The proliferation of insecure Internet-connected devices gave rise to the IoT botnets which can grow very large rapidly and may perform high-impact cyber-attacks. The related studies for tackling IoT botnets are concerned with either capturing or analysing IoT botnet samples, using honeypots and sandboxes, respectively. The lack of integration between the two implies that the samples captured by the honeypots must be manually submitted for analysis, introducing a delay during which a botnet may change its operation. Furthermore, the effectiveness of the proposed sandboxes is limited by the potential use of anti-analysis techniques and the inability to identify features for effective detection and identification of IoT botnets. In this paper, we propose the IoT-BDA framework for automated capturing, analysis, identification, and reporting of IoT botnets. The captured samples are analysed in real-time to identify indicators of compromise and attack, along with anti-analysis, persistence, and anti-forensics techniques. These features can help botnet detection and analysis, as well as infection remedy. The framework reports the findings to a blacklist and abuse service to facilitate botnet suspension. We also describe the discovered anti-honeypot techniques and the measures applied to reduce the risk of honeypot detection. Over the period of seven months, the framework captured, analysed, and reported 4077 unique IoT botnet samples. The analysis results show that IoT botnets may employ persistence, anti-analysis and anti-forensics techniques typical for traditional botnets. The in-depth analysis also discovered IoT botnets using techniques for evading network detection.
翻译:与互联网连接的不安全装置的扩散导致IOT软糖网的扩展,这种软糖网可以迅速增长,并可能进行影响很大的网络攻击。处理IOT软糖网的相关研究涉及分别利用蜂窝和沙箱采集或分析IOT软糖样品。两者之间缺乏整合意味着,蜂窝所采集的样品必须人工提交分析,从而推迟了肉网的操作。此外,由于可能使用反分析技术,而且无法查明有效检测和识别IOT软糖网的特征,因此,拟议的普通深沙箱的效力受到限制。在本文件中,我们建议采用IOT-BDA框架,用于自动采集、分析、识别和报告IOT软糖网的样本。采集的样品必须实时分析,以确定妥协和攻击指标,同时进行反分析、耐久性、耐久性、抗腐蚀性技术。这些特征有助于软糖网的检测和分析,以及感染的补救。框架还报告了黑网检测和滥用的检测结果。我们还报告了对结果的分析,通过黑网检测和检测结果的分析,并报告了在I-VAT的测试中发现和滥用。