IoT Botnet Detection Based on the Behaviors of DNS Queries

Published: 01 Jan 2022, Last Modified: 07 May 2025 | DSC 2022 | CC BY-SA 4.0
Abstract: In recent years, botnet attacks targeting the Internet of Things (IoT) have been regarded as the attacks with the most extensive impact on internet infrastructure, and many well-known enterprises and organizations have become victims. An IoT botnet uses a large number of connected devices to attack a target; for example, infected devices can be used to launch DDoS attacks against selected (critical) network servers. Before the infected hosts can receive any commands, they must resolve the IP address of the command-and-control server, so much of an IoT botnet's behavior and information is hidden in DNS traffic. Considering this, we use features extracted from DNS queries to analyze whether a device has been infected by an IoT botnet. We found that an infected device issues its DNS queries at a specific, periodic time frequency. Based on these features, a novel IoT botnet detection scheme is presented in this manuscript. Compared with other works, the proposed scheme significantly reduces the computation cost by applying Shannon's entropy and the variances among the DNS queries.
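As an added illustration of the abstract's idea (this is not the paper's code; the log format, the thresholds, and the choice to take Shannon's entropy over the queried names and the variance over inter-query gaps are assumptions), the following Python scores per-device DNS query logs and flags devices whose queries are both periodic and confined to few names:

```python
import math
import statistics
from collections import Counter

# Constructed sample log, one query per line: "<seconds> <device> <queried_name>".
# cam-01 beacons to one name roughly every 60 s; tv-02 browses irregularly.
SAMPLE_LOG = """\
0 cam-01 c2-placeholder.example
60 cam-01 c2-placeholder.example
121 cam-01 c2-placeholder.example
180 cam-01 c2-placeholder.example
240 cam-01 c2-placeholder.example
301 cam-01 c2-placeholder.example
5 tv-02 cdn.example
47 tv-02 update.example
98 tv-02 news.example
260 tv-02 cdn.example
263 tv-02 ads.example
410 tv-02 video.example
"""

def parse_log(text):
    """Group (timestamp, queried_name) pairs by device, preserving log order."""
    per_device = {}
    for line in text.splitlines():
        ts, device, name = line.split()
        per_device.setdefault(device, []).append((float(ts), name))
    return per_device

def name_entropy(names):
    """Shannon entropy (bits) of the distribution of queried names; 0 if one name."""
    counts = Counter(names)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def interval_variance(timestamps):
    """Population variance of gaps between consecutive queries (low => periodic)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return statistics.pvariance(gaps) if len(gaps) >= 2 else float("inf")

def score_devices(text, max_entropy=1.0, max_variance=5.0, min_queries=4):
    """Return {device: (entropy, variance, flagged)}; thresholds are assumed values."""
    result = {}
    for device, events in parse_log(text).items():
        if len(events) < min_queries:      # too few queries to judge periodicity
            continue
        ent = name_entropy([n for _, n in events])
        var = interval_variance([t for t, _ in events])
        result[device] = (ent, var, ent <= max_entropy and var <= max_variance)
    return result
```

Both statistics are cheap running aggregates, which is the computational point the abstract makes; in practice the thresholds would be tuned per device class.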
