Towards evaluating the effectiveness of botnet detection techniques
Abstract
Botnets are a group of compromised devices taken over and commanded by a malicious actor known as a botmaster. In recent years botnets have targeted Internet of Things (IoT) devices, significantly increasing their ability to cause disruption due to the scale of the IoT. One such IoT-based botnet was Mirai, which compromised over 140,000 devices in 2016 and was able to conduct attacks at speeds over 1 Tbps. The dynamic structure and protocols used in the IoT may potentially render conventional botnet detection techniques described in the literature incapable of exposing compromised devices. This paper discusses part of a larger project where traditional botnet detection techniques are evaluated to demonstrate their capabilities on IoT-based botnets. This paper describes an experiment involving the reconstruction of a traditional botnet detection technique, BotMiner. The experimental parameters were varied in an attempt to exploit potential weaknesses in BotMiner and to start to understand its potential performance against IoT-based botnets. The results indicated that BotMiner was able to detect IoT-based botnets surprisingly well in various small-scale scenarios, but produced false positives in more realistic, scaled-up scenarios involving IoT devices that generated traffic similar to botnet commands.
Document Type
Conference Proceeding
Date of Publication
1-1-2022
Volume
1557 CCIS
Publication Title
International Conference of Ubiquitous Security
Publisher
Springer
School
School of Science
RAS ID
43681
Copyright
subscription content
First Page
292
Last Page
308
Comments
Woodiss-Field, A., Johnstone, M. N., & Haskell-Dowland, P. (2022). Towards evaluating the effectiveness of botnet detection techniques. In International Conference of Ubiquitous Security (pp. 292-308). Springer, Singapore. https://doi.org/10.1007/978-981-19-0468-4_22