Evaluating traditional botnet detection applied to contemporary threats from the internet of things
Edith Cowan University
Doctor of Philosophy
School of Science
The Internet of Things (IoT) is a technological concept in which many low-powered devices are interconnected in order to enhance the services they provide. A botnet is a collection of compromised devices used by a malicious actor to conduct various cyberattacks. Traditional botnets have typically been made up of ordinary computers. Contemporary botnet threats have been seen to infect IoT devices, leveraging their numerosity, constant operation, and insecurity.
This research examined various traditional botnet detection techniques in the literature and aimed to establish their capabilities for IoT-based botnet detection. The research question created and answered in order to achieve this goal was “Can botnet detection techniques designed to detect traditional botnets detect IoT-based botnets?” In particular, three botnet detection techniques were examined: BotMiner, BotProbe, and BotHunter.
Botnet detection techniques were acquired or reconstructed from the literature for a set of experiments. Simulations of both traditional and IoT-based botnets were developed, and datasets of both were acquired, to test the botnet detection techniques. The simulations included novel approaches to representing background and botnet traffic in a contained environment; the results were further validated by experiments on externally acquired datasets.
The findings of the experiments demonstrated that some of the traditional botnet detection techniques are capable of detecting IoT-based bots, but they also appear to exhibit limitations that may impact their usage. BotMiner was able to detect all bots in the experimental environments but produced false positives when faced with aberrant non-bot activities. BotProbe can only operate on IRC-based botnets and failed to detect bots under certain conditions, but it did not produce any false positives. BotHunter was unable to detect any bots present in the simulations and external datasets. The weaknesses of the techniques appear to derive mostly from a particular focus on the IRC protocol and an over-reliance on IDS alert signatures.
The results demonstrate that older botnet detection techniques are capable of detecting contemporary threats but may require further development to produce more accurate and reliable results.
Access to this thesis is embargoed until 10th November 2024.
Woodiss-Field, A. C. (2023). Evaluating traditional botnet detection applied to contemporary threats from the internet of things. Edith Cowan University. https://doi.org/10.25958/5b83-f085