Research On Botnet Detection Method For IoT Environment

With the rise and development of Internet of things(IoT)technology,more and more traditional devices have gradually achieved network access,which has brought changes and convenience to people's lifestyle.However,due to the popularity of IoT technology,botnet gradually begin to invade IoT devices and spread in cyberspace.The IoT botnet refers to the collection of IoT devices hijacked by attacker.Under the control of the attcker,the collection consistently shows malicious behaviors such as infection,transmission and attack.Due to the large number of IoT devices and most of them do not adopt strong security protection,the crisis caused by IoT botnet becomes more and more severe.At present,there are many solutions for the detection technology of traditional botnets,but compared with traditional devices,IoT devices show a lack of computing and storage resources and strong heterogeneity of devices,so that the traditional methods are not fully applicable.On the other hand,the activity form of botnet mainly shows collectivity,so that the network communication intention between infected devices inevitably have collectivity similarity.Therefore,based on the traffic communication behavior of infected devices in IoT environment,this paper proposes a detection method for host infected botnet in controlled network.This method takes the communication network flow of IoT devices as the analysis object,builds a flow similarity graph after aggregating the similar network flows of controlled hosts,and uses GCN(Graph Convolutional Networks)to classify the host nodes in the flow similarity graph,and finally realizes the detection purpose.This paper adopts the open source dataset to evaluate the proposed detection method,and achieves a detection rate of 94.1%.Meanwhile,the robustness of the method under two different attack scenarios is analyzed.In order to solve the shortage resources and strong heterogeneity of IoT devices,this work proposes an IoT botnet detection prototype system,in which the terminal system extracts the network flow feature of IoT devices,and the cloud system completes the construction of network flow similarity graph and botnet classification.The MQTT protocol in IoT scenario is used to achieve system decoupling to adopt heterogeneity.