
N-BaIoT: Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders (1805.03409v1)

Published 9 May 2018 in cs.CR and cs.LG

Abstract: The proliferation of IoT devices which can be more easily compromised than desktop computers has led to an increase in the occurrence of IoT based botnet attacks. In order to mitigate this new threat there is a need to develop new methods for detecting attacks launched from compromised IoT devices and differentiate between hour and millisecond long IoT-based attacks. In this paper we propose and empirically evaluate a novel network based anomaly detection method which extracts behavior snapshots of the network and uses deep autoencoders to detect anomalous network traffic emanating from compromised IoT devices. To evaluate our method, we infected nine commercial IoT devices in our lab with two of the most widely known IoT based botnets, Mirai and BASHLITE. Our evaluation results demonstrated our proposed method's ability to accurately and instantly detect the attacks as they were being launched from the compromised IoT devices which were part of a botnet.

Citations (952)

Summary

  • The paper demonstrates the innovative use of deep autoencoders to accurately identify anomalous network traffic from compromised IoT devices.
  • It leverages statistical features of benign traffic to train models that achieve a 100% true positive rate and an average detection time of 174 ms.
  • The method outperforms traditional techniques by maintaining a low false positive rate, promising scalable solutions for IoT network security.

Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders

The proliferation of Internet of Things (IoT) devices has exponentially increased the susceptibility of networks to botnet attacks. In the paper "N-BaIoT: Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders," the authors present a significant advancement by employing deep autoencoders to detect anomalous network traffic associated with compromised IoT devices. The empirical evaluation demonstrates the proposed method's efficacy in detecting IoT-based botnet attacks in real time.

Method Overview

The proposed detection method leverages deep learning, specifically autoencoders, to perform network-based anomaly detection. By monitoring network behavior snapshots and identifying unusual traffic patterns, the method offers robust detection capabilities. The autoencoders are trained on statistical features derived from benign traffic, allowing them to learn the normal behavior of multiple IoT devices. This training enables the autoencoders to recognize and flag deviations indicative of malicious activity.
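The train-on-benign, flag-on-reconstruction-error loop described above, as an added example that is not code from the paper or its authors. The eight constructed features, the 8-3-8 layer sizes, the mean-plus-one-standard-deviation threshold and the 20x "flood" traffic are all assumptions made for illustration.

```python
import numpy as np

MIX = np.random.default_rng(7).normal(size=(2, 8))  # constructed feature correlations

def make_traffic(rng, n, attack=False):
    """Constructed per-window traffic statistics: 8 features driven by 2 latent factors."""
    x = 100 + 10 * rng.normal(size=(n, 2)) @ MIX + rng.normal(scale=0.5, size=(n, 8))
    return x * 20 if attack else x  # constructed flood: every statistic jumps 20x

class Autoencoder:
    """One-hidden-layer autoencoder (tanh bottleneck) trained by full-batch gradient descent."""
    def __init__(self, d, hidden, rng):
        self.W1 = rng.normal(scale=0.3, size=(d, hidden)); self.b1 = np.zeros(hidden)
        self.W2 = rng.normal(scale=0.3, size=(hidden, d)); self.b2 = np.zeros(d)

    def forward(self, x):
        h = np.tanh(x @ self.W1 + self.b1)
        return h, h @ self.W2 + self.b2

    def fit(self, x, epochs=3000, lr=0.05):
        n, d = x.shape
        for _ in range(epochs):
            h, y = self.forward(x)
            g_y = 2 * (y - x) / (n * d)             # gradient of mean squared error w.r.t. output
            g_a = (g_y @ self.W2.T) * (1 - h ** 2)  # back-propagated through tanh
            self.W2 -= lr * h.T @ g_y; self.b2 -= lr * g_y.sum(0)
            self.W1 -= lr * x.T @ g_a; self.b1 -= lr * g_a.sum(0)

    def mse(self, x):
        """Per-sample reconstruction error, used as the anomaly score."""
        return ((self.forward(x)[1] - x) ** 2).mean(axis=1)

def run_demo(seed=0):
    rng = np.random.default_rng(seed)
    train, val, test = (make_traffic(rng, n) for n in (1000, 400, 400))
    attack = make_traffic(rng, 200, attack=True)
    mu, sd = train.mean(0), train.std(0)        # scaling is learned from benign data only
    norm = lambda x: (x - mu) / sd
    ae = Autoencoder(8, 3, rng)
    ae.fit(norm(train))                         # the model never sees attack traffic
    val_err = ae.mse(norm(val))
    threshold = float(val_err.mean() + val_err.std())  # assumed rule: mean + 1 std of benign error
    fpr = float((ae.mse(norm(test)) > threshold).mean())
    tpr = float((ae.mse(norm(attack)) > threshold).mean())
    return threshold, fpr, tpr

if __name__ == "__main__":
    print("threshold=%.4f fpr=%.3f tpr=%.3f" % run_demo())
```

The threshold is fitted on held-out benign windows rather than the training set, so the false positive rate it reports reflects traffic the model has not memorized.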

Evaluation

The empirical evaluation is grounded in a comprehensive laboratory setup where nine commercial IoT devices were infected with two prevalent IoT-based botnets: Mirai and BASHLITE. The deployment captures realistic network data and attack scenarios to assess the detection method's performance.

Key findings from the experiments include:

  1. True Positive Rate (TPR): The method achieved a TPR of 100%, successfully identifying all botnet attacks across the tested devices. This surpasses the other methods: Local Outlier Factor (LOF) and One-Class SVM reached similarly high TPRs but with variability, and Isolation Forest performed worse.
  2. False Positive Rate (FPR): The proposed method maintained a low and consistent FPR of 0.007 ± 0.01, outperforming other models such as LOF (0.086 ± 0.081), One-Class SVM (0.026 ± 0.029), and Isolation Forest (0.027 ± 0.041).
  3. Detection Timeliness: The average detection time was 174 ± 212 milliseconds, markedly quicker than other comparison methods. This swift detection facilitates immediate defensive responses, minimizing potential damage from ongoing attacks.

Implications and Future Directions

The paper demonstrates the practical and theoretical implications of using deep autoencoders for network-based anomaly detection in IoT environments. The method's ability to detect sophisticated botnet attacks with minimal false positives and immediate alerting signifies its applicability in enhancing network security for large enterprises.

Future research could explore several directions:

  1. Predictability Metrics: Quantifying an IoT device's traffic behavior predictability could provide insights into optimizing detection models. This involves formalizing the relationship between device capabilities, network communication patterns, and detection accuracy.
  2. Transfer Learning: Implementing transfer learning techniques could enhance the method's scalability, allowing models trained on particular devices to be applied across different networks or identical device models without retraining.
  3. Hybrid Models: Integrating other deep learning models with autoencoders could further improve anomaly detection accuracy and robustness.

Conclusion

The methodology presented in "N-BaIoT: Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders" provides a highly effective and efficient solution for defending against increasing botnet threats in IoT environments. The deployment of deep autoencoders to capture and identify anomalous network behavior marks a considerable contribution to the domain of IoT security. The rigorous empirical evaluation and strong numerical results validate the method's potential for real-world applications in ensuring robust network protection against IoT-based botnet attacks.
