
A novel graph-based approach for IoT botnet detection

  • Regular Contribution
  • International Journal of Information Security

Abstract

The Internet of Things (IoT) is the extension of Internet connectivity into physical devices and everyday objects. These IoT devices can communicate with each other over the Internet and are fully integrated into people’s daily lives. In recent years, IoT devices have continued to suffer from basic security vulnerabilities that leave them exposed to a variety of threats and malware, especially IoT botnets. Unlike common malware on desktop personal computers and Android, the heterogeneous processor architectures of IoT devices pose various challenges for researchers. Many studies take advantage of well-known dynamic or static analysis techniques for detecting and classifying botnets on IoT devices. However, most studies cannot yet address the multi-architecture issue and consume vast computing resources for analysis. In this paper, we propose a lightweight method for detecting IoT botnets based on extracting high-level features from function-call graphs, called PSI-Graph, for each executable file. This feature is effective when dealing with the multi-architecture problem while avoiding the complexity of the control-flow-graph analysis used by most existing methods. The experimental results show that the proposed method achieves an accuracy of 98.7% on a dataset of 11,200 ELF files consisting of 7199 IoT botnet samples and 4001 benign samples. Additionally, a comparative study with other existing methods demonstrates that our approach delivers better outcomes. Lastly, we make the source code of this work available on GitHub.
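The abstract describes deriving a per-file feature set from a function-call graph rather than from the control-flow graph. The following added example (not the paper's PSI-Graph code, whose exact feature design the abstract does not specify) shows the general shape of such a pipeline: a call graph is built from (caller, callee) edges as a disassembler would report them for a stripped ELF binary, structural features and the set of library calls reachable from the entry point are computed, and the result is turned into a fixed-length vector that a classifier can consume. The two edge lists, the entry-point name `main` and the vocabulary are constructed for illustration; `graph_features`, `vectorize` and `jaccard` are hypothetical helper names.

```python
from collections import deque

# Constructed call-graph edges (caller, callee) for two toy samples. They are
# not from the paper's dataset; they stand in for the edges a disassembler
# would report for a stripped ELF binary of any architecture.
SAMPLE_A = [
    ("main", "parse_args"), ("main", "open_device"), ("open_device", "open"),
    ("open_device", "ioctl"), ("main", "log_status"), ("log_status", "printf"),
]
SAMPLE_B = [
    ("main", "daemonize"), ("daemonize", "fork"), ("main", "net_init"),
    ("net_init", "socket"), ("net_init", "connect"), ("main", "worker_loop"),
    ("worker_loop", "socket"), ("worker_loop", "connect"),
    ("worker_loop", "send"), ("unused_helper", "printf"),
]


def build_call_graph(edges):
    """Adjacency map: every node gets an entry, even pure callees."""
    graph = {}
    for caller, callee in edges:
        graph.setdefault(caller, set()).add(callee)
        graph.setdefault(callee, set())
    return graph


def reachable_from(graph, entry):
    """Breadth-first walk from the entry point; unreachable nodes are dead code."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def graph_features(graph, entry="main"):
    """High-level, architecture-independent features of one call graph.

    Nodes with no outgoing edges are treated as imported library calls
    (leaves); only the leaves reachable from the entry point are reported,
    so library calls sitting in dead code do not count.
    """
    reachable = reachable_from(graph, entry)
    leaves = {node for node, callees in graph.items() if not callees}
    return {
        "nodes": len(graph),
        "edges": sum(len(callees) for callees in graph.values()),
        "reachable_nodes": len(reachable),
        "dead_nodes": len(graph) - len(reachable),
        "max_out_degree": max(len(callees) for callees in graph.values()),
        "reachable_leaves": sorted(leaves & reachable),
    }


def vectorize(features, vocab):
    """Fixed-length numeric vector: structural counts, then one-hot presence
    of each library call in the (corpus-wide, here constructed) vocabulary."""
    present = set(features["reachable_leaves"])
    counts = [features["nodes"], features["edges"],
              features["dead_nodes"], features["max_out_degree"]]
    return counts + [1 if name in present else 0 for name in vocab]


def jaccard(a, b):
    """Set similarity of two reachable-library-call sets (1.0 for two empty sets)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0


if __name__ == "__main__":
    feats_a = graph_features(build_call_graph(SAMPLE_A))
    feats_b = graph_features(build_call_graph(SAMPLE_B))
    vocab = sorted(set(feats_a["reachable_leaves"]) | set(feats_b["reachable_leaves"]))
    print(feats_a)
    print(feats_b)
    print(vectorize(feats_a, vocab))
    print(vectorize(feats_b, vocab))
    print("similarity:", jaccard(feats_a["reachable_leaves"], feats_b["reachable_leaves"]))
```

Because the features depend only on which functions call which, not on instruction encodings, the same extractor serves ARM, MIPS, PowerPC and x86 samples alike once a disassembler has produced the edge list; that is the property the abstract attributes to graph-level features. The `dead_nodes` count is worth keeping: library calls that are present in the binary but never reachable from the entry point are common in statically linked IoT binaries and would inflate a plain string- or import-based feature set.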



Corresponding author

Correspondence to Huy-Trung Nguyen.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants by any of the authors.


Cite this article

Nguyen, HT., Ngo, QD. & Le, VH. A novel graph-based approach for IoT botnet detection. Int. J. Inf. Secur. 19, 567–577 (2020). https://doi.org/10.1007/s10207-019-00475-6
