1 Introduction

Since IoT devices in the Massive IoT segment are low-cost devices, they can often perform a single task at a time and their computational power is not sufficient to execute complex attack detection algorithms. Therefore, Massive IoT is vulnerable to network attacks. According to a study by HP [1], \(70\%\) of IoT devices are vulnerable to attacks, while one of the most common attacks is the Denial of Service (DoS) attack which comprises \(20\%\) of all attacks against the IoT [6].

Network attacks can include worms based on propagating software [37, 38], DoS attacks where an attacker or an infected device aims to prevent the normal functioning of a device (or a system) by forwarding superfluous requests [10, 11], and Botnets which are the subject of this work. Traffic which may cause attacks can be detected as a form of anomaly [22, 26] which is concealed as part of normal innocuous traffic.

When a network attack follows the same techniques as a DoS attack but affects more devices, it is called a Distributed DoS (DDoS) attack [14]. One of the most popular kinds of DDoS attacks is the Botnet attack, which mainly targets IoT devices. In a Botnet attack, a victim device turns into a bot via malware and generates traffic that floods other servers and devices with meaningless requests that lead to threats [21].

Detecting Botnet attacks is an important task considering the high threat level for a massive number of devices. To this end, a recent trend of research has focused on developing Machine Learning (ML) based techniques. Most earlier work [5, 13, 24, 28, 29, 30, 34, 35, 36, 39, 40, 42] in this trend develops techniques for classification by supervised learning; however, these techniques require large numbers of samples of both normal and malicious traffic, and collecting data for realistic malicious traffic is no easy task. Only a few works have considered the lack of attack data during the training of ML models (via auto-associative learning) for Botnet attacks [33, 43] and for DoS attacks [15].

In 2016, a massive Botnet-based DDoS attack affected many web sites including Netflix, Reddit, Spotify, and Twitter through the Dyn service for domain name system (DNS) management [7, 23] as well as numerous IP addresses creating access through the servers of some cyber-security companies [41]. It is known that the botnets in this DDoS attack were infected by the Mirai malware, in which the infected devices generate traffic that overwhelms servers and other devices with nonsense requests, sometimes leading to threats [21]. Reference [4] has analyzed the characteristics of this class of attacks, while a recent work [27] has analyzed the characteristics of IoT traffic generated by Botnet. In addition, Reference [3] used blockchains to protect IoT networks against Mirai Botnet attacks.

1.1 Attack Detection with the Random Neural Network (RNN)

The RNN [17] with gradient descent learning [18] has been used to detect Denial of Service attacks in early work [34] and was recently used also to detect SYN attacks [15].

The Dense RNN was introduced in [16, 20] to address various pattern recognition problems, including character and object recognition. It has been previously used with auto-associative offline training to detect SYN attacks [8], and was used more recently also to detect Mirai Botnet attacks [33].

In this paper, we use a Dense Random Neural Network (Dense RNN) [16, 20] based Mirai Botnet attack detection method, but extend it specifically for incremental online learning. Similar to [8], this method learns the statistics of the IoT traffic under normal circumstances while the network is online (via auto-associative and incremental online learning); that is, it does not require the offline collection of any IoT traffic data (either benign or attack) for the learning procedure.

In the rest of this paper, Sect. 2 presents the methodology of the proposed method for Mirai Botnet attack detection while Sect. 4 presents the performance evaluation of this method on a publicly available dataset. Lastly, Sect. 6 summarizes the paper.

2 Auto-Associative Dense RNN Based Botnet Attack Detection with Online Incremental Training

We now present the methodology of our Botnet Attack Detector (AD) based on Dense Random Neural Networks (Dense RNN) which is trained entirely online with only benign IoT traffic. Figure 1 displays the architectural design of this detector, which consists of three main stages:

  1. Extracting metrics from IoT traffic with the “Metric Extractor” module,

  2. Detection of potential attack packets with “Auto-Associative Dense RNN” and “Attack Decision Maker” modules and

  3. Incremental online training of AA-Dense RNN with “Incremental Semi-Supervised Learning Algorithm”.

In the rest of this section, we shall detail the methodologies of these stages.

Fig. 1. The architectural design of AA-Dense RNN based Botnet attack detector with incremental online training

3 Extracting Metrics from IoT Traffic

Considering that the Mirai botnet attacks aim to spread through the devices in the IoT network, a recent work [33] has proposed three metrics calculated using only the transmission times and lengths of packets. Since the correlation analysis presented in [33] has shown that these three metrics successfully capture the traces of Mirai botnet attack packets, this paper also uses these metrics, which are defined as follows:

  • Metric 1: The total size of the last N transmitted packets,

  • Metric 2: The average inter-transmission times of the last N packets,

  • Metric 3: The total number of packets that are transmitted in the last T seconds.

Furthermore, it has also been shown that an attack detector achieves its best performance using these metrics with importance coefficients. However, in order to design an attack detector with purely online training on only normal unlabeled traffic, we will treat these metrics equally, i.e. take each of their importance coefficients as 1/3.
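The three metrics above can be computed incrementally from packet times and lengths alone. The following sketch is an added example, not code from the paper or from [33]: the class and function names, the small window values (N = 4, T = 5 s) and the packet stream are constructed for illustration, and the handling of the first packet and of the window boundary is an assumption.

```python
from collections import deque


class MetricExtractor:
    """Sliding-window extractor for Metrics 1-3 (class name is hypothetical)."""

    def __init__(self, n_packets=500, t_seconds=100.0):
        self.n = n_packets
        self.t = t_seconds
        self.last_n = deque(maxlen=n_packets)  # (time, length) of the last N packets
        self.recent = deque()                  # send times inside the last T seconds
        self.size_sum = 0                      # running total for Metric 1

    def update(self, time, length):
        """Consume one packet and return (metric1, metric2, metric3)."""
        # Metric 1: total size of the last N packets, kept as a running sum
        # by subtracting the packet that is about to leave the window.
        if len(self.last_n) == self.n:
            self.size_sum -= self.last_n[0][1]
        self.last_n.append((time, length))
        self.size_sum += length

        # Metric 2: mean inter-transmission time. A window of c packets spans
        # c - 1 gaps; with a single packet there is no gap (assumed 0.0).
        count = len(self.last_n)
        mean_gap = (time - self.last_n[0][0]) / (count - 1) if count > 1 else 0.0

        # Metric 3: packets sent in the last T seconds. Assumption: the window
        # is (time - T, time], so a packet exactly T seconds old is dropped.
        self.recent.append(time)
        while self.recent[0] <= time - self.t:
            self.recent.popleft()
        return self.size_sum, mean_gap, len(self.recent)


def extract_all(packets, n_packets, t_seconds):
    """Run the extractor over a list of (time, length) tuples."""
    extractor = MetricExtractor(n_packets, t_seconds)
    return [extractor.update(ts, size) for ts, size in packets]


# Constructed stream: one 100-byte report every 10 s, then a burst of
# 60-byte packets every 0.5 s.
CONSTRUCTED_PACKETS = [(0.0, 100), (10.0, 100), (20.0, 100), (30.0, 100),
                       (30.5, 60), (31.0, 60), (31.5, 60), (32.0, 60)]

if __name__ == "__main__":
    for row in extract_all(CONSTRUCTED_PACKETS, n_packets=4, t_seconds=5.0):
        print(row)
```

On the constructed stream, the burst lowers Metrics 1 and 2 and raises Metric 3, which is the shift in traffic statistics that the detector is meant to register.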

The Dense-RNN model, which allows direct connectivity between neuron cells (in addition to the usual axon-dendrite interactions), has been proposed in [16, 20]. It is a specific form of the Random Neural Network (RNN) [12, 17] that uses clusters of RNN cells for deep learning.

Earlier research has shown the success of the conventional RNN model [19] in IoT systems for applications such as video quality evaluation [32], network design [9], and home climate control [25]. In the Dense RNN model, firing at any cell may trigger a direct firing at a neighboring cell as well as excite or inhibit any other cell in the neural network through corresponding weights. In addition, the probability p that any other cell in the network fires when a given cell fires represents the direct interaction between neuron cells.

4 Experimental Results

In order to evaluate the performance of our AA-Dense RNN based Botnet attack detector with incremental online learning, we use the publicly available Kitsune dataset [2, 31], which contains 764,137 normal and malicious packets for the Mirai Botnet attack. During the performance evaluation, we compare the performance of AA-Dense RNN under online training with that under offline training.

For AA-Dense RNN, we first set the number of neurons in each layer l as \(n_l = I = 3\), and \(p = 0.05\), \(r=0.001\) and \(\lambda ^+ = \lambda ^- = 0.1\). We also set \(N = 500\) packets and \(T = 100\) seconds for the extraction of metrics, and we set \(\varTheta = 0.02\) for the Attack Decision Maker module.

First, we evaluate the performance of the proposed AD method for a varying number of training packets K between 100 and 1000. In this way, we shall also select the best value of K and set it for the rest of this section.

Fig. 2. Average accuracy of AA-Dense RNN attack detector with incremental online learning for different values of \(K \in \{100, 250, 500, 750, 1000\}\)

Figure 2 presents the average classification accuracy (over all packets) for each value of \(K \in \{100, 250, 500, 750, 1000\}\). The results in Fig. 2 show that AA-Dense RNN with incremental online learning achieves its best performance for \(K=750\) packets, where the average accuracy equals 99.54. In addition, one may see that AA-Dense RNN achieves acceptable accuracy for all K.

5 Computation Time

For the proposed method, Table 1 presents the execution time (i.e. time elapsed) for making a decision on a single packet as well as for the initialization and incremental update stages of the training algorithm for \(K=750\). Note that we measured the computation times on a PC with 32 GB RAM and an AMD Ryzen 7 3.70 GHz processor.

The results in this table first show that the execution time of AA-Dense RNN is very low and acceptable for real-time attack detection. Also, we see that the initialization and incremental online learning of our method take 15 ms and 4.3 ms, respectively. As observed in the evaluated dataset, 4.3 ms is slightly less than the minimum measured time for transmission of 22 packets; that is, the parameters of AA-Dense RNN will be updated until the transmission of the 22nd packet after the incremental online learning phase has begun.

Table 1. Training and online run-times of the proposed attack detection method with incremental online learning

6 Conclusions

Devices in the Massive IoT segment are vulnerable targets for Mirai Botnet attacks as they are often deployed quickly with low-security measures. Therefore, in this paper, we developed a Mirai Botnet attack detection method based on Auto-Associative Dense Random Neural Network (AA-Dense RNN) with an incremental online learning algorithm. One of the main advantages of this method is that it learns the statistics of the normal (benign) IoT traffic when the IoT network is online, so it does not require collecting any (benign or attack) traffic beforehand.

We have evaluated the performance of the proposed method on a publicly available dataset containing 764,137 packet transmissions and compared the performance of the proposed online AA-Dense RNN based attack detection method with that of offline trained AA-Dense RNN.

Our experimental results show that the proposed method achieves 99.54% accuracy with 99.79% TPR and 98.19% TNR while both training time (initialization and update) and execution time are very small and highly acceptable for real-time lightweight Mirai Botnet attack detection.

Our future work will extend our design to detect various types of attacks via a single detector with incremental online training on only benign IoT traffic.