Early Detection of Mirai-Like IoT Bots in Large-Scale Networks through Sub-sampled Packet Traffic Analysis

  • Ayush KumarEmail author
  • Teng Joon Lim
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 70)


The widespread adoption of Internet of Things has led to many security issues. Recently, there have been malware attacks on IoT devices, the most prominent one being that of Mirai. IoT devices such as IP cameras, DVRs and routers were compromised by the Mirai malware and later large-scale DDoS attacks were propagated using those infected devices (bots) in October 2016. In this research, we develop a network-based algorithm which can be used to detect IoT bots infected by Mirai or similar malware in large-scale networks (e.g. ISP network). The algorithm particularly targets bots scanning the network for vulnerable devices since the typical scanning phase for botnets lasts for months and the bots can be detected much before they are involved in an actual attack. We analyze the unique signatures of the Mirai malware to identify its presence in an IoT device. Further, to optimize the usage of computational resources, we use a two-dimensional (2D) packet sampling approach, wherein we sample the packets transmitted by IoT devices both across time and across the devices. Leveraging the Mirai signatures identified and the 2D packet sampling approach, a bot detection algorithm is proposed. We use testbed measurements and simulations to study the relationship between bot detection delays and the sampling frequencies for device packets. Subsequently, we derive insights from the obtained results and use them to design our proposed bot detection algorithm. Finally, we discuss the deployment of our bot detection algorithm and the countermeasures which can be taken post detection.


Internet of Things IoT Malware Mirai Botnet Bot Detection 



The authors would like to thank Dr. Liang Zhenkai (SoC, NUS) for helping us with some of the initial ideas used in this paper and Dr. Min Suk Kang (SoC, NUS) for providing comments on our manuscript. We would also like to appreciate the National Cybersecurity R&D Lab, Singapore for allowing us to use their testbed to collect important data which has been used in our work. This research is supported by the National Research Foundation, Prime Minister’s Office, Singapore under its Corporate Laboratory@University Scheme, National University of Singapore, and Singapore Telecommunications Ltd.


  1. 1.
    Al-Fuqaha, A., Guizani, M., Mohammadi, M., Aledhari, M., Ayyash, M.: Internet of things: a survey on enabling technologies, protocols, and applications. IEEE Commun. Surv. Tutorials 17(4), 2347–2376 (2015)CrossRefGoogle Scholar
  2. 2.
    Nordrum, A.: Popular internet of things forecast of 50 billion devices by 2020 is outdated.
  3. 3.
    Frustaci, M., Pace, P., Aloi, G., Fortino, G.: Evaluating critical security issues of the IoT world: present and future challenges. IEEE Internet of Things J. PP(99), 1–1 (2017)Google Scholar
  4. 4.
    Lin, J., Yu, W., Zhang, N., Yang, X., Zhang, H., Zhao, W.: A survey on internet of things: architecture, enabling technologies, security and privacy, and applications. IEEE Internet Things J. 4(5), 1125–1142 (2017)CrossRefGoogle Scholar
  5. 5.
    Yang, Y., Wu, L., Yin, G., Li, L., Zhao, H.: A survey on security and privacy issues in internet-of-things. IEEE Internet of Things J. 4(5), 1250–1258 (2017)CrossRefGoogle Scholar
  6. 6.
    Krebs, B.: Hacked cameras, DVRs powered today’s massive internet outage. (2016)
  7. 7.
    Cimpanu, C.: There’s a 120,000-strong IoT DDoS Botnet lurking around.
  8. 8.
    Constantin, L.: Your Linux-based home router could succumb to a new Telnet worm, Remaiten.
  9. 9.
    Grange, W.: Hajime worm battles Mirai for control of the Internet of Things.
  10. 10.
    Arghire, I.: IoT Botnet used in website hacking attacks.
  11. 11.
  12. 12.
  13. 13.
    Yu, T., Sekar, V., Seshan, S., Agarwal, Y., Xu, C.: Handling a trillion (unfixable) flaws on a billion devices: rethinking network security for the internet-of-things. In: Proceedings of the 14th ACM Workshop on Hot Topics in Networks, HotNets-XIV, pp. 5:1–5:7, New York, NY, USA. ACM (2015)Google Scholar
  14. 14.
    Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M., Kumar, Lever, C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sullivan, N., Thomas, K., Zhou, Y.: Understanding the mirai botnet. In: 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, pp. 1093–1110. USENIX Association (2017)Google Scholar
  15. 15.
    Livadas, C., Walsh, R., Lapsley, D., Strayer, W.T.: Using machine learning techniques to identify Botnet traffic. In: Proceedings. 2006 31st IEEE Conference on Local Computer Networks, pp. 967–974, Nov 2006Google Scholar
  16. 16.
    Gu, G., Porras, P., Yegneswaran, V., Fong, M.: Bothunter: detecting malware infection through ids-driven dialog correlation. In: 16th USENIX Security Symposium (USENIX Security 07), Boston, MA. USENIX Association (2007)Google Scholar
  17. 17.
    Gu, G., Zhang, J., Lee, W.: BotSniffer: detecting Botnet command and control channels in network traffic. In: Network and Distributed System Security Symposium (NDSS) (2008)Google Scholar
  18. 18.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: clustering analysis of network traffic for protocol- and structure-independent Botnet detection. In: Proceedings of the 17th Conference on Security Symposium, SS’08, Berkeley, CA, USA, pp. 139–154. USENIX Association (2008)Google Scholar
  19. 19.
    Zhang, J., Perdisci, R., Lee, W., Luo, X., Sarfraz, U.: Building a scalable system for stealthy P2P-Botnet detection. IEEE Trans. Inf. Forensics Secur. 9(1), 27–38 (2014)CrossRefGoogle Scholar
  20. 20.
    Habibi, J., Midi, D., Mudgerikar, A., Bertino, E.: Heimdall: mitigating the internet of insecure things. IEEE Internet Things J. 4(4), 968–978 (2017)CrossRefGoogle Scholar
  21. 21.
    Pajouh, H.H., Javidan, R., Khayami, R., Ali, D., Choo, K.K.R.: A two-layer dimension reduction and two-tier classification model for anomaly-based intrusion detection in IoT backbone networks. IEEE Trans. Emerg. Topics Comput. PP(99), 1–1 (2016)Google Scholar
  22. 22.
    Meidan, Y., Bohadana, M., Mathov, Y., Mirsky, Y., Breitenbacher, D., Shabtai, A., Elovici, Y.: N-baiot: network-based detection of IoT botnet attacks using deep autoencoders. CoRR, abs/1805.03409 (2018)Google Scholar
  23. 23.
    Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: 2010 IEEE Symposium on Security and Privacy, pp. 305–316 (2010)Google Scholar
  24. 24.
    Gates, C., Taylor, C.: Challenging the anomaly detection paradigm: a provocative discussion. In: Proceedings of the 2006 Workshop on New Security Paradigms, NSPW ’06, New York, NY, USA, pp. 21–29. ACM (2007)Google Scholar
  25. 25.
    Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other Botnets. Computer 50(7), 80–84 (2017)CrossRefGoogle Scholar
  26. 26.
    MySQL: The world’s most popular open source database.
  27. 27.
    Ron Winward: Mirai: Inside of an IoT Botnet. (2017)
  28. 28.
    Bellard, F.: QEMU, a fast and portable dynamic translator. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC ’05, Berkeley, CA, USA, pp. 41–41. USENIX Association. (2005)
  29. 29.
  30. 30.
  31. 31.
    Postel, J., Reynolds, J.: Telnet protocol specification. (1983)
  32. 32.
    Google Cloud: Overview of Internet of Things.
  33. 33.
    Wireshark: Network protocol analyzer.
  34. 34.
    Statista: Installed base of IoT consumer devices by category in the United States in 2017 (in million units). (2018)
  35. 35.
    Wikipedia: Broadband Providers in the United States.
  36. 36.
    Ieee standard for low-rate wireless networks. IEEE Std 802.15.4-2015 (Revision of IEEE Std 802.15.4-2011), pp. 1–709, Apr 2016Google Scholar
  37. 37.
    Foong, A.P., Huff, T.R., Hum, H.H., Patwardhan, J.R., Regnier, G.J.: TCP performance re-visited. In: 2003 IEEE International Symposium on Performance Analysis of Systems and Software. ISPASS 2003, pp. 70–79 (2003)Google Scholar
  38. 38.
    Karp, R.M.: Reducibility among Combinatorial Problems, pp. 85–103. Springer US, Boston, MA (1972)CrossRefGoogle Scholar
  39. 39.
    Meidan, Y., Bohadana, M., Shabtai, A., Guarnizo, J.D., Ochoa, M., Tippenhauer, N.O., Elovici, Y.: Profiliot: a machine learning approach for IoT device identification based on network traffic analysis. In: Proceedings of the Symposium on Applied Computing, SAC ’17, pp. 506–509, New York, NY, USA. ACM (2017)Google Scholar
  40. 40.
    Livingood, J., Mody, N., O’Reirdan, M.: Recommendations for the remediation of bots in ISP networks.
  41. 41.
    Kumar, A.: Software Repository for Mirai-Like IoT Malware Detection Algorithm.
  42. 42.
    Zheng, C., Xiao, C., Jia, Y.: New IoT/Linux malware targets DVRs, Forms Botnet.
  43. 43.
    Hayashi, K.: Linux worm targeting hidden devices.
  44. 44.

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.National University of SingaporeSingaporeSingapore

Personalised recommendations