IoTDS: A One-Class Classification Approach to Detect Botnets in Internet of Things Devices
Author: | Victor G. Turrisi da Costa, Rodrigo Sanches Miani, Bruno Bogaz Zarpelão, Sylvio Barbon Junior, Vitor Hugo Bezerra |
---|---|
Contributors: | Bezerra, Vh, da Costa, Vgt, Barbon Junior, S, Miani, R, Zarpelao, Bb |
Language: | English |
Year of publication: | 2019 |
Subject: | Energy utilization, Clustering algorithms, host-based, Computer science, Internet of Things, Botnet, Anomaly detection, 02 engineering and technology, lcsh:Chemical technology, computer.software_genre, Biochemistry, Article, Analytical Chemistry, Clustering algorithm, 0202 electrical engineering electronic engineering information engineering, One-class classification, lcsh:TP1-1185, HTTP, Personnel training, Statistics, Support vector machines, Isolation (database systems), Electrical and Electronic Engineering, botnet, Instrumentation, Statistic, business.industry, 020206 networking & telecommunications, Atomic and Molecular Physics and Optics, anomaly detection, Malware, 020201 artificial intelligence & image processing, business, Host (network), computer, Computer network |
Source: | Sensors, Volume 19, Issue 14; Sensors (Basel, Switzerland); Sensors, Vol 19, Iss 14, p 3188 (2019) |
ISSN: | 1424-8220 |
DOI: | 10.3390/s19143188 |
Description: | Internet of Things (IoT) devices have become increasingly widespread. Despite their potential for improving multiple application domains, these devices have poor security, which can be exploited by attackers to build large-scale botnets. In this work, we propose a host-based approach to detect botnets in IoT devices, named IoTDS (Internet of Things Detection System). It relies on one-class classifiers, which model only the legitimate device behaviour and then detect deviations from it, avoiding the manual labelling process. The proposed solution is underpinned by a novel agent-manager architecture based on HTTPS, which prevents the IoT device from being overloaded by the training activities. To analyse the device's behaviour, the approach extracts features from the device's CPU utilisation and temperature, memory consumption, and number of running tasks, meaning that it does not make use of network traffic data. To test our approach, we used an experimental IoT setup containing a device compromised by bot malware. Multiple scenarios were made, including three different IoT device profiles and seven botnets. Four one-class algorithms (Elliptic Envelope, Isolation Forest, Local Outlier Factor, and One-class Support Vector Machine) were evaluated. The results show the proposed system has a good predictive performance for different botnets, achieving a mean F1-score of 94% for the best performing algorithm, the Local Outlier Factor. The system also presented a low impact on the device's energy consumption, and CPU and memory utilisation. |
Database: | OpenAIRE |
External link: | |