An Automated and Comprehensive Framework for IoT Botnet Detection and Analysis (IoT-BDA)

The proliferation of insecure Internet-connected devices gave rise to the IoT botnets which can grow very large rapidly and may perform high-impact cyber-attacks. The related studies for tackling IoT botnets are concerned with either capturing or analysing IoT botnet samples, using honeypots and sandboxes, respectively. The lack of integration between the two implies that the samples captured by the honeypots must be manually submitted for analysis, introducing a delay during which a botnet may change its operation. Furthermore, the effectiveness of the proposed sandboxes is limited by the potential use of anti-analysis techniques and the inability to identify features for effective detection and identification of IoT botnets. In this paper, we propose the IoT-BDA framework for automated capturing, analysis, identification, and reporting of IoT botnets. The captured samples are analysed in real-time to identify indicators of compromise and attack, along with anti-analysis, persistence, and anti-forensics techniques. These features can help botnet detection and analysis, as well as infection remedy. The framework reports the findings to a blacklist and abuse service to facilitate botnet suspension. We also describe the discovered anti-honeypot techniques and the measures applied to reduce the risk of honeypot detection. Over the period of seven months, the framework captured, analysed, and reported 4077 unique IoT botnet samples. The analysis results show that IoT botnets may employ persistence, anti-analysis and anti-forensics techniques typical for traditional botnets. The in-depth analysis also discovered IoT botnets using techniques for evading network detection.