2. Internet of Things
• The IoT is a network of physical objects or things embedding electronics,
software, sensors and network connections that collect and facilitate the
exchange of data. The IoT serves as a conceptual background for smart
systems and applications such as the smart grid, building and home
automation systems such as SCADA, healthcare and medical systems,
environmental monitoring systems and industrial systems.
3. Cont.
• However, in recent years, IoT devices have become prone to physical,
network and application-layer attacks. As a result, the number of IoT-based
Distributed Denial of Service (DDoS) attacks has increased rapidly in recent
years. A bot is a device that has been compromised by malware and can be
controlled remotely by hackers. IoT botnets are collections of compromised
devices such as cameras, routers, wearables and other embedded hardware
technologies infected with malware. Botnet owners/masters are able to
control such infected equipment and issue commands to perform malicious
activities such as malware attacks, social engineering attacks, distributed
denial of service (DDoS) attacks, sending spam email and information theft.
4. Proposed Architecture of Mirai Malware
The Mirai botnet is a self-propagating botnet malware that has the ability to infect tens of thousands of insecure devices and control them to launch a DDoS attack against a chosen victim, causing a flash crowd. Mirai has two components: the virus itself and the command-and-control server (CnC). The virus uses the attack vectors, and a scanner continuously monitors the network looking for other devices to compromise. The CnC controls the compromised devices, sending them instructions to launch attacks against one or more victims.
A scanner runs continuously on each bot and uses the telnet protocol. A bot uses two types of vectors, called the attack vector and the infection vector. The former is used to execute DDoS attacks on the target website. The infection vector is used to spread malware in the network.
9. Materials and method
• The architecture of the proposed system shown in Fig. 1 represents the major components of the
system, their relationships and the interactions between them.
• The system first considers the botnet construction phase, during which the network is scanned for
vulnerable IoT devices onto which the malware is loaded. Botnet detection is implemented through a
sparse autoencoder that uses data compression to enhance performance. Cryptojacking is
detected to avoid illegitimate mining and ensure optimal resource usage. The final phase
controls the propagation of an IoT botnet by deploying a honeypot that simulates the behavior of a
vulnerable IoT device. The main goal of the proposed system is to develop an NN model that
detects and confronts botnet propagation and cryptojacking by using pattern analysis and outlier
detection methods.
• The bot master logs into the CnC server and issues control commands to IoT devices. The
scanner performs a dictionary attack on the victim IoT devices and tries to log in to the telnet or
SSH server of the IoT device. If the login attempt is successful, the scanner reports the IP address
of the IoT device back to the loader. The loader transforms the IoT device into an IoT bot by
downloading the cryptojacking malware to the device and running it. The cross-compiler compiles
the botnet source code into executables and binaries for the various target platforms of IoT devices.
Once the botnet malware has compromised the victim’s system, the cryptomining activity is carried
out by sending the appropriate commands.
10. Setting up a Mirai botnet
• Mirai is a variant of IoT botnet malware that has taken advantage of
significant gaps in IoT device security. Mirai is based on a client–server
model. A virtual private server (VPS) on AWS Lightsail is rented for hosting
the Mirai malware. It is a Debian VPS with 512 MB of RAM, 1 virtual CPU
and 20 GB SSD. It hosts three servers and utilities. The command-and-
control server launches the attack vectors by providing a root login to the bot
master. The scanner scans for vulnerable IoT devices on ports 23 (telnet),
22 (SSH) and 80 (HTTP). The loader loads the Mirai variant and the
cryptominer onto the IoT device provided by the scanner. Utilities such as a
MySQL database, cross-compilers and attack vectors are also hosted on the
VPS.
11. Scanner and loader
• The scanner serves the purpose of identifying the vulnerable devices on the network. It performs port scanning on telnet port 23, SSH port 22 and HTTP port 80 looking for vulnerable IoT devices. Afterward, it launches a dictionary attack on the port that was open during port scanning. The scanner, running on port 48101 of the virtual private server, gains access to the IoT devices. Once shell access has been obtained, the IP address of the bot is sent to the loader. The loader performs two operations: loading both the Mirai and cryptojacking malware onto the vulnerable IoT device, and acting as a listening server by reporting all the login attempts and maintaining a whitelist of the identified potential bots on the MySQL server. Continuous scanning by the loader ensures that the device is reinfected if it has been rebooted. With the help of a utility called BusyBox, the precompiled Mirai variant and cryptominer are downloaded using wget and TFTP. This IoT bot in turn infects the vulnerable devices in its vicinity by recursively performing the port scanning and dictionary attacks.
12. Command-and-control server
• The CnC server in Fig. 2 is the powerhouse of the botnet architecture and
issues commands to the IoT bots to launch large-scale attacks. The bot
master logs in as root into the CnC server. The server runs on telnet port 23
on the VPS. The username and password of the bot master are entered at
the login prompt to obtain root access. Once root access has been
gained, a command is issued from the CnC server to start the execution of
the cryptominer in the background. As the miner performs mining activities
without the knowledge of the user, this process can be considered
cryptojacking. Various attack vectors are installed on the CnC to launch
Distributed Denial of Service (DDoS) attacks. The various DDoS floods,
such as GRE-ETH, UDPPlain, HTTP, UDP, VSE, DNS, SYN, ACK, STOMP
and GRE-IP, are executed from the “attack.go” file.
14. IoT botnet detection
• A sparse autoencoder is a neural network-based anomaly detector trained to reconstruct its inputs
after some compression. During compression, the sparsity factor keeps the activation rate
low, so that a neuron in the hidden layer activates only for a small fraction of the training
samples. Compression ensures that the network learns meaningful concepts and the relations
among its input features. The network packets are collected during two different phases. The first
phase occurs before the network has become a botnet. The traffic during this phase is
characteristic of the normal behavior of the network and is used for training the anomaly detector.
In the second phase, the data are collected after the network has turned into a botnet. Such traffic
exhibits the anomalous behavior of the botnet and is used for detection. The data collected are
categorized into three datasets:
• 1. Training set (DStrn) used for training the sparse autoencoder to perform anomaly detection,
• 2. Optimization set (DSopt) used for optimizing the learning rate and epochs until the mean square
error (MSE) stops decreasing
• 3. Testing set (DStest) used for calculating the accuracy of the trained anomaly detector.
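As an added illustration (not the authors' code), the following Python sketch trains a one-hidden-layer sparse autoencoder with a KL sparsity penalty on constructed normal-traffic features (DStrn), uses DSopt to pick the learning rate and a reconstruction-error threshold, and scores DStest for precision and recall. The four flow features, their values, the 3-sigma threshold and all hyperparameters are assumptions.

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def train_sae(X, hidden=4, rho=0.05, beta=0.5, lr=0.5, epochs=300, seed=0):
    """One-hidden-layer sparse autoencoder trained by gradient descent on
    MSE(reconstruction) + beta * KL(rho || mean hidden activation)."""
    rng = np.random.default_rng(seed)
    n, d = X.shape
    W1 = rng.normal(0, 0.1, (d, hidden)); b1 = np.zeros(hidden)
    W2 = rng.normal(0, 0.1, (hidden, d)); b2 = np.zeros(d)
    for _ in range(epochs):
        H = sigmoid(X @ W1 + b1)                 # compressed code
        R = sigmoid(H @ W2 + b2)                 # reconstruction
        rho_hat = H.mean(axis=0)                 # activation rate per hidden unit
        dR = (R - X) * R * (1 - R) * (2.0 / n)   # gradient at the output pre-activation
        kl = beta * (-rho / rho_hat + (1 - rho) / (1 - rho_hat)) / n  # sparsity penalty
        dH = (dR @ W2.T + kl) * H * (1 - H)
        W2 -= lr * (H.T @ dR); b2 -= lr * dR.sum(axis=0)
        W1 -= lr * (X.T @ dH); b1 -= lr * dH.sum(axis=0)
    return W1, b1, W2, b2

def recon_error(model, X):
    W1, b1, W2, b2 = model
    R = sigmoid(sigmoid(X @ W1 + b1) @ W2 + b2)
    return ((R - X) ** 2).mean(axis=1)           # per-sample MSE

def make_flows(n, centre, seed):
    """Constructed per-flow features scaled to [0,1]: pkts/s, bytes/s, distinct dst ports, SYN ratio."""
    rng = np.random.default_rng(seed)
    return np.clip(rng.normal(centre, 0.03, (n, 4)), 0, 1)

def run_detector():
    ds_trn = make_flows(200, 0.2, 1)             # DStrn: traffic before infection
    ds_opt = make_flows(50, 0.2, 2)              # DSopt: held-out normal traffic
    ds_test = np.vstack([make_flows(30, 0.2, 3), make_flows(30, 0.85, 4)])  # DStest
    labels = np.array([0] * 30 + [1] * 30)       # 1 = botnet flows (flooding pattern)
    # DSopt picks the learning rate with the lowest reconstruction MSE (assumed procedure)
    lr = min((0.1, 0.5, 1.0), key=lambda r: recon_error(train_sae(ds_trn, lr=r), ds_opt).mean())
    model = train_sae(ds_trn, lr=lr)
    err = recon_error(model, ds_opt)
    threshold = err.mean() + 3 * err.std()       # anomaly = error well outside the normal range
    flagged = recon_error(model, ds_test) > threshold
    tp = int((flagged & (labels == 1)).sum()); fp = int((flagged & (labels == 0)).sum())
    fn = int((~flagged & (labels == 1)).sum())
    return {"lr": lr, "precision": tp / max(tp + fp, 1), "recall": tp / max(tp + fn, 1)}
```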
15. Cryptojacking detection
• Though the botnet has been detected, the cryptomining activity will still be running in the
background on the IoT device, consuming all of its resources. The proposed cryptomining detection
method has several stages, as explained briefly below.
• Detection based on network traffic:
• Most of the mining activities are performed using the Stratum mining protocol. Stratum is a line-based
protocol using plain TCP sockets, with the payload encoded as a JSON-RPC message. There is a
high probability that mining activity can be detected if Stratum packets are observed in the network
traffic. The request and reply messages are constructed using JSON-RPC. The network traffic is
captured and analyzed to obtain the request “ids” and their corresponding reply messages. The packet
payloads are decoded from hexadecimal and listed by timestamp and IP address. The packets are
analyzed using a regular expression to detect a pattern. Once a recognized pattern has been
detected, the IP and port information are used to obtain the process id of the malware so that a
kill signal (SIGKILL) can be sent to it.
• Detection based on resource usage:
• Another important indicator arises from anomalies in CPU usage over time. If cryptojacking
malware were running, the IoT device would use all of its resources to perform complex
computations, which would result in high CPU or GPU and memory usage. The CPU usage over a
certain period of time is recorded so that anomalies in it can be detected.
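The two detection stages above, as an added example that is not the paper's code: a regular expression over decoded payloads picks out Stratum JSON-RPC methods, a request is paired with the peer's reply by id before the client endpoint is flagged (a lone string match is not enough), and a median/MAD outlier test reports where a sustained CPU jump begins. The capture records, the CPU series, the baseline window and the thresholds are all constructed assumptions; the process lookup and SIGKILL step is left out.

```python
import json
import re
import statistics
# JSON-RPC method names used by the Stratum mining protocol.
STRATUM_RE = re.compile(r'"method"\s*:\s*"mining\.(subscribe|authorize|notify|submit|set_difficulty)"')

# Constructed capture: (timestamp, src_ip, src_port, dst_ip, dst_port, decoded payload).
CAPTURE = [
    (1.00, "192.168.1.20", 51234, "203.0.113.9", 3333, '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}'),
    (1.05, "203.0.113.9", 3333, "192.168.1.20", 51234, '{"id": 1, "result": [[["mining.notify", "ae6812"]], "08000002", 4], "error": null}'),
    (1.10, "192.168.1.20", 51234, "203.0.113.9", 3333, '{"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}'),
    (1.15, "203.0.113.9", 3333, "192.168.1.20", 51234, '{"id": 2, "result": true, "error": null}'),
    (2.00, "192.168.1.21", 40000, "198.51.100.5", 80, "GET /index.html HTTP/1.1"),
    (2.50, "192.168.1.22", 40500, "198.51.100.7", 80, '{"id": 7, "method": "get_status", "params": []}'),
]

def parse_json(payload):
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    return msg if isinstance(msg, dict) else None

def detect_stratum(capture):
    """Return {(client_ip, client_port): [ids]} for endpoints whose Stratum requests
    received a JSON-RPC reply carrying the same id from the peer."""
    pending, flagged = set(), {}
    for _ts, sip, sport, dip, dport, payload in sorted(capture):
        msg = parse_json(payload)
        if msg is None or msg.get("id") is None:
            continue                                   # not JSON-RPC, or a notification
        if STRATUM_RE.search(payload):
            pending.add((dip, dport, sip, sport, msg["id"]))   # reply expected from peer
        elif "result" in msg and (sip, sport, dip, dport, msg["id"]) in pending:
            flagged.setdefault((dip, dport), []).append(msg["id"])
    return flagged

# Constructed CPU utilisation (%) sampled every 5 s on one IoT device.
CPU_SAMPLES = [3, 4, 2, 5, 3, 4, 6, 3, 2, 4, 3, 5, 4, 3, 2, 97, 98, 99, 97, 98, 99, 98]

def cpu_outliers(samples, baseline=10, sustain=3, z=3.5):
    """Robust z-score (median/MAD) vs the first `baseline` samples; index where `sustain` outliers start."""
    base = samples[:baseline]
    med = statistics.median(base)
    mad = statistics.median(abs(v - med) for v in base) or 1.0
    run = 0
    for i, v in enumerate(samples):
        run = run + 1 if 0.6745 * (v - med) / mad > z else 0   # 0.6745 scales MAD to sigma
        if run == sustain:
            return i - sustain + 1
    return None
```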
17. Conclusions
• The exponential growth of IoT devices has made it easier to perform many tasks
through automation. However, such devices remain rather insecure, which allows them
to become compromised and used without authorization. IoT botnets represent one
major threat to Internet security and cloud providers. We have demonstrated our
proposed method by setting up bots running variants of Mirai and forming an IoT botnet
that generates a very large number of requests, causing a flash crowd. The proposed
sparse autoencoder and outlier detection method provide an efficient way of
detecting and controlling IoT botnets and cryptojacking by forecasting them in advance.
The proposed sparse autoencoder system detects an IoT botnet with accuracy,
precision and recall of 99.69%, 100% and 99.39%, respectively, and attains an F1 score
of 0.99. The outlier detection method attains a misclassification rate of 1.5%, thereby
curtailing most of the illegitimate requests. The performance improvement demonstrated
on the Amazon cloud platform is a 19% improvement in processing time, 34%
optimization of connection time and 18% reduction in waiting time. This study can be
further extended by controlling botnet propagation in a network through a tightly coupled
decentralized peer-to-peer detection system that efficiently identifies malicious traffic
across federated clouds.
Editor's Notes
SCADA is an acronym for supervisory control and data acquisition, a computer system for gathering and analyzing real time data. SCADA systems are used to monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining and transportation.