Detecting and Confronting Flash Attacks from IoT Botnets

Detecting and Confronting Flash Attacks from IoT Botnets

• 1.
  Detecting & Confronting FlashAttacks From IoT Botnets Presented By: Farjad Noor
• 2.
  Internet of Things •The IoT is a network of physical objects or things embedding electronics, software, sensors and network connections that collects and facilitates the exchange of data. The IoT serves as a conceptual background for smart systems and applications such as the smart grid, building and home automation systems such as SCADA, healthcare and medical systems, environmental monitoring systems and industrial systems.
• 3.
  Cont.. • However, inrecent years, IoT devices have become prone to physical, network and application-layer attacks. As a result, the number of IoT-based Distributed Denial of Service (DDoS) attacks has increased rapidly in recent years. A bot is a device that has been compromised by malware and can be controlled remotely by hackers. IoT botnets are collections of compromised devices such as cameras, routers, wearables and other embedded hard- ware technologies infected with malware. Botnet owners/masters are able to control such infected equipment and issue commands to perform malicious activities such as malware attacks, social engineering attacks, distributed denial of service (DDoS) attacks, sending spam email and information theft.
• 4.
  Proposed Architecture of Mirai Malware TheMirai botnet is a self-propagating botnet malware that has the ability to infect tens of thousands of insecure devices and con-trol them to launch a DDoS attack against a chosen victim causing a flash crowd. Mirai has two components: the virus itself and the command-and-control server (CnC). The virus uses the attack vectors, and a scanner continuously monitors the network looking for other devices to compromise. The CnC controls the com-promised devices, sending them instructions to launch attacks against one or more victims. A scanner runs continuously on each bot and uses the telnet protocol. A bot uses two types of vectors called the attack vector and the infection vector. The former is used to execute DDoS attacks on the target website. The infection vec-tor is used to spread malware in the network.
• 5.
  RELATED WORK
• 6.
  Botnet detection techniques Botnetdetection techniques • Dong • Binkley • Gu • Zeidanloo • Yen • Jelasity • Villamarin • Nagaraja • Perdisci • Zhang • Chen • Strayer • Bahsi • Zhao • Al-Jarrah • Meidan • Gopal • Habibi • Hossein Honeypots • Anirudh • Khattab • Provos Cryptomining • Eskandari • Zareh • Carlin • Hong • Saad • Wyke • Dong • Binkley • Gu • Zeidanloo • Yen • Jelasity • Villamarin • Nagaraja • Perdisci • Zhang • Chen • Strayer • Bahsi • Zhao • Al-Jarrah • Meidan • Gopal • Habibi • Hossein
• 8.
  MATERIALS AND METHOD
• 9.
  Materials and method •The architecture of the proposed system shown in Fig. 1 represents the major components of the system, their relationships and the interactions between them. • The system first considers the botnet construction phase, during which the network is scanned for vulnerable IoT devices for loading the malware. The detection of a botnet is implemented through sparse autoencoder that uses data compression to enhance performance. Cryptojacking is detected to avoid illegitimate mining and ensure an optimal resource usage. The final phase controls the propagation of an IoT botnet by deploying a honeypot that simulates the behavior of a vulnerable IoT device. The main goal of the proposed system is to develop an NN model that detects and confronts botnet propagation and cryptojacking by using pattern analysis and outlier detection methods. • The bot master logs into the CnC server and issues control commands to IoT devices. The scanner performs a dictionary attack on the victim IoT devices and tries to login into the telnet or SSH server of the IoT device. If the login attempt is successful, the scanner reports the IP address of the IoT device back to the loader. The loader transforms the IoT device into an IoT bot by downloading the cryptojacking malware to the device and running it. The cross-compiler compiles the botnet source code into executables and binaries for various target platforms of IoT devices. Once the botnet malware compromises the victim’s system, the cryptomining activity is carried over by sending appropriate commands.
• 10.
  Setting up aMirai botnet • Mirai is a variant of IoT botnets malware that has taken advantage of significant gaps in IoT device security. Mirai is based on a client–server model. A virtual private server (VPS) on AWS Lightsail is rented for hosting the Mirai malware. It is a Debian VPS with 512 MB of RAM, 1 virtual CPU and 20 GB SSD. It hosts three servers and utilities. The command-and- control server launches the attack vectors by providing a root login to the bot master. The scanner scans for vulnerable IoT devices on ports 23 (telnet), 22 (SSH) and 80 (HTTP). The loader loads the Mirai variant and the cryptominer onto the IoT device provided by the scanner. Utilities such as a MySQL database, cross-compilers and attack vectors are also hosted on the VPS.
• 11.
  Scanner and loader •The scanner serves the purpose of identifying the vulnerable devices on the network. It performs port scanning on telnet port 23, SSH port 22 and HTTP port 80 looking for vulnerable IoT devices. Afterward, it launches a dictionary attack on the port that was open during port scanning. The scanner, running on port 48101 of the virtual private server, gains access to the IoT devices. Once shell access has been obtained, the IP address of the bot is sent to the loader. An ongoing scanning by the loader ensures that the vulnerable device is reinfected if it has been rebooted. The loader performs two operations: loading both the Mirai and cryptojacking malware onto the vulnerable IoT device and acting as a listening server by reporting all the login attempts and maintaining a whitelist of the identified potential bots on the MySQL server. Continuous scanning of loader ensures that the device gets infected again if it has been rebooted. With the help of a utility called BusyBox, the precompiled Mirai variant and cryptominer are downloaded using wget and TFTP. This IoT bot in turn infects the vulnerable devices in its vicinity by recursively performing the port scanning and dictionary attacks.
• 12.
  Command-and-control server • TheCnC server in Fig. 2 is the powerhouse of the botnet architecture and issues command to IoT botnets to launch large-scale attacks. The bot master logs in as root into the CnC server. The server runs on telnet port 23 on the VPS. The username and password of the bot master are entered at the login prompt to obtain root access. Once the root access has been gained, a command is issued from the C&C Server to start the execution of Cryptominer in the background. As the miner performs mining activities without the knowledge of the user, this process can be considered as Cryptojacking. Various attack vectors are installed into the C&C to launch Distributed Denial of Service (DDoS) attack. Various floods for DDoS attack such as GRE-ETH, UDPPlain, HTTP, UDP, VSE, DNS, SYN, ACK, STOMP and GRE-IP are executed from the “attack.go” file.
• 13.
  FLASH ATTACK PREVENTION
• 14.
  IoT botnet detection •A sparse autoencoder is a neural network-based anomaly detector trained to reconstruct its inputs after some compression. During compression, the sparsity factor ensures that the activation rate stays low so that a neuron in the hidden layer activates only for a small fraction of the training sample. Compression ensures that the network learns meaningful concepts and the relations among its input features. The network packets are collected during two different phases. The first phase occurs before the network has become a botnet. The traffic during this phase is the characteristics of the normal behavior of the network and is used for training the anomaly detector. In the second phase, the data are collected after the network has turned into a botnet. Such traffic exhibits the anomalous behavior of the botnet and is used for detection. The data collected are categorized into three datasets: • 1. Training set (DStrn) used for training the sparse autoencoder to perform anomaly detection, • 2. Optimization set (DSopt) used for optimizing the learning rate and epochs until the mean square error (MSE) stops decreasing • 3. Testing set (DStest) used for calculating the accuracy of the trained anomaly detector.
• 15.
  Cryptojacking detection • Thoughthe botnet has been detected, the cryptomining activity will still be running in the background on the IoT device, consuming all the resources. The proposed cryptomining detection method has several stages, as explained briefly below. Detection based on network traffic: Most of the mining activities are performed using the Stratum mining protocol. Stratum is a line-based protocol using plain TCP sockets, with payload encoded as a JSON-RPC message. There is a high probability that mining activity can be detected if Stratum packets are observed in the network traffic. The request and reply messages are constructed using JSON-RPC. The network traffic is captured and analyzed to obtain the consequent “ids” and their reply messages. The decoded hexadecimal values of the entirety of data in the packets will be displayed according to their timestamps and IPs. The packets are analyzed using a regular expression to detect a pattern. Once a recognized pattern has been detected, the IP and port information are used to obtain the process id of the malware so that a kill signal (SIGKILL) can be sent to it. • Detection based on resource usage: • Another important constraint arises from the anomalies in CPU usage over time. If cryptojacking malware was running, the IoT device would use all of its resources to perform complex computations, which would result in high CPU or GPU and memory usage. The CPU usage over a certain period of time is obtained so that anomalies in it can be detected.
• 16.
  CONCLUSIONS
• 17.
  Conclusions • The exponentialgrowth of IoT devices has made it easier to perform many tasks through automation. However, such devices remain rather insecure, which allows them to become compromised and used without authorization. IoT botnets represent one major threat to Internet security and cloud providers. We have demonstrated our proposed method by setting up bots running variants of Mirai and forming an IoT botnet that generates a very large number of requests, causing a flash crowd. The proposed sparse autoencoder and an outlier detection method provide an effi-cient way of detecting and controlling IoT botnets and cryptojacking by forecasting them in advance. The proposed sparse autoencoder system detects an IoT botnet with accuracy, precision and recall of 99.69%, 100% and 99.39%, respectively, and attains an F1 score of 0.99. The outlier detection method attains a misclassification rate of 1.5%, thereby curtailing most of the illegitimate requests. The performance improvement demonstrated on the Amazon cloud platform is a 19% improvement in processing time, 34% optimization of connection time and 18% reduction in waiting time. This study can be further extended by controlling botnet propagation in a network through a tightly coupled decentralized peer-to-peer detection system that efficiently identifies malicious traffic across federated clouds.