Lightweight Detection Method for IoT Mirai Botnet

doi:10.3969/j.issn.1671-1122.2024.05.002

Abstract

Abstract:

Aiming at the shortcomings of traditional detection methods for IoT Mirai botnet traffic data, which include long detection times, high resource consumption, and inadequate accuracy due to the high dimensionality and large scale of data, this study researched and proposed an IoT botnet traffic detection (IBTD-EFS) method based on integrated feature selection. Firstly, to reduce the feature dimension of network traffic data samples and obtain an optimal subset of features, an integrated feature selection (EFS-FGGA) algorithm combining feature grouping and genetic algorithm was proposed. Then, to efficiently detect Mirai botnet traffic, an IoT botnet traffic classification (IBTC-XGB) algorithm based on extreme gradient boosting was introduced. Lastly, by combining the aforementioned EFS-FGGA and IBTC-XGB algorithms, the IBTD-EFS method for IoT botnet traffic detection was further proposed. Experimental results indicate that the IBTD-EFS method can overcome the heterogeneity of IoT devices, achieving a detection accuracy of 99.95% for Mirai botnet traffic and keeps the time overhead low. It is evident that the IBTD-EFS method provides an efficient solution for IoT Mirai botnet traffic detection.

Key words: IoT, botnet, feature selection, genetic algorithm, traffic detection

CLC Number:

TP309

LI Zhihua, CHEN Liang, LU Xulin, FANG Zhaohui, QIAN Junhao. Lightweight Detection Method for IoT Mirai Botnet[J]. Netinfo Security, 2024, 24(5): 667-681.

Figures/Tables 11

References 37

[1]	STATISTA R D. Internet of Things-Number of Connected Devices Worldwide 2012-2025[EB/OL]. (2016-11-27)[2024-02-02]. https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/.
[2]	ZHANG Ye, LI Zhihua, WANG Changjie. Kernel Density Estimation-Based Lightweight IoT Anomaly Traffic Detection Method[J]. Computer Science, 2021, 48(9): 337-344. doi: 10.11896/jsjkx.200600108
	张叶, 李志华, 王长杰. 基于核密度估计的轻量级物联网异常流量检测方法[J]. 计算机科学, 2021, 48(9): 337-344. doi: 10.11896/jsjkx.200600108
[3]	ANTONAKAKIS M, APRIL T, BAILEY M, et al. UnderStanding the Mirai Botnet[C]// USENIX. 26th USENIX Security Symposium (USENIX Security 17). Berkeley: USENIX, 2017: 1093-1110.
[4]	SHOBANA M, RATHI S. IoT Malware: An Analysis of IoT Device Hijacking[J]. International Journal of Scientific Research in Computer Science, Engineering and Information Technology, 2018, 5: 2456-3307.
[5]	KHAN A, SHARMA I. Tackling Okiru Attacks in IoT with AI-Driven Detection and Mitigation Strategies[C]// IEEE. 2023 International Conference on Power Energy, Environment & Intelligent Control (PEEIC). New York: IEEE, 2023: 336-341.
[6]	ABBAS S G, HASHMAT F, SHAH G A, et al. Generic Signature Development for IoT Botnet Families[EB/OL]. (2021-09-01)[2024-02-25]. https://www.sciencedirect.com/science/article/abs/pii/S2666281721001323.
[7]	BLAISE A, BOUET M, CONAN V, et al. Detection of Zero-Day Attacks: An Unsupervised Port-Based Approach[EB/OL]. (2020-10-01)[2024-02-25]. https://www.sciencedirect.com/science/article/abs/pii/S1389128620300761.
[8]	PANDA M, ABD ALLAH A M, HASSANIEN A E. Developing an Efficient Feature Engineering and Machine Learning Model for Detecting IoT-Botnet Cyber Attacks[J]. IEEE Access, 2021, 9: 91038-91052.
[9]	SAFITRI W A, AHMAD T, HOSTIADI D P. Analyzing Machine Learning-Based Feature Selection for Botnet Detection[C]// IEEE. 2022 1st International Conference on Information System & Information Technology (ICISIT). New York: IEEE, 2022: 386-391.
[10]	LEFOANE M, GHAFIR I, KABIR S, et al. Machine Learning for Botnet Detection: An Optimized Feature Selection Approach[C]// ACM. The 5th International Conference on Future Networks & Distributed Systems. New York: ACM, 2022: 195-200.
[11]	NIMBALKAR P, KSHIRSAGAR D. Feature Selection for Intrusion Detection System in Internet-of-Things (IoT)[J]. ICT Express, 2021, 7(2): 177-181.
[12]	BAHSI H, NOMM S, TORRE F B L. Dimensionality Reduction for Machine Learning Based IoT Botnet Detection[C]// IEEE. 2018 15th International Conference on Control, Automation, Robotics and Vision (ICARCV). New York: IEEE, 2018: 1857-1862.
[13]	GUERRA M A, BAHSI H, NOMM S. Hybrid Feature Selection Models for Machine Learning Based Botnet Detection in IoT Networks[C]// IEEE. 2019 International Conference on Cyberworlds (CW). New York: IEEE, 2019: 324-327.
[14]	SHAFIQ M, TIAN Zhihong, BASHIR A K, et al. CorrAUC: A Malicious Bot-IoT Traffic Detection Method in IoT Network Using Machine-Learning Techniques[J]. IEEE Internet of Things Journal, 2020, 8(5): 3242-3254.
[15]	LEE J, PARK D, LEE C. Feature Selection Algorithm for Intrusions Detection System Using Sequential forward Search and Random Forest Classifier[J]. KSII Transactions on Internet and Information Systems (TIIS), 2017, 11(10): 5132-5148.
[16]	ALAM T, QAMARS, DIXIT A, et al. Genetic Algorithm: Reviews, Implementations, and Applications[EB/OL]. (2020-06-05)[2024-02-25]. https://arxiv.org/abs/2007.12673.
[17]	LIU Xiangyu, DU Yanhui. Towards Effective Feature Selection for IoT Botnet Attack Detection Using a Genetic Algorithm[EB/OL]. (2023-02-07)[2024-02-25]. https://www.mdpi.com/2079-9292/12/5/1260.
[18]	DESAI M G, SHI Yong, SUO Kun. IoT Bonet and Network Intrusion Detection Using Dimensionality Reduction and Supervised Machine Learning[C]// IEEE. 2020 11th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON). New York: IEEE, 2020: 316-322.
[19]	SOE Y N, FENG Yaokai, SANTOSA P I, et al. Machine Learning-Based IoT-Botnet Attack Detection with Sequential Architecture[EB/OL]. (2020-08-05)[2024-02-25]. https://www.mdpi.com/1424-8220/20/16/4372.
[20]	ALSHEHRI M S, AHMAD J, ALMAKDI S, et al. SkipGateNet: A Lightweight CNN-LSTM Hybrid Model with Learnable Skip Connections for Efficient Botnet Attack Detection in IoT[J]. IEEE Access, 2024, 12(12): 35521-35538.
[21]	LUU C D, NGUYEN V Q, PHAM T S, et al. A Zero-Shot Deep Learning Approach for Unknown IoT Botnet Attack Detection[C]// IEEE. 2023 RIVF International Conference on Computing and Communication Technologies (RIVF). New York: IEEE, 2023: 278-283.
[22]	XU Zhaozhao, SHEN Derong, NIE Tiezheng, et al. Hybrid Feature Selection Algorithm Combining Information Gain Ratio and Genetic Algorithm[J]. Journal or Software, 2022, 33(3): 1128-1140.
	许召召, 申德荣, 聂铁铮, 等. 融合信息增益比和遗传算法的混合式特征选择算法[J]. 软件学报, 2022, 33(3): 1128-1140.
[23]	PAUL A, MUKHERJEE D P, DAS P, et al. Improved Random Forest for Classification[J]. IEEE Transactions on Image Processing, 2018, 27(8): 4012-4024. doi: 10.1109/TIP.2018.2834830 pmid: 29993742
[24]	KE Guolin, MENG Qi, FINLEY T, et al. LightGBM: A Highly Efficient Gradient Boosting Decision Tree[EB/OL]. (2017-12-04)[2024-02-25]. https://proceedings.neurips.cc/paper/2017/hash/6449f44a102fde848669bdd9eb6b76fa-Abstract.html.
[25]	GOPIKA N, ME A M K. Correlation Based Feature Selection Algorithm for Machine Learning[C]// IEEE. 2018 3rd International Conference on Communication and Electronics Systems (ICCES). New York: IEEE, 2018: 692-695.
[26]	VERGARA J R, ESTEVEZ P A. A Review of Feature Selection Methods Based on Mutual Information[J]. Neural Computing and Applications, 2014, 24: 175-186.
[27]	LYU Yang, FENG Yaokai, SAKURAI K. A Survey on Feature Selection Techniques Based on Filtering Methods for Cyber Attack Detection[EB/OL]. (2023-03-15)[2024-02-25]. https://www.mdpi.com/2078-2489/14/3/191.
[28]	HUANG C L, WANG C J. A GA-Based Feature Selection and Parameters Optimization for Support Vector Machines[J]. Expert Systems with Applications, 2006, 31(2): 231-240.
[29]	ALEJANDRE F V, CORTES N C, ANAYA E A. Feature Selection to Detect Botnets Using Machine Learning Algorithms[C]// IEEE. 2017 International Conference on Electronics, Communications and Computers (CONIELECOMP). New York: IEEE, 2017: 1-7.
[30]	WIYONO R T, CAHYANI N D W. Performance Analysis of Decision Tree C4.5 as a Classification Technique to Conduct Network Forensics for Botnet Activities in Internet of Things[C]// IEEE. 2020 International Conference on Data Science and Its Applications (ICoDSA). New York: IEEE, 2020: 1-5.
[31]	IFTIKHAR S, AL-MADANI D, ABDULLAH S, et al. A Supervised Feature Selection Method for Malicious Intrusions Detection in IoT Based on Genetic Algorithm[J]. International Journal of Computer Science & Network Security, 2023, 23(3): 49-56.
[32]	AN Ting. Application of Genetic Algorithm Based on F-Ratio Rule in Signal Feature Selection[C]// IEEE. 2017 10th International Symposium on Computational Intelligence and Design (ISCID). New York: IEEE, 2017: 492-495.
[33]	LI Juan. A Feature Subset Selection Algorithm Based on Feature Activity and Improved GA[C]// IEEE. 2015 11th International Conference on Computational Intelligence and Security (CIS). New York: IEEE, 2015: 206-210.
[34]	ABDI H, WILLIAMS L J. Normalizing Data[J]. Encyclopedia of Research Design, 2010, 1: 935-938.
[35]	CHEN Tianqi, GUESTRIN C. XGBoost: A Scalable Tree Boosting System[C]// ACM. Proceedings of the 22nd ACM Sigkdd International Conference on Knowledge Discovery and Data Mining. New York: ACM,2016: 785-794.
[36]	HAN Lu, LI Wenjun, SU Zhi. An Assertive Reasoning Method for Emergency Response Management Based on Knowledge Elements C4.5 Decision Tree[J]. Expert Systems with Applications, 2019, 122: 65-74.
[37]	MEIDAN Y, BOHADANA M, MATHOV Y, et al. N-Baiot—Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders[J]. IEEE Pervasive Computing, 2018, 17(3): 12-22.

聚合类型	分类码	特征统计	特征数/个
Host-IP	H	Packet Count, mean, variance	15
Host-Mac&IP	MI		15
Network Jitter	HH_Jit		15
Channel	HH	Packet Count, mean, variance, Magnitude, Radius, Covariance, Correlation Coefficient	35
Socket	HpHp		35

设备类型	恶意样本数/个	正常样本数/个
Doorbell (Danmini)	49500	49500
Thermostat (Ecobee)	13100	13100
Baby Monitor (B120N10)	75200	75200
Security Camera (PT_737E)	62100	62100
Security Camera (PT_838)	98500	98500
Security Camera (XCS7_1002_WHT)	46500	46500
Security Camera (XCS7_1003_WHT)	19500	19500

参数名称	符号	取值
特征排序截取阈值	$K$	20
最大迭代次数	$Ma{{x}_{G}}$	80
种群大小	${{n}_{0}}$	50
惩罚阈值	$\theta $	3
惩罚因子	$c$	0.0005
交叉概率	${{P}_{c1}}$,${{P}_{c2}}$	0.9, 0.6
变异概率	${{P}_{m1}}$,${{P}_{m2}}$	0.1, 0.001

特征索引	特征名称	含义
0	H_L5_weight	目的主机在5 s内发送报文数量
28	H_L0.01_mean	目的主机在100 ms内发送报文数量均值
29	H_L0.01_variance	目的主机在100 ms内发送报文数量方差

	精确率	召回率	F1值	准确率	特征数量/个
无特征降维算法	99.92%	99.96%	99.93%	99.93%	115
PCA	99.79%	99.73%	99.76%	99.76%	10
Fisher评分法	99.46%	99.87%	99.67%	99.67%	3
EFS-FGGA	99.99%	99.97%	99.98%	99.98%	3