
IoT Attack Pattern Inference System Based On Hawkes Multivariate Process Modeling

Posted on: 2022-06-06
Degree: Master
Type: Thesis
Country: China
Candidate: J W Jiang
GTID: 2518306572451144
Subject: Cyberspace security
Abstract/Summary:
With the development of Internet of Things (IoT) technology, IoT devices are more and more widely used in production and daily life. Most IoT devices are constrained by hardware resources and have to sacrifice some security, which usually results in weak passwords, unencrypted communication, weak authentication mechanisms and other weak security configurations. This fragile security allows attackers to discover and control a large number of IoT devices using simple attack scripts, which makes it easy to launch cyber-attacks from IoT devices. By attack type, the attacks initiated by IoT devices can mainly be divided into spam attacks and DDoS (Distributed Denial of Service) attacks. These attacks pose a great threat to normal production and daily life.

In previous studies, the basic hypothesis researchers used to identify botnets was: if a bot is identified as belonging to a certain botnet, the bot will belong to that botnet for the entire observation period. This assumption is basically true for traditional botnets, because forming a traditional botnet often requires a complicated and targeted attack process to take control of a network device as a bot. For IoT devices, however, the assumption no longer applies: the same IoT device can easily be compromised by multiple botnets and execute commands from different botnets in different time periods, which breaks the consistency assumed for traditional botnets. In the IoT world it is common for different botnets to alternately control the same bot. Aiming at IoT botnets (botnets composed of IoT devices), this article proposes a method that can identify the alternating control of IoT devices by different botnets, opening up new ideas for future IoT botnet analysis.

In this article, we first deployed 462 IoT honeypots, which collected 768,742,999 attack events as our dataset. Secondly, we propose a cluster-based data cleaning algorithm that simplifies high-frequency attack events, thereby greatly reducing the burden of large-scale data processing. Then, we propose an algorithm based on the multivariable Hawkes process to identify the control periods of different botnets on the same IoT device. The algorithm uses a sliding-window iteration strategy to match partial similarities between attack activities, so as to identify the alternating control of bot hosts by different botnets. Finally, we applied our algorithm to the collected dataset. The results show that even the same bot host exhibits very inconsistent attack patterns in different time periods, and that these attack patterns can be compared with certain attack patterns of other attacking hosts. The matching of attack patterns within such a period proves that botnets do alternately occupy bots to perform different attacks. Combined with the general background of the current epidemic, our analysis also reveals some links between IoT attacks and the epidemic.
Keywords/Search Tags:Internet of Things, Inference System, Botnet, Attack Pattern, Control Period, Multivariable Hawkes Process