LiMNet: Early-Stage Detection of IoT Botnets with Lightweight Memory Networks

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12972)

Abstract

IoT devices have been growing exponentially in the last few years. This growth makes them an attractive target for attackers due to their low computational power and limited security features. Attackers use IoT botnets as an instrument to perform DDoS attacks, which have caused major disruptions of Internet services in the last decade. While many works have tackled the task of detecting botnet attacks, only a few have considered early-stage detection of these botnets during their propagation phase.

While previous approaches analyze each network packet individually to predict its maliciousness, we propose a novel deep learning model called LiMNet (Lightweight Memory Network), which uses an internal memory component to capture the behaviour of each IoT device over time. This memory incorporates both packet features and behaviour of the peer devices. With this information, LiMNet achieves almost maximum AUROC classification scores, between 98.8% and 99.7%, with a 14% improvement over state of the art. LiMNet is also lightweight, performing inference almost 8 times faster than previous approaches.

Keywords

  • IoT
  • Botnet detection
  • Memory networks
  • Recurrent networks

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 813162. The content of this paper reflects the views only of its author(s). The European Commission/Research Executive Agency are not responsible for any use that may be made of the information it contains.

Notes

  1. https://www.juniperresearch.com/press/iot-connections-to-reach-83-bn-by-2024.

  2. https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot.

  3. https://www.wireshark.org/docs/man-pages/tshark.html.

  4. https://github.com/lodo1995/LiMNet.

  5. More precisely, a single core of an Intel Cascade Lake-SP CPU with 2.2 GHz base clock, 3.2 GHz max. turbo clock, 32 KB L1d cache and 1 MB L2 private cache.

References

  1. Alzahrani, H., Abulkhair, M., Alkayal, E.: A multi-class neural network model for rapid detection of IoT botnet attacks. Int. J. Adv. Comp. Sci. Appl. 11(7), 688–696 (2020)

  2. Antonakakis, M., et al.: Understanding the Mirai botnet. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 1093–1110 (2017)

  3. Bahşi, H., Nõmm, S., La Torre, F.B.: Dimensionality reduction for machine learning based IoT botnet detection. In: 2018 15th International Conference on Control, Automation, Robotics and Vision (ICARCV), pp. 1857–1862. IEEE (2018)

  4. Chung, J., Gulcehre, C., Cho, K., Bengio, Y.: Empirical evaluation of gated recurrent neural networks on sequence modeling. arXiv preprint arXiv:1412.3555 (2014)

  5. Coskun, B., et al.: Friends of an enemy: identifying local members of peer-to-peer botnets using mutual contacts. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC 2010, pp. 131–140. Association for Computing Machinery, New York (2010)

  6. Ebesu, T., Shen, B., Fang, Y.: Collaborative memory network for recommendation systems. In: The 41st International ACM SIGIR Conference on Research & Development in Information Retrieval, pp. 515–524 (2018)

  7. Guerra-Manzanares, A., Medina-Galindo, J., Bahsi, H., Nomm, S.: MedBIoT: generation of an IoT botnet dataset in a medium-sized IoT network. In: ICISSP (2020)

  8. Hamilton, W.L., Ying, R., Leskovec, J.: Representation learning on graphs: methods and applications. arXiv preprint arXiv:1709.05584 (2017)

  9. Hwang, R.H., Peng, M.C., Nguyen, V.L., Chang, Y.L.: An LSTM-based deep learning approach for classifying malicious traffic at the packet level. Appl. Sci. 9(16) (2019). https://doi.org/10.3390/app9163414

  10. Jaeger, H.: Tutorial on training recurrent neural networks, covering BPPT, RTRL, EKF and the echo state network approach, vol. 5. GMD-Forschungszentrum Informationstechnik Bonn (2002)

  11. Kefato, Z.T., Girdzijauskas, S., Sheikh, N., Montresor, A.: Dynamic embeddings for interaction prediction. In: Proceedings of The Web Conference 2021 (2021)

  12. Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other botnets. Computer 50(7), 80–84 (2017)

  13. Kumar, S., Zhang, X., Leskovec, J.: Predicting dynamic embedding trajectory in temporal interaction networks. In: Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM (2019)

  14. Kusupati, A., Singh, M., Bhatia, K., Kumar, A., Jain, P., Varma, M.: FastGRNN: a fast, accurate, stable and tiny kilobyte sized gated recurrent neural network. In: NIPS 2018, pp. 9031–9042. Curran Associates Inc., Red Hook, NY, USA (2018)

  15. Li, J., et al.: Distributed threat intelligence sharing system: a new sight of P2P botnet detection. In: 2019 2nd International Conference on Computer Applications & Information Security (ICCAIS), pp. 1–6. Riyadh, Saudi Arabia (2019)

  16. Ma, Y., Guo, Z., Ren, Z., Tang, J., Yin, D.: Streaming graph neural networks. In: Proceedings of the 43rd International ACM SIGIR Conference on Research and Development in Information Retrieval, pp. 719–728 (2020)

  17. McDermott, C.D., Majdani, F., Petrovski, A.V.: Botnet detection in the Internet of Things using deep learning approaches. In: 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8 (2018). https://doi.org/10.1109/IJCNN.2018.8489489

  18. Meidan, Y., et al.: N-BaIoT: network-based detection of IoT botnet attacks using deep autoencoders. IEEE Pervasive Comput. 17(3), 12–22 (2018). https://doi.org/10.1109/MPRV.2018.03367731

  19. Meidan, Y., et al.: N-BaIoT: network-based detection of IoT botnet attacks using deep autoencoders. IEEE Pervasive Comput. 17(3), 12–22 (2018)

  20. Mikolov, T., Karafiát, M., Burget, L., Černockỳ, J., Khudanpur, S.: Recurrent neural network based language model. In: Eleventh Annual Conference of the International Speech Communication Association (2010)

  21. Mirsky, Y., Doitshman, T., Elovici, Y., Shabtai, A.: Kitsune: an ensemble of autoencoders for online network intrusion detection. In: Network and Distributed System Security Symposium (NDSS) (2018)

  22. Nguyen, H., Ngo, Q., Le, V.: IoT botnet detection approach based on PSI graph and DGCNN classifier. In: 2018 IEEE International Conference on Information Communication and Signal Processing (ICICSP), pp. 118–122 (2018). https://doi.org/10.1109/ICICSP.2018.8549713

  23. Sagirlar, G., Carminati, B., Ferrari, E.: AutoBotCatcher: blockchain-based P2P botnet detection for the Internet of Things. In: 2018 IEEE 4th International Conference on Collaboration and Internet Computing (CIC), pp. 1–8. IEEE (2018)

  24. Tallec, C., Ollivier, Y.: Unbiasing truncated backpropagation through time. CoRR abs/1705.08209 (2017). http://arxiv.org/abs/1705.08209

  25. Weston, J., Chopra, S., Bordes, A.: Memory networks. arXiv preprint arXiv:1410.3916 (2014)

  26. Yang, Z., et al.: P2P botnet detection based on nodes correlation by the Mahalanobis distance. Information 10(5), 160 (2019)

  27. Zhuang, D., et al.: PeerHunter: detecting peer-to-peer botnets through community behavior analysis. In: 2017 IEEE Conference on Dependable and Secure Computing, pp. 493–500. Taipei (2017)

Acknowledgements

The authors would like to thank Stefanos Antaris (affiliated with KTH and Hive Streaming AB) for the insightful discussions and literature recommendations that helped shape the direction of this work.

Corresponding author

Correspondence to Lodovico Giaretta.

Appendices

A Kitsune vs MedBIoT: Challenges for ML Models

To effectively and fairly compare early-stage botnet detection models, large, realistic and challenging datasets are required. We therefore analyze Kitsune and MedBIoT, to understand why the former is more challenging than the latter.

In [1], the authors hypothesize that their balancing of the different malware classes in MedBIoT may cause their very high scores. However, in our work, we do not perform any balancing and still achieve near-perfect scores for both our approach and the baseline from [1], thus disproving this hypothesis.

Table 6. Distribution of protocols in the datasets, as identified by tshark. When the application-level protocol is not identified, the transport-level protocol is reported.

The breakdown of the protocol distributions of the datasets, reported in Table 6, shows that MedBIoT is dominated by a single protocol and that, within most protocols, legitimate packets outnumber malicious ones (or are outnumbered by them) by an order of magnitude, with the overall dataset skewed towards legitimate traffic. A model can easily achieve high scores by focusing on the dominant protocol and giving simple majority answers for the others. Kitsune, on the other hand, is fairly evenly split across three dominant protocols and fairly balanced between legitimate and malicious traffic, both overall and within each protocol. Any model therefore needs to capture multiple legitimate behaviours and learn to discern malicious traffic within each protocol based on additional signals. It is thus unsurprising that Kitsune proved more challenging in our experiments, as it better tests the modelling capabilities of botnet detection approaches.

B Effect of Truncated Backpropagation Through Time

Truncated Backpropagation Through Time (p-BPTT) [10] has gained traction in the RNN field as a simple technique to quickly and efficiently train models on very long sequences. However, this technique is known to reduce the ability of a model to capture long-range relations, as inputs that are far apart in the original sequence never co-appear in the same subsequence after splitting [24].

To ensure that this issue is not affecting LiMNet, we train it with different combinations of length and stride for the subsequences. For a fair comparison, it is important to consider the length/stride ratio. A higher ratio indicates more overlaps between the subsequences and thus leads to more training data points per epoch. The results are reported in Table 7.

Table 7. AUROC scores of LiMNet with GRU units and layer size 32 on the Kitsune dataset, with varying subsequence length and stride for p-BPTT.

Keeping the ratio fixed at 5, Table 7 shows that longer subsequences lead to worse results, not better. Any gains from modelling long-term relations are offset by the larger strides, which cause most packets to never appear close to the end of any subsequence, where the backpropagation gradients are strongest. This issue can be mitigated by reducing the stride and thus increasing the ratio. This brings performance up, but at a much higher computational cost. Furthermore, even with high ratios, increasing the sequence length beyond 10k packets does not seem to provide any benefit, indicating that, at this length, p-BPTT does not negatively impact LiMNet performance.
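To make the length/stride trade-off concrete, the following added Python example (written for this page, not taken from the paper or the LiMNet repository) splits a packet sequence into p-BPTT subsequences with a given length and stride and measures two things: how many subsequences, i.e. training data points, one epoch produces, and what fraction of packets ever land in the last few positions of a subsequence, where the truncated gradients are strongest. The windowing rule (windows start every `stride` packets, with a final shorter window covering the remainder) and the `tail` width used to define that end region are assumptions of the example.

```python
from typing import List, Tuple


def split_subsequences(n_packets: int, length: int, stride: int) -> List[Tuple[int, int]]:
    """Split a sequence of n_packets into p-BPTT subsequences.

    Returns (start, end) pairs with end exclusive. Windows start every `stride`
    packets; the last window is cut short at the end of the sequence rather than
    padded. (Windowing rule assumed for this example, not taken from the paper.)
    """
    if length <= 0 or stride <= 0:
        raise ValueError("length and stride must be positive")
    windows: List[Tuple[int, int]] = []
    start = 0
    while start < n_packets:
        end = min(start + length, n_packets)
        windows.append((start, end))
        if end == n_packets:  # the sequence is fully covered
            break
        start += stride
    return windows


def training_points_per_epoch(n_packets: int, length: int, stride: int) -> int:
    """Number of subsequences, i.e. training data points, produced per epoch."""
    return len(split_subsequences(n_packets, length, stride))


def tail_coverage(n_packets: int, length: int, stride: int, tail: int) -> float:
    """Fraction of packets that fall in the last `tail` positions of at least one
    subsequence, the region where the truncated gradient is strongest.
    The width `tail` is an assumed stand-in for 'close to the end'."""
    if n_packets == 0:
        return 0.0
    covered = [False] * n_packets
    for start, end in split_subsequences(n_packets, length, stride):
        for i in range(max(start, end - tail), end):
            covered[i] = True
    return sum(covered) / n_packets


if __name__ == "__main__":
    n = 100  # constructed sequence length
    # Same length/stride ratio (5) at two lengths: the longer window implies a larger
    # stride, so far fewer packets ever sit near the end of a subsequence.
    for length, stride in ((10, 2), (50, 10)):
        print(length, stride,
              training_points_per_epoch(n, length, stride),
              tail_coverage(n, length, stride, tail=2))
    # Reducing the stride (ratio 50) restores coverage, at the cost of many more windows.
    print(50, 1, training_points_per_epoch(n, 50, 1), tail_coverage(n, 50, 1, tail=2))
```

With 100 packets and `tail=2`, length 10 / stride 2 yields 46 windows and puts 92% of packets near some window end, while length 50 / stride 10 (the same ratio) yields only 6 windows and 12% coverage; dropping the stride to 1 raises coverage to 52% but needs 51 windows per epoch, which is the computational cost the appendix refers to.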

C Cross-dataset Model Generalization

As an additional experiment, in Table 8 we consider the performance of LiMNet when trained on one dataset and tested on another. The results show once more how different the scenarios presented by Kitsune and MedBIoT are.

As the datasets present different protocol mixes (as shown in Appendix A), the one-hot protocol encoding of the testing dataset needs to be modified to match that of the training dataset, which is the one the model expects. For protocols present in both datasets, this “alignment” amounts to a simple reshuffle of the features. For application-level protocols that are present in the testing dataset but not in the training one, we consider two options: 1) replacing them with their transport-level protocol, as TCP and UDP are present in both datasets, or 2) setting all protocol features to zero, effectively marking the packet as having no protocol. Our results show no substantial differences between these two options.
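The feature alignment just described, as an added Python example that is not the paper's or the LiMNet repository's own code: one-hot protocol rows encoded over the testing dataset's vocabulary are re-encoded over the training vocabulary, reshuffling protocols common to both and applying either of the two fallback policies to application-level protocols the training set never saw. The vocabularies, sample rows and the `TRANSPORT_OF` table mapping application protocols to TCP/UDP are constructed for this example.

```python
from typing import Dict, List, Optional, Sequence

# Constructed for this example: the transport-level protocol each application-level
# protocol rides on. In practice this comes from what tshark reports for the packets.
TRANSPORT_OF: Dict[str, str] = {
    "HTTP": "TCP", "TLS": "TCP", "MQTT": "TCP",
    "DNS": "UDP", "SSDP": "UDP", "NTP": "UDP",
}

# Constructed vocabularies: the training set never saw MQTT, and the column order differs.
TRAIN_VOCAB = ["TCP", "UDP", "HTTP", "DNS"]
TEST_VOCAB = ["UDP", "TCP", "MQTT", "DNS"]


def one_hot(protocol: Optional[str], vocabulary: Sequence[str]) -> List[int]:
    """One-hot encode `protocol` over `vocabulary`; None yields the all-zero vector."""
    return [1 if p == protocol else 0 for p in vocabulary]


def align_protocol(protocol: str, train_vocab: Sequence[str], fallback: str) -> Optional[str]:
    """Map a protocol label from the testing dataset onto the training vocabulary.

    Protocols seen in training are kept (their one-hot position is simply reshuffled).
    For a protocol unknown to the training set:
      fallback="transport": substitute its transport-level protocol (TCP/UDP), if known;
      fallback="zero": mark the packet as having no protocol (returns None).
    """
    if protocol in train_vocab:
        return protocol
    if fallback == "transport":
        transport = TRANSPORT_OF.get(protocol)
        return transport if transport in train_vocab else None
    if fallback == "zero":
        return None
    raise ValueError(f"unknown fallback policy: {fallback}")


def align_features(test_rows: Sequence[Sequence[int]], test_vocab: Sequence[str],
                   train_vocab: Sequence[str], fallback: str) -> List[List[int]]:
    """Re-encode one-hot protocol rows from the testing vocabulary into the training
    vocabulary, which is the layout the trained model expects."""
    aligned: List[List[int]] = []
    for row in test_rows:
        if len(row) != len(test_vocab) or sum(row) != 1:
            raise ValueError(f"row is not a one-hot vector over the testing vocabulary: {row}")
        protocol = test_vocab[list(row).index(1)]
        aligned.append(one_hot(align_protocol(protocol, train_vocab, fallback), train_vocab))
    return aligned


if __name__ == "__main__":
    # Constructed testing-set rows: MQTT, DNS and plain UDP packets.
    rows = [[0, 0, 1, 0], [0, 0, 0, 1], [1, 0, 0, 0]]
    print(align_features(rows, TEST_VOCAB, TRAIN_VOCAB, "transport"))  # MQTT -> TCP
    print(align_features(rows, TEST_VOCAB, TRAIN_VOCAB, "zero"))       # MQTT -> no protocol
```

Under the transport policy the MQTT row becomes the TCP column of the training layout; under the zero policy it becomes an all-zero vector. DNS and UDP rows are only reshuffled, since both datasets contain them.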

A model trained on Kitsune has no knowledge of the Torii and Bashlite malware present in MedBIoT, while one trained on the latter is aware of the Mirai malware in Kitsune. This explains why training on MedBIoT and testing on Kitsune provides better results than the opposite in the malicious packet detection task. However, the results on this task are still extremely low, probably because the model also faces different patterns of legitimate traffic, which it cannot recognize. The device-level tasks present much better (although still low) results. This may be due to the memory component of LiMNet: while a single packet may be hard to judge in these conditions, the model still accumulates enough knowledge over time to correctly flag at least part of the devices.

Table 8. AUROC scores of LiMNet with GRU units and layer size 32, trained and tested on different combinations of datasets.

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Giaretta, L., Lekssays, A., Carminati, B., Ferrari, E., Girdzijauskas, Š. (2021). LiMNet: Early-Stage Detection of IoT Botnets with Lightweight Memory Networks. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_29

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_29

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5