AI-Driven Fast and Early Detection of IoT Botnet Threats: A Comprehensive Network Traffic Analysis Approach
Abdelaziz Amara Korba, Aleddine Diaf, Yacine Ghamri-Doudane
TL;DR
The paper addresses the problem of early IoT botnet detection, focusing on stealth command-and-control communications that precede attacks. It proposes a comprehensive methodology combining packet-based and flow-based network traffic representations with five semi-supervised anomaly detectors to model normal traffic using minimal malicious data. On the IoT-23 dataset, packet-based detection achieves 100% recall with a low false-positive rate and sub-second delays, while flow-based detection reaches about 94% recall with similar low FPR, aided by a feature set dominated by Time-Based and Protocol-Based attributes and a 35% feature reduction. The work demonstrates the feasibility of proactive botnet prevention through rapid detection of reconnaissance and C2 traffic, offering practical implications for reducing botnet propagation and impact in IoT ecosystems.
Abstract
In the rapidly evolving landscape of cyber threats targeting the Internet of Things (IoT) ecosystem, and in light of the surge in botnet-driven Distributed Denial of Service (DDoS) and brute force attacks, this study focuses on the early detection of IoT bots. It specifically addresses the detection of stealth bot communication that precedes and orchestrates attacks. This study proposes a comprehensive methodology for analyzing IoT network traffic, including considerations for both unidirectional and bidirectional flows, as well as packet formats. It explores a wide spectrum of network features critical for representing network traffic and characterizing benign IoT traffic patterns effectively. Moreover, it delves into the modeling of traffic using various semi-supervised learning techniques. Through extensive experimentation with the IoT-23 dataset - a comprehensive collection featuring diverse botnet types and traffic scenarios - we have demonstrated the feasibility of detecting botnet traffic corresponding to different operations and types of bots, specifically focusing on stealth command and control (C2) communications. The results obtained have demonstrated the feasibility of identifying C2 communication with a 100% success rate through packet-based methods and 94% via flow-based approaches, with a false positive rate of 1.53%.
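The pipeline the abstract describes (bidirectional flow aggregation, time-based and protocol-based features, a detector fitted on benign traffic only, then recall and false-positive rate on held-out flows) is shown below as an added example. It is not the paper's code and does not use IoT-23: every packet, address and port is constructed sample data, and the mean/spread profile standing in for the paper's semi-supervised detectors is a deliberately simple stand-in chosen so the arithmetic is easy to follow.

```python
"""Added illustration (not the paper's code): bidirectional flow features plus a
semi-supervised anomaly detector fitted on benign flows only, scored by recall and FPR.
All packets, addresses and ports below are constructed sample data, not IoT-23 records."""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str     # "tcp" or "udp"
    size: int      # bytes on the wire


def flow_key(p):
    """Bidirectional key: both directions of one conversation map to the same tuple."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b), p.proto)


def flow_features(packets):
    """Group packets into bidirectional flows and derive time-based and
    protocol-based attributes of the kind the paper's feature set is built from."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    feats = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.ts)
        ts = [p.ts for p in pkts]
        iat = [b - a for a, b in zip(ts, ts[1:])]       # inter-arrival times
        initiator = pkts[0].src
        fwd = sum(p.size for p in pkts if p.src == initiator)
        bwd = sum(p.size for p in pkts if p.src != initiator)
        mean_iat = statistics.fmean(iat) if iat else 0.0
        # coefficient of variation of the IATs: near 0 means clock-like beaconing
        iat_cv = statistics.pstdev(iat) / mean_iat if len(iat) > 1 and mean_iat > 0 else 0.0
        feats[key] = {
            "duration": ts[-1] - ts[0],
            "pkts": float(len(pkts)),
            "mean_iat": mean_iat,
            "iat_cv": iat_cv,
            "bytes_ratio": fwd / (fwd + bwd),
            "is_tcp": 1.0 if key[2] == "tcp" else 0.0,
        }
    return feats


class BenignProfile:
    """Semi-supervised detector: learns per-feature mean and spread from benign flows
    only and flags a flow whose largest standardized deviation exceeds the threshold.
    A simple stand-in for the paper's learned anomaly detectors (hypothetical)."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.mu, self.sigma = {}, {}

    def fit(self, benign_feats):
        for n in next(iter(benign_feats.values())):
            col = [f[n] for f in benign_feats.values()]
            self.mu[n] = statistics.fmean(col)
            self.sigma[n] = max(statistics.pstdev(col), 1e-6)  # floor avoids divide-by-zero
        return self

    def score(self, f):
        return max(abs(f[n] - self.mu[n]) / self.sigma[n] for n in self.mu)

    def is_anomalous(self, f):
        return self.score(f) > self.threshold


def make_flow(client, cport, server, sport, proto, t0, iats, sizes):
    """Constructed conversation: packets alternate client->server, server->client."""
    pkts, t = [], t0
    for i, (gap, size) in enumerate(zip([0.0] + list(iats), sizes)):
        t += gap
        src, dst, sp, dp = (client, server, cport, sport) if i % 2 == 0 else (server, client, sport, cport)
        pkts.append(Packet(t, src, dst, sp, dp, proto, size))
    return pkts


def evaluate(detector, feats, c2_servers):
    """Recall and false-positive rate over labelled test flows; a flow is malicious
    when either endpoint is one of the constructed C2 server addresses."""
    tp = fp = fn = tn = 0
    for key, f in feats.items():
        malicious = key[0][0] in c2_servers or key[1][0] in c2_servers
        flagged = detector.is_anomalous(f)
        tp, fn, fp, tn = (tp + (malicious and flagged), fn + (malicious and not flagged),
                          fp + (flagged and not malicious), tn + (not malicious and not flagged))
    return {"recall": tp / (tp + fn) if tp + fn else 0.0,
            "fpr": fp / (fp + tn) if fp + tn else 0.0}


def run_demo():
    web, dns, c2 = "93.184.216.34", "192.168.1.1", "203.0.113.7"   # constructed addresses
    benign_train = (  # short, irregular web and DNS conversations only: no malicious data at fit time
        make_flow("192.168.1.10", 40001, web, 443, "tcp", 0.0, [0.05, 0.12, 0.03, 0.40, 0.08], [517, 1460, 66, 1200, 66, 300])
        + make_flow("192.168.1.11", 40002, web, 443, "tcp", 10.0, [0.07, 0.20, 0.02, 0.90, 0.15, 0.33], [517, 1460, 66, 1460, 66, 800, 66])
        + make_flow("192.168.1.10", 40003, web, 443, "tcp", 20.0, [0.10, 0.05, 0.60], [400, 1300, 66, 66])
        + make_flow("192.168.1.12", 40004, web, 443, "tcp", 30.0, [0.03, 0.30, 0.02, 0.25, 0.05, 0.50, 0.10], [600, 1460, 66, 1460, 66, 1000, 66, 66])
        + make_flow("192.168.1.10", 53000, dns, 53, "udp", 40.0, [0.02], [70, 120])
    )
    test = (  # one unseen benign web flow plus two beaconing bots: tiny keep-alives at a fixed period
        make_flow("192.168.1.13", 40005, web, 443, "tcp", 50.0, [0.06, 0.15, 0.04, 0.35], [500, 1400, 66, 900, 66])
        + make_flow("192.168.1.12", 51000, c2, 6667, "tcp", 100.0, [60.0] * 19, [48] * 20)
        + make_flow("192.168.1.14", 51001, c2, 6667, "tcp", 130.0, [30.0] * 9, [52] * 10)
    )
    detector = BenignProfile(threshold=3.0).fit(flow_features(benign_train))
    test_feats = flow_features(test)
    return evaluate(detector, test_feats, {c2}), test_feats, detector


if __name__ == "__main__":
    print(run_demo()[0])
```

The two beacon flows stand out on several of the time-based attributes at once (duration three orders of magnitude above benign, zero inter-arrival variation, near-equal byte counts in both directions), so a benign-only profile catches them without ever having seen a bot. Note that these features exist only once a conversation has been aggregated into a flow; that is one reason per-packet scoring, which the paper reports with sub-second delay, can raise an alert earlier than a flow-based detector.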
