Title: Generic signature development for IoT Botnet families
Abstract
As the source code of several IoT botnet families, including Mirai, has been made publicly available, adversaries are rapidly introducing new variants of these families. However, no generic mechanism exists for detecting these emerging variants, so security solution providers cannot effectively identify new IoT botnet variants. In this paper, we perform static code analysis of 17 IoT botnet variants from the Mirai and Qbot families to extract the attacker's perspective, generic behavior, employed technologies and implemented techniques. From this analysis, we identify generic behavioral patterns of IoT botnets and develop generic signatures for their identification. These signatures cover identification on the basis of CPU architectures, bot control commands, bot scanning commands, obfuscation methods, and botnet-specific exploits and attacks. A comparative analysis of the analyzed IoT botnet families is presented. To evaluate the identified signatures, we first tested them on unknown Mirai and Qbot variants and achieved a detection rate of 100% for both families. Secondly, we tested the signatures on other IoT botnet families, IRC-Bot, Perl ShellBot and Trick-Bot, and achieved detection rates of 98%, 96.79% and 98.2% respectively. Further, we present open research challenges in the field of IoT botnet detection. This research will improve the understanding of IoT botnets and pave the way for generic detection and prevention methods.
Year: 2021
DOI: 10.1016/j.fsidi.2021.301224
Venue: Forensic Science International: Digital Investigation
Keywords: Mirai, Qbot, Generic IoT botnet detection, IoT botnet
DocType: Journal
Volume: 38
ISSN: 2666-2817
Citations: 0
PageRank: 0.34
References: 0
Authors: 4
Name                    Order  Citations  PageRank
Syed Ghazanfar Abbas    1      0          1.69
Fabiha Hashmat          2      0          0.34
Ghalib A. Shah          3      0          0.34
Kashif Zafar            4      0          0.68