Collaborative Life-Cycle-Based Botnet Detection in IoT Using Event Entropy

Abdenacer Nafir, Smaine Mazouzi, Salim Chikhi
Copyright: © 2020 | Pages: 16
DOI: 10.4018/IJOCI.2020100102

Abstract

This paper introduces a collaborative and distributed method for botnet detection in massive networks such as the Internet of Things (IoT) and wide area networks (WAN). The method is model-based and designed as a multi-agent system in which the agents are situated on the IoT devices themselves. Every agent analyzes the entropies of the events it observes, then exchanges its decision with its neighbors in order to establish a global decision on whether a botnet is currently being installed within the network. Decisions spread over the network, where a consensual dominant decision can emerge. Previous similar works required central hosts to compute global decisions, which compromises scalability and makes those solutions unsuited to massive networks such as the IoT. The proposed approach does not require any central control, which allows it to be used in IoT and ad hoc networks. Furthermore, the botnet is detected at the early stage of its life-cycle. Conducted experiments have shown that the proposed approach is well suited to botnet detection in IoT and WAN.
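The abstract describes agents that each compute the entropy of the events they observe, vote locally, and spread their votes to neighbors until a dominant decision emerges without any central host. The following toy simulation, added here as an illustration and not taken from the paper or its authors, shows that flow end to end. The event vocabulary, the ring topology, the "deviation from a baseline entropy" rule for the local vote, the neighborhood-majority update, and all event windows are assumptions constructed for this example; the paper's actual entropy criterion and exchange protocol are not reproduced.

```python
"""Added example, not the authors' code: a toy simulation of the scheme the
abstract describes (agents on devices compute event entropies, vote locally,
and exchange votes with neighbors until a dominant decision emerges).
The event vocabulary, the ring topology, the deviation-from-baseline rule and
the majority update are assumptions of this example, not details of the paper.
"""
from collections import Counter
from math import log2


def shannon_entropy(events):
    """Shannon entropy in bits of the distribution of event types."""
    n = len(events)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(events).values())


def local_decision(events, baseline_entropy, delta):
    """An agent's own verdict (assumed rule): suspicious when the entropy of
    its recent event window drifts more than `delta` bits from its baseline."""
    return abs(shannon_entropy(events) - baseline_entropy) > delta


def ring_neighbors(agent_ids):
    """Assumed topology: each device only talks to its two ring neighbors."""
    k = len(agent_ids)
    return {a: (agent_ids[(i - 1) % k], agent_ids[(i + 1) % k])
            for i, a in enumerate(agent_ids)}


def spread_decisions(local_votes, neighbors, max_rounds=10):
    """Each round every agent adopts the majority vote among itself and its
    neighbors (no central host). Returns (final_votes, rounds_until_stable)."""
    votes = dict(local_votes)
    for r in range(1, max_rounds + 1):
        updated = {}
        for agent, vote in votes.items():
            group = [vote] + [votes[n] for n in neighbors[agent]]
            updated[agent] = sum(group) * 2 > len(group)
        if updated == votes:
            return votes, r - 1
        votes = updated
    return votes, max_rounds


def dominant_decision(votes):
    """Network-wide verdict: the value held by more than half of the agents."""
    return sum(votes.values()) * 2 > len(votes)


# Constructed event windows (not real traffic). Devices A, B and C emit a flood
# of scan events; E shows a one-off burst of a single event kind (an isolated
# anomaly); D, F and G look like the baseline mix.
BASELINE = ["conn", "dns", "http", "conn", "dns", "http", "conn", "http"]
WINDOWS = {
    "A": ["scan"] * 7 + ["conn"],
    "B": ["scan"] * 7 + ["dns"],
    "C": ["scan"] * 7 + ["http"],
    "D": ["conn", "conn", "dns", "http", "http", "conn", "dns", "conn"],
    "E": ["dns"] * 7 + ["conn"],
    "F": ["conn", "dns", "http", "http", "dns", "conn", "dns", "http"],
    "G": ["http", "conn", "dns", "conn", "http", "dns", "http", "conn"],
}


def run_example(delta=0.5):
    """Local votes, votes after neighbor exchange, rounds needed, and verdict."""
    base_h = shannon_entropy(BASELINE)
    local = {a: local_decision(w, base_h, delta) for a, w in WINDOWS.items()}
    final, rounds = spread_decisions(local, ring_neighbors(list(WINDOWS)))
    return local, final, rounds, dominant_decision(final)


if __name__ == "__main__":
    local, final, rounds, verdict = run_example()
    for a in WINDOWS:
        print(a, "local:", local[a], "after spreading:", final[a])
    print("stable after", rounds, "round(s); botnet being installed:", verdict)
```

Running it shows the two effects the abstract relies on: the isolated anomaly on E is outvoted by its neighbors, while the cluster of flooding devices pulls D over, so the suspicious verdict becomes the dominant decision after a single round of exchange, with no agent ever seeing more than its two neighbors' votes.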
Article Preview

Introduction

Since the generalization of internet communications, connected devices have been exposed daily to hundreds of cyber attacks of various kinds (Elrawy et al. 2018, Thonnard et al. 2012). With the emergence of the Internet of Things (IoT), the number of cyber attacks has increased many times over, reaching a peak growth of 600% in 2017 (Gary 2019, Elrawy et al. 2018). One of the most important reasons for this intensive harmful activity is the emergence of a new profile of hackers. Indeed, in recent years attacks have been performed for lucrative reasons (Zargar et al. 2013, Thonnard et al. 2012), which has produced a large community of hackers who build and use botnets, and eventually rent or sell them on the internet.

According to the 2019 report of Edge Scan (Keary 2019), security holes are discovered by the dozen every day, leaving computers and devices in the core of the internet or in the IoT vulnerable and allowing hackers to overcome defense mechanisms and conduct attacks against such systems. Researchers and professionals in the security field are continuously called upon to propose new solutions for new attack schemes, which are now mostly distributed. Typically, Distributed Denial of Service (DDoS) and spamming attacks are performed with a large set of compromised computers, forming a botnet, against a given victim connected to the internet. For most novel network-based intrusions, it is hard to decide, on a single host, whether a given event, such as a port scan, is part of a wider process that consists of attempting to build a network of zombies for future attacks such as DDoS, spamming, and password cracking (Khan et al. 2019, Khoshhalpour and Shahriari 2019, Mohaisen et al. 2019).

To deal with such a problem, several computers and devices interconnected within an ad hoc network can collaborate. These hosts have to exchange security information, in particular information concerning the building of botnets, based on knowledge of the botnet life-cycle. This makes it possible to establish whether a botnet is currently being installed on the network or not.

Because of their distributed nature, botnets are hard to detect, and many works continue to propose new approaches to deal with this issue. Recently, some authors have opted for hybrid methods, where several mechanisms are used and data are gathered from different sites, aiming to enhance detection accuracy and minimize false positives (Almutairi et al. 2020, Wang et al. 2020). Earlier authors classified botnet detection according to where data and events are gathered and how they are analyzed. This aspect splits the proposed systems into host-based (Yu et al. 2012, Masu et al. 2008), network-based (Liu et al. 2008, Gu et al. 2008, Karasaridis et al. 2007, Gu et al. 2007), and machine learning-based (Khan et al. 2019, Zhang et al. 2011, Saad et al. 2011) methods, in addition to hybrid methods, where two or more techniques are combined. Botnet detection methods can also be model-based when they proceed by detecting abnormal behaviors or events. By contrast, other methods proceed by data traffic analysis, mainly using machine-learning techniques, to detect suspicious data patterns.
