Traffic Based Sequential Learning During Botnet Attacks to Identify Compromised IoT Devices
A novel online Compromised Device Identification System (CDIS) is presented to identify IoT devices and/or IP addresses that are compromised by a Botnet attack, within a set of sources and destinations that transmit packets. The method uses specific metrics that are selected for this purpose and whi...
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
IEEE
2022-01-01
|
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/9969594/ |
| _version_ | 1811186295647502336 |
|---|---|
| author | Erol Gelenbe Mert Nakip |
| author_facet | Erol Gelenbe Mert Nakip |
| author_sort | Erol Gelenbe |
| collection | DOAJ |
| description | A novel online Compromised Device Identification System (CDIS) is presented to identify IoT devices and/or IP addresses that are compromised by a Botnet attack, within a set of sources and destinations that transmit packets. The method uses specific metrics that are selected for this purpose and which are easily extracted from network traffic, and trains itself online during normal operation with an Auto-Associative Dense Random Neural Network (AADRNN) using traffic metrics measured as traffic arrives. As it operates, the AADRNN is trained with auto-associative learning only using traffic that it estimates as being benign, without prior collection of different attack data. The experimental evaluation on publicly available Mirai Botnet attack data shows that CDIS achieves high performance with Balanced Accuracy of 97%, despite its low on-line training and execution time. Experimental comparisons show that the AADRNN with sequential (online) auto-associative learning, provides the best performance among six different state-of-the-art machine learning models. Thus CDIS can provide crucial effective information to prevent the spread of Botnet attacks in IoT networks having multiple devices and IP addresses. |
| first_indexed | 2024-04-11T13:44:18Z |
| format | Article |
| id | doaj.art-92e375c0c7da4b65b928a8de391feec4 |
| institution | Directory Open Access Journal |
| issn | 2169-3536 |
| language | English |
| last_indexed | 2024-04-11T13:44:18Z |
| publishDate | 2022-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj.art-92e375c0c7da4b65b928a8de391feec42022-12-22T04:21:09ZengIEEEIEEE Access2169-35362022-01-011012653612654910.1109/ACCESS.2022.32267009969594Traffic Based Sequential Learning During Botnet Attacks to Identify Compromised IoT DevicesErol Gelenbe0https://orcid.org/0000-0001-9688-2201Mert Nakip1https://orcid.org/0000-0002-6723-6494Institute of Theoretical and Applied Informatics, Polish Academy of Sciences (PAN), Gliwice, PolandInstitute of Theoretical and Applied Informatics, Polish Academy of Sciences (PAN), Gliwice, PolandA novel online Compromised Device Identification System (CDIS) is presented to identify IoT devices and/or IP addresses that are compromised by a Botnet attack, within a set of sources and destinations that transmit packets. The method uses specific metrics that are selected for this purpose and which are easily extracted from network traffic, and trains itself online during normal operation with an Auto-Associative Dense Random Neural Network (AADRNN) using traffic metrics measured as traffic arrives. As it operates, the AADRNN is trained with auto-associative learning only using traffic that it estimates as being benign, without prior collection of different attack data. The experimental evaluation on publicly available Mirai Botnet attack data shows that CDIS achieves high performance with Balanced Accuracy of 97%, despite its low on-line training and execution time. Experimental comparisons show that the AADRNN with sequential (online) auto-associative learning, provides the best performance among six different state-of-the-art machine learning models. Thus CDIS can provide crucial effective information to prevent the spread of Botnet attacks in IoT networks having multiple devices and IP addresses.https://ieeexplore.ieee.org/document/9969594/Internet of Things (IoT)compromised device identificationrandom neural networkauto-associative deep random neural networkbotnetsMirai |
| spellingShingle | Erol Gelenbe Mert Nakip Traffic Based Sequential Learning During Botnet Attacks to Identify Compromised IoT Devices IEEE Access Internet of Things (IoT) compromised device identification random neural network auto-associative deep random neural network botnets Mirai |
| title | Traffic Based Sequential Learning During Botnet Attacks to Identify Compromised IoT Devices |
| title_full | Traffic Based Sequential Learning During Botnet Attacks to Identify Compromised IoT Devices |
| title_fullStr | Traffic Based Sequential Learning During Botnet Attacks to Identify Compromised IoT Devices |
| title_full_unstemmed | Traffic Based Sequential Learning During Botnet Attacks to Identify Compromised IoT Devices |
| title_short | Traffic Based Sequential Learning During Botnet Attacks to Identify Compromised IoT Devices |
| title_sort | traffic based sequential learning during botnet attacks to identify compromised iot devices |
| topic | Internet of Things (IoT) compromised device identification random neural network auto-associative deep random neural network botnets Mirai |
| url | https://ieeexplore.ieee.org/document/9969594/ |
| work_keys_str_mv | AT erolgelenbe trafficbasedsequentiallearningduringbotnetattackstoidentifycompromisediotdevices AT mertnakip trafficbasedsequentiallearningduringbotnetattackstoidentifycompromisediotdevices |