SlideShare ist ein Scribd-Unternehmen logo

IoT Malware Detection through Threshold Random Walks

Biagio Botticelli
Biagio Botticelli

Presentation of my Master Thesis Project in Engineering in Computer Science of University of Rome "La Sapienza". The thesis applies the Threshold Random Walk probabilistic algorithm to make an online detection of IoT Malware Families.

Ingenieurwesen
1 von 25
Downloaden Sie, um offline zu lesen
Candidate: Botticelli Biagio Advisor: Prof. Leonardo Querzoni Co-Advisor: Dott. Giuseppe Laurenza Master of Science in Engineering in Computer Science - A.Y. 2016 - 2017 IoT Malware Detection through Threshold Random Walks
Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 2 Internet of Things The Internet of Things describes the vision where objects become part of the Internet: where every object is uniquely identified, and accessible to the network, its position and status known, where services and intelligence are added to this expanded Internet, fusing the digital and physical world into a single one. 6.5 Devices per Person An increased connectivity leads to an exponential increase in the threat surface: more smart technology we add, more likely is to be hacked from the point of view of security.
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 3 Mirai Example: IoT as a weapon 20th September 2016 : KrebsOnSecurity.com targeted by an extremely large and unusual Distributed Denial-of-Service (DDoS) attack of over 660 Gbps of traffic. Innovative Aspect: the attack was performed by using direct traffic generated by a botnet of hacked IoT devices infected by a malware called Mirai. ThingsBot (or Botnet of Things): automated botnet of compromised IoT devices (things). Botmaster Botnet: robot network of hacked machines (or bots), which run malicious code under the remote command and control (C&C) of a botmaster for many malicious activities. IoT as weapon: from Internet of Things to Internet of Threats!
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 3 Mirai Example: IoT as a weapon 20th September 2016 : KrebsOnSecurity.com targeted by an extremely large and unusual Distributed Denial-of-Service (DDoS) attack of over 660 Gbps of traffic. Innovative Aspect: the attack was performed by using direct traffic generated by a botnet of hacked IoT devices infected by a malware called Mirai. ThingsBot (or Botnet of Things): automated botnet of compromised IoT devices (things). Botmaster Botnet: robot network of hacked machines (or bots), which run malicious code under the remote command and control (C&C) of a botmaster for many malicious activities. IoT as weapon: from Internet of Things to Internet of Threats!
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 4 IoT Malware AidraMirai Tsunami Linux.Hydra Chuck Norris Psyb0t Hajime Linux/IRCTelnet LightAidra RemaintenBASHLITE Predecessor Successor Influenced LEGEND 2008 200920102010 2013 2014 2016 2016 2016 2016 2014
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 5 Related Works • Honeypharm: “the more honeypots there are in different networks , the higher are the chances to capture new malware samples”. Key Concept: Distributed Architecture of low-interaction honeypots • IoTPOT: “the more embedded services are emulated for different CPU architectures, the more information on existing IoT malware can be obtained”. Key Concept: Emulation of embedded services for different architectures • SIPHON: “rather than emulated embedded services, the use of real-existing high interactive vulnerable IoT devices improves results in attracting cyber-criminals”. Key Concept: Real embedded vulnerable IoT devices offered to attackers • Fast Port-scan Detection using SHT: ”the Threshold Random Walk algorithm could be used to effectively detect the reconnaissance phase of network attacks”. Key Concept: Threshold Random Walk applied for Malware Detection
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 6 Problem Statement & Thesis Contributions Problem Statement: devices of the Internet of Things are under constant attack of cyber-criminals since they are typically low secured (or completely unsecure). However, we cannot adopt traditional lines of defense for malware detection due to computational resource constraints. Thesis Contributions: design and implement an online detection Threshold Random Walk- based algorithm which is fast, light and capable to identify attacks even with the low resources of Internet of Things sensors and objects. To get more knowledge of attack techniques performed by IoT malware, a Distributed Architecture of honeypots had been implemented. This architecture should attract modern attack patterns and capture samples of the newest threats from different locations in the world.
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 7 Distributed Honeypot Architecture Automated Procedure: the DIAG VM daily connects to Cowrie instance in New York and to Cowrie-Dumper in Singapore to locally download all the obtained data (logs and malware samples) and to restore the initial honeypot configuration. Cowrie in New York IP: 162.243.211.8 Cowrie-Dumper in Singapore IP: 128.199.204.0 DIAG VM in Rome IP: 192.168.2.197 DIAG Network Results: a total number of 332 970 attacking sessions were collected (~100 Gb of data).
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 8 Distribution of Top 15 Attacking IPs - NY New York Cowrie: 294 943 connections, 53 718 originated by different IPs.
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 9 Distribution of Top 15 Attack IPs - Singapore Singapore Cowrie-Dumper: 50 897 connections, 15 250 originated by different IPs. Observation 2: Only 299 IPs attacked both New York and Singapore honeypot instances. Observation 1: Italy is 18th with 133 IPs.
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 10 Threshold Random Walk η1 η0 η2 time Y1 Y2 Y3 Y4 Y5 Y6 Y7 Y8 Y9 Y10 Λ(Y) WARNING H1 = ATTACK H0 = LEGAL
Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 11 Attack Patterns & Attack Groups • Initial Shell Pattern • Busybox & Busybox Checks • Connectors • Malware Download • Hexadecimal Code • Malware Creation • System Exploration • Kill Processes • Fingerprinting • Suspect Files Dangerousness: the degree of danger of the command is given by the command type, contextualized within the type of interaction that we are considering. Attack Groups: “fast” data structures in which to store attack strings, classified according to their dangerousness.
Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 11 Attack Patterns & Attack Groups • Initial Shell Pattern • Busybox & Busybox Checks • Connectors • Malware Download • Hexadecimal Code • Malware Creation • System Exploration • Kill Processes • Fingerprinting • Suspect Files Dangerousness: the degree of danger of the command is given by the command type, contextualized within the type of interaction that we are considering. Attack Groups: “fast” data structures in which to store attack strings, classified according to their dangerousness. Dangerous Attack Probability: 99% Knowledge Base
Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 11 Attack Patterns & Attack Groups • Initial Shell Pattern • Busybox & Busybox Checks • Connectors • Malware Download • Hexadecimal Code • Malware Creation • System Exploration • Kill Processes • Fingerprinting • Suspect Files Dangerousness: the degree of danger of the command is given by the command type, contextualized within the type of interaction that we are considering. Attack Groups: “fast” data structures in which to store attack strings, classified according to their dangerousness. High Attack Probability: 90% Dangerous Attack Probability: 99% Knowledge Base
Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 11 Attack Patterns & Attack Groups • Initial Shell Pattern • Busybox & Busybox Checks • Connectors • Malware Download • Hexadecimal Code • Malware Creation • System Exploration • Kill Processes • Fingerprinting • Suspect Files Dangerousness: the degree of danger of the command is given by the command type, contextualized within the type of interaction that we are considering. Attack Groups: “fast” data structures in which to store attack strings, classified according to their dangerousness. High Attack Probability: 90% Medium Attack Probability: 70% Dangerous Attack Probability: 99% Knowledge Base
Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 11 Attack Patterns & Attack Groups • Initial Shell Pattern • Busybox & Busybox Checks • Connectors • Malware Download • Hexadecimal Code • Malware Creation • System Exploration • Kill Processes • Fingerprinting • Suspect Files Dangerousness: the degree of danger of the command is given by the command type, contextualized within the type of interaction that we are considering. Attack Groups: “fast” data structures in which to store attack strings, classified according to their dangerousness. High Attack Probability: 90% Medium Attack Probability: 70% Low Attack Probability: 60% Dangerous Attack Probability: 99% Knowledge Base
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 12 TRW as Binary Classification Problem TRW detection is a binary classification problem in which the output is chosen among two hypotheses: • TP - Detection: TRW selects H1, detecting the interaction as an attack and H1 is in fact True. • FP - False Positive - Type I Error: TRW selects H1 (attack) when H0 is in fact True; TRW receives a legitimate interaction as input and it detects the connection as malicious. • FN - False Negative - Type II Error: TRW chooses H0 (legal), but H1 was True; TRW receives a malicious interaction as input and it detects the connection as legitimate. • TN - Nominal: TRW picks H0 when H0 is in fact True. Binary Classification Confusion Matrix
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 13 How does the Threshold Random Walk perform? Is it correctly formulated? Experiment 1: k-Fold Cross Validation Dataset 1: all attacking sessions captured by honeypots between 24th April and 31st October 2017. 270 379 malicious interactions in total. k-Fold Cross Validation: the data is divided into k subsets of the same size. Each one of the k subsets is used once as the validation set and the other k−1 subsets are put together to form the training set. In cases of large imbalance in the dataset, stratified approach folds are created containing approximately the same percentage of samples of each target class as the complete set.
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 14 Experiment 1: Average Metrics Results Standard Deviation
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 15 TRW has very good performances even on potentially unknown attack sessions formed by new attack strings never seen before. Experiment 2: Metrics Results Dataset 2: all “new” attacking sessions captured in the last months of November and December 2017. 125 182 total interactions: equally divided in 62 591 new malicious and 62 591 legal logs. How does the Threshold Random Walk perform in case of “unknown” attacking sessions? How does the algorithm behave in terms of number of commands necessary to carry out the detection?
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 16 Experiment 2: Detection Performances Threshold Random W a l k d e t e c t s a malicious series of commands in ~ 6,44 events on average with a maximum of 9 commands required.
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 17 Experiment 3: Detection vs. Execution Average Length at Detection Dataset 3: all “complete” attacking sessions formed by series of commands that would actually infect a device. 114 226 logs = ~34.305% of 332 970 total interactions Each interaction has the characteristic of having at least one command to sample execution.
IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 18 Conclusions & Future Works Conclusions: experiments proved that Threshold Random Walk outcomes promising results. It’s: • Fast: detection of malicious interactions id performed in early stages of attacking sessions; • Lightweight: no particular computing requirements; • Extensible: upgradeable knowledge base allows to include emerging new attack techniques; • Efficient: TRW makes the correct decision on quite all observed malicious sequences of commands. Future Works: • SSH/Telnet Emulation: create a Telnet/SSH traffic sampling system on a real communication channel. • Automation of KB Creation: design an automated process that integrates into the existing KB new discovered attack strings, without necessarily having to start its creation from scratch. • Architecture Improvement: new honeypot solution could be integrated in the existing architecture. • ELK Framework: ElasticSearch, LogStash and Kibana Data Analytics tool could be integrated into the DIAG VM server to have a visual report of collected data in structured file formats (.json files).
“A secure system is one that does what is supposed to do, and nothing more”. J.B. Ippolito, Native Intelligence, Inc. Any Question?
Biagio Botticelli - botticelli.1212666@studenti.uniroma1.it M.Sc. in Engineering in Computer Science Thank You! “A secure system is one that does what is supposed to do, and nothing more”. J.B. Ippolito, Native Intelligence, Inc. Any Question?

Empfohlen

Application of Machine Learning in Cyber Security
Application of Machine Learning in Cyber SecurityApplication of Machine Learning in Cyber Security
Application of Machine Learning in Cyber SecurityDr. Umesh Rao.Hodeghatta
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rulesn|u - The Open Security Community
 
How is ai important to the future of cyber security
How is ai important to the future of cyber security How is ai important to the future of cyber security
How is ai important to the future of cyber security Robert Smith
 
Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxTikdiPatel
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic toolsSonu Sunaliya
 
robust malware detection for iot devices using deep eigen space learning
robust malware detection for iot devices using deep eigen space learningrobust malware detection for iot devices using deep eigen space learning
robust malware detection for iot devices using deep eigen space learningVenkat Projects
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber securityPranto26
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security PresentationAllan Pratt MBA
 

Empfohlen

Application of Machine Learning in Cyber Security
Application of Machine Learning in Cyber SecurityApplication of Machine Learning in Cyber Security
Application of Machine Learning in Cyber SecurityDr. Umesh Rao.Hodeghatta
 
Introduction to YARA rules
Introduction to YARA rulesIntroduction to YARA rules
Introduction to YARA rulesn|u - The Open Security Community
 
How is ai important to the future of cyber security
How is ai important to the future of cyber security How is ai important to the future of cyber security
How is ai important to the future of cyber security Robert Smith
 
Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxTikdiPatel
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic toolsSonu Sunaliya
 
robust malware detection for iot devices using deep eigen space learning
robust malware detection for iot devices using deep eigen space learningrobust malware detection for iot devices using deep eigen space learning
robust malware detection for iot devices using deep eigen space learningVenkat Projects
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber securityPranto26
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security PresentationAllan Pratt MBA
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Hacking
Hacking Hacking
Hacking Farkhanda Kiran
 
Introduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse EngineeringIntroduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse Engineeringintertelinvestigations
 
Malware Detection Approaches using Data Mining Techniques.pptx
Malware Detection Approaches using Data Mining Techniques.pptxMalware Detection Approaches using Data Mining Techniques.pptx
Malware Detection Approaches using Data Mining Techniques.pptxAlamgir Hossain
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hackingVikram Khanna
 
Cyber security and current trends
Cyber security and current trendsCyber security and current trends
Cyber security and current trendsShreedeep Rayamajhi
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...Edureka!
 
Malware Detection using Machine Learning
Malware Detection using Machine Learning Malware Detection using Machine Learning
Malware Detection using Machine Learning Cysinfo Cyber Security Community
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hackingsamprada123
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingGoutham Shetty
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Cyber security and AI
Cyber security and AICyber security and AI
Cyber security and AIDexterJanPineda
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaEdureka!
 
Cyber Security Challenges and Emerging Trends
Cyber Security Challenges and Emerging TrendsCyber Security Challenges and Emerging Trends
Cyber Security Challenges and Emerging Trendsijtsrd
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Ethical Hacking Powerpoint
Ethical Hacking PowerpointEthical Hacking Powerpoint
Ethical Hacking PowerpointRen Tuazon
 
Detecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsDetecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsFarjad Noor
 
Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Nicholas Davis
 

Weitere ähnliche Inhalte

Was ist angesagt?

Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Introduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse EngineeringIntroduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse Engineeringintertelinvestigations
 
Malware Detection Approaches using Data Mining Techniques.pptx
Malware Detection Approaches using Data Mining Techniques.pptxMalware Detection Approaches using Data Mining Techniques.pptx
Malware Detection Approaches using Data Mining Techniques.pptxAlamgir Hossain
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hackingVikram Khanna
 
Cyber security and current trends
Cyber security and current trendsCyber security and current trends
Cyber security and current trendsShreedeep Rayamajhi
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...Edureka!
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hackingsamprada123
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaEdureka!
 
Cyber Security Challenges and Emerging Trends
Cyber Security Challenges and Emerging TrendsCyber Security Challenges and Emerging Trends
Cyber Security Challenges and Emerging Trendsijtsrd
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
Ethical Hacking Powerpoint
Ethical Hacking PowerpointEthical Hacking Powerpoint
Ethical Hacking PowerpointRen Tuazon
 

Was ist angesagt? (20)

Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
Hacking
Hacking Hacking
Hacking
 
Introduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse EngineeringIntroduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse Engineering
 
Malware Detection Approaches using Data Mining Techniques.pptx
Malware Detection Approaches using Data Mining Techniques.pptxMalware Detection Approaches using Data Mining Techniques.pptx
Malware Detection Approaches using Data Mining Techniques.pptx
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
 
Introduction to ethical hacking
Introduction to ethical hackingIntroduction to ethical hacking
Introduction to ethical hacking
 
Cyber security and current trends
Cyber security and current trendsCyber security and current trends
Cyber security and current trends
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
 
Malware Detection using Machine Learning
Malware Detection using Machine Learning Malware Detection using Machine Learning
Malware Detection using Machine Learning
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hacking
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Cyber security and AI
Cyber security and AICyber security and AI
Cyber security and AI
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
 
Cyber Security Challenges and Emerging Trends
Cyber Security Challenges and Emerging TrendsCyber Security Challenges and Emerging Trends
Cyber Security Challenges and Emerging Trends
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering Stage
 
Ethical Hacking Powerpoint
Ethical Hacking PowerpointEthical Hacking Powerpoint
Ethical Hacking Powerpoint
 

Ähnlich wie IoT Malware Detection through Threshold Random Walks

Detecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsDetecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsFarjad Noor
 
Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Nicholas Davis
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesPierluigi Paganini
 
Honeypots and honeynets
Honeypots and honeynetsHoneypots and honeynets
Honeypots and honeynetsRasool Irfan
 
Combating cyber security through forensic investigation tools
Combating cyber security through forensic investigation toolsCombating cyber security through forensic investigation tools
Combating cyber security through forensic investigation toolsVenkata Sreeram
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?EC-Council
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516Yasser Mohammed
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnetsAcad
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsInvincea, Inc.
 
Discovery of Compromised Machines
Discovery of Compromised MachinesDiscovery of Compromised Machines
Discovery of Compromised MachinesAnton Chuvakin
 
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]Security Session
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The BotmasterIJERA Editor
 
A Cognitive Approach for Botnet Detection in the Cloud Using Artificial Immun...
A Cognitive Approach for Botnet Detection in the Cloud Using Artificial Immun...A Cognitive Approach for Botnet Detection in the Cloud Using Artificial Immun...
A Cognitive Approach for Botnet Detection in the Cloud Using Artificial Immun...Victor Kebande
 
Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown AlienVault
 

Ähnlich wie IoT Malware Detection through Threshold Random Walks (20)

Detecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsDetecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT Botnets
 
Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy
 
Botnets
BotnetsBotnets
Botnets
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issues
 
Honeypots and honeynets
Honeypots and honeynetsHoneypots and honeynets
Honeypots and honeynets
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Malicious malware breaches - eScan
Malicious malware breaches - eScanMalicious malware breaches - eScan
Malicious malware breaches - eScan
 
Combating cyber security through forensic investigation tools
Combating cyber security through forensic investigation toolsCombating cyber security through forensic investigation tools
Combating cyber security through forensic investigation tools
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnets
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day Threats
 
Discovery of Compromised Machines
Discovery of Compromised MachinesDiscovery of Compromised Machines
Discovery of Compromised Machines
 
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The Botmaster
 
BOTNET
BOTNETBOTNET
BOTNET
 
A Cognitive Approach for Botnet Detection in the Cloud Using Artificial Immun...
A Cognitive Approach for Botnet Detection in the Cloud Using Artificial Immun...A Cognitive Approach for Botnet Detection in the Cloud Using Artificial Immun...
A Cognitive Approach for Botnet Detection in the Cloud Using Artificial Immun...
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown Spice world 2014 hacker smackdown
Spice world 2014 hacker smackdown
 
Cyber Security Terms
Cyber Security TermsCyber Security Terms
Cyber Security Terms
 

Mehr von Biagio Botticelli

Control of Communication and Energy Networks Final Project - Service Function...
Control of Communication and Energy Networks Final Project - Service Function...Control of Communication and Energy Networks Final Project - Service Function...
Control of Communication and Energy Networks Final Project - Service Function...Biagio Botticelli
 
System and Enterprise Security Project - Penetration Testing
System and Enterprise Security Project - Penetration TestingSystem and Enterprise Security Project - Penetration Testing
System and Enterprise Security Project - Penetration TestingBiagio Botticelli
 
Web Information Retrieval - Homework 1
Web Information Retrieval - Homework 1Web Information Retrieval - Homework 1
Web Information Retrieval - Homework 1Biagio Botticelli
 
IoT Honeypots: State of the Art
IoT Honeypots: State of the ArtIoT Honeypots: State of the Art
IoT Honeypots: State of the ArtBiagio Botticelli
 
State of the Art: IoT Honeypots
State of the Art: IoT HoneypotsState of the Art: IoT Honeypots
State of the Art: IoT HoneypotsBiagio Botticelli
 
Anonymity in the web based on routing protocols
Anonymity in the web based on routing protocolsAnonymity in the web based on routing protocols
Anonymity in the web based on routing protocolsBiagio Botticelli
 
Anonymity in the Web based on Routing Protocols
Anonymity in the Web based on Routing ProtocolsAnonymity in the Web based on Routing Protocols
Anonymity in the Web based on Routing ProtocolsBiagio Botticelli
 
Blockchain for IoT - Smart Home
Blockchain for IoT - Smart HomeBlockchain for IoT - Smart Home
Blockchain for IoT - Smart HomeBiagio Botticelli
 
Smart Team Tracking Project: Group Tracking
Smart Team Tracking Project: Group Tracking Smart Team Tracking Project: Group Tracking
Smart Team Tracking Project: Group Tracking Biagio Botticelli
 
Adafruit Huzzah Esp8266 WiFi Board
Adafruit Huzzah Esp8266 WiFi BoardAdafruit Huzzah Esp8266 WiFi Board
Adafruit Huzzah Esp8266 WiFi BoardBiagio Botticelli
 

Mehr von Biagio Botticelli (10)

Control of Communication and Energy Networks Final Project - Service Function...
Control of Communication and Energy Networks Final Project - Service Function...Control of Communication and Energy Networks Final Project - Service Function...
Control of Communication and Energy Networks Final Project - Service Function...
 
System and Enterprise Security Project - Penetration Testing
System and Enterprise Security Project - Penetration TestingSystem and Enterprise Security Project - Penetration Testing
System and Enterprise Security Project - Penetration Testing
 
Web Information Retrieval - Homework 1
Web Information Retrieval - Homework 1Web Information Retrieval - Homework 1
Web Information Retrieval - Homework 1
 
IoT Honeypots: State of the Art
IoT Honeypots: State of the ArtIoT Honeypots: State of the Art
IoT Honeypots: State of the Art
 
State of the Art: IoT Honeypots
State of the Art: IoT HoneypotsState of the Art: IoT Honeypots
State of the Art: IoT Honeypots
 
Anonymity in the web based on routing protocols
Anonymity in the web based on routing protocolsAnonymity in the web based on routing protocols
Anonymity in the web based on routing protocols
 
Anonymity in the Web based on Routing Protocols
Anonymity in the Web based on Routing ProtocolsAnonymity in the Web based on Routing Protocols
Anonymity in the Web based on Routing Protocols
 
Blockchain for IoT - Smart Home
Blockchain for IoT - Smart HomeBlockchain for IoT - Smart Home
Blockchain for IoT - Smart Home
 
Smart Team Tracking Project: Group Tracking
Smart Team Tracking Project: Group Tracking Smart Team Tracking Project: Group Tracking
Smart Team Tracking Project: Group Tracking
 
Adafruit Huzzah Esp8266 WiFi Board
Adafruit Huzzah Esp8266 WiFi BoardAdafruit Huzzah Esp8266 WiFi Board
Adafruit Huzzah Esp8266 WiFi Board
 

Kürzlich hochgeladen

University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfIntze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfSuman Jyoti
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01KreezheaRecto
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Christo Ananth
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxfenichawla
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 

Kürzlich hochgeladen (20)

NFPA 5000 2024 standard .
NFPA 5000 2024 standard .NFPA 5000 2024 standard .
NFPA 5000 2024 standard .
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfIntze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 

IoT Malware Detection through Threshold Random Walks

  • 1. Candidate: Botticelli Biagio Advisor: Prof. Leonardo Querzoni Co-Advisor: Dott. Giuseppe Laurenza Master of Science in Engineering in Computer Science - A.Y. 2016 - 2017 IoT Malware Detection through Threshold Random Walks
  • 2. Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 2 Internet of Things The Internet of Things describes the vision where objects become part of the Internet: where every object is uniquely identified, and accessible to the network, its position and status known, where services and intelligence are added to this expanded Internet, fusing the digital and physical world into a single one. 6.5 Devices per Person An increased connectivity leads to an exponential increase in the threat surface: more smart technology we add, more likely is to be hacked from the point of view of security.
  • 3. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 3 Mirai Example: IoT as a weapon 20th September 2016 : KrebsOnSecurity.com targeted by an extremely large and unusual Distributed Denial-of-Service (DDoS) attack of over 660 Gbps of traffic. Innovative Aspect: the attack was performed by using direct traffic generated by a botnet of hacked IoT devices infected by a malware called Mirai. ThingsBot (or Botnet of Things): automated botnet of compromised IoT devices (things). Botmaster Botnet: robot network of hacked machines (or bots), which run malicious code under the remote command and control (C&C) of a botmaster for many malicious activities. IoT as weapon: from Internet of Things to Internet of Threats!
  • 4. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 3 Mirai Example: IoT as a weapon 20th September 2016 : KrebsOnSecurity.com targeted by an extremely large and unusual Distributed Denial-of-Service (DDoS) attack of over 660 Gbps of traffic. Innovative Aspect: the attack was performed by using direct traffic generated by a botnet of hacked IoT devices infected by a malware called Mirai. ThingsBot (or Botnet of Things): automated botnet of compromised IoT devices (things). Botmaster Botnet: robot network of hacked machines (or bots), which run malicious code under the remote command and control (C&C) of a botmaster for many malicious activities. IoT as weapon: from Internet of Things to Internet of Threats!
  • 5. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 4 IoT Malware AidraMirai Tsunami Linux.Hydra Chuck Norris Psyb0t Hajime Linux/IRCTelnet LightAidra RemaintenBASHLITE Predecessor Successor Influenced LEGEND 2008 200920102010 2013 2014 2016 2016 2016 2016 2014
  • 6. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 5 Related Works • Honeypharm: “the more honeypots there are in different networks , the higher are the chances to capture new malware samples”. Key Concept: Distributed Architecture of low-interaction honeypots • IoTPOT: “the more embedded services are emulated for different CPU architectures, the more information on existing IoT malware can be obtained”. Key Concept: Emulation of embedded services for different architectures • SIPHON: “rather than emulated embedded services, the use of real-existing high interactive vulnerable IoT devices improves results in attracting cyber-criminals”. Key Concept: Real embedded vulnerable IoT devices offered to attackers • Fast Port-scan Detection using SHT: ”the Threshold Random Walk algorithm could be used to effectively detect the reconnaissance phase of network attacks”. Key Concept: Threshold Random Walk applied for Malware Detection
  • 7. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 6 Problem Statement & Thesis Contributions Problem Statement: devices of the Internet of Things are under constant attack of cyber-criminals since they are typically low secured (or completely unsecure). However, we cannot adopt traditional lines of defense for malware detection due to computational resource constraints. Thesis Contributions: design and implement an online detection Threshold Random Walk- based algorithm which is fast, light and capable to identify attacks even with the low resources of Internet of Things sensors and objects. To get more knowledge of attack techniques performed by IoT malware, a Distributed Architecture of honeypots had been implemented. This architecture should attract modern attack patterns and capture samples of the newest threats from different locations in the world.
  • 8. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 7 Distributed Honeypot Architecture Automated Procedure: the DIAG VM daily connects to Cowrie instance in New York and to Cowrie-Dumper in Singapore to locally download all the obtained data (logs and malware samples) and to restore the initial honeypot configuration. Cowrie in New York IP: 162.243.211.8 Cowrie-Dumper in Singapore IP: 128.199.204.0 DIAG VM in Rome IP: 192.168.2.197 DIAG Network Results: a total number of 332 970 attacking sessions were collected (~100 Gb of data).
  • 9. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 8 Distribution of Top 15 Attacking IPs - NY New York Cowrie: 294 943 connections, 53 718 originated by different IPs.
  • 10. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 9 Distribution of Top 15 Attack IPs - Singapore Singapore Cowrie-Dumper: 50 897 connections, 15 250 originated by different IPs. Observation 2: Only 299 IPs attacked both New York and Singapore honeypot instances. Observation 1: Italy is 18th with 133 IPs.
  • 11. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 10 Threshold Random Walk η1 η0 η2 time Y1 Y2 Y3 Y4 Y5 Y6 Y7 Y8 Y9 Y10 Λ(Y) WARNING H1 = ATTACK H0 = LEGAL
  • 12. Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 11 Attack Patterns & Attack Groups • Initial Shell Pattern • Busybox & Busybox Checks • Connectors • Malware Download • Hexadecimal Code • Malware Creation • System Exploration • Kill Processes • Fingerprinting • Suspect Files Dangerousness: the degree of danger of the command is given by the command type, contextualized within the type of interaction that we are considering. Attack Groups: “fast” data structures in which to store attack strings, classified according to their dangerousness.
  • 13. Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 11 Attack Patterns & Attack Groups • Initial Shell Pattern • Busybox & Busybox Checks • Connectors • Malware Download • Hexadecimal Code • Malware Creation • System Exploration • Kill Processes • Fingerprinting • Suspect Files Dangerousness: the degree of danger of the command is given by the command type, contextualized within the type of interaction that we are considering. Attack Groups: “fast” data structures in which to store attack strings, classified according to their dangerousness. Dangerous Attack Probability: 99% Knowledge Base
  • 14. Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 11 Attack Patterns & Attack Groups • Initial Shell Pattern • Busybox & Busybox Checks • Connectors • Malware Download • Hexadecimal Code • Malware Creation • System Exploration • Kill Processes • Fingerprinting • Suspect Files Dangerousness: the degree of danger of the command is given by the command type, contextualized within the type of interaction that we are considering. Attack Groups: “fast” data structures in which to store attack strings, classified according to their dangerousness. High Attack Probability: 90% Dangerous Attack Probability: 99% Knowledge Base
  • 15. Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 11 Attack Patterns & Attack Groups • Initial Shell Pattern • Busybox & Busybox Checks • Connectors • Malware Download • Hexadecimal Code • Malware Creation • System Exploration • Kill Processes • Fingerprinting • Suspect Files Dangerousness: the degree of danger of the command is given by the command type, contextualized within the type of interaction that we are considering. Attack Groups: “fast” data structures in which to store attack strings, classified according to their dangerousness. High Attack Probability: 90% Medium Attack Probability: 70% Dangerous Attack Probability: 99% Knowledge Base
  • 16. Anonymity in the Web based on Routing ProtocolsIoT Malware detection through Threshold Random Walks 11 Attack Patterns & Attack Groups • Initial Shell Pattern • Busybox & Busybox Checks • Connectors • Malware Download • Hexadecimal Code • Malware Creation • System Exploration • Kill Processes • Fingerprinting • Suspect Files Dangerousness: the degree of danger of the command is given by the command type, contextualized within the type of interaction that we are considering. Attack Groups: “fast” data structures in which to store attack strings, classified according to their dangerousness. High Attack Probability: 90% Medium Attack Probability: 70% Low Attack Probability: 60% Dangerous Attack Probability: 99% Knowledge Base
  • 17. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 12 TRW as Binary Classification Problem TRW detection is a binary classification problem in which the output is chosen among two hypotheses: • TP - Detection: TRW selects H1, detecting the interaction as an attack and H1 is in fact True. • FP - False Positive - Type I Error: TRW selects H1 (attack) when H0 is in fact True; TRW receives a legitimate interaction as input and it detects the connection as malicious. • FN - False Negative - Type II Error: TRW chooses H0 (legal), but H1 was True; TRW receives a malicious interaction as input and it detects the connection as legitimate. • TN - Nominal: TRW picks H0 when H0 is in fact True. Binary Classification Confusion Matrix
  • 18. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 13 How does the Threshold Random Walk perform? Is it correctly formulated? Experiment 1: k-Fold Cross Validation Dataset 1: all attacking sessions captured by honeypots between 24th April and 31st October 2017. 270 379 malicious interactions in total. k-Fold Cross Validation: the data is divided into k subsets of the same size. Each one of the k subsets is used once as the validation set and the other k−1 subsets are put together to form the training set. In cases of large imbalance in the dataset, stratified approach folds are created containing approximately the same percentage of samples of each target class as the complete set.
  • 19. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 14 Experiment 1: Average Metrics Results Standard Deviation
  • 20. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 15 TRW has very good performances even on potentially unknown attack sessions formed by new attack strings never seen before. Experiment 2: Metrics Results Dataset 2: all “new” attacking sessions captured in the last months of November and December 2017. 125 182 total interactions: equally divided in 62 591 new malicious and 62 591 legal logs. How does the Threshold Random Walk perform in case of “unknown” attacking sessions? How does the algorithm behave in terms of number of commands necessary to carry out the detection?
  • 21. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 16 Experiment 2: Detection Performances Threshold Random W a l k d e t e c t s a malicious series of commands in ~ 6,44 events on average with a maximum of 9 commands required.
  • 22. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 17 Experiment 3: Detection vs. Execution Average Length at Detection Dataset 3: all “complete” attacking sessions formed by series of commands that would actually infect a device. 114 226 logs = ~34.305% of 332 970 total interactions Each interaction has the characteristic of having at least one command to sample execution.
  • 23. IoT Honeypots: State of the ArtIoT Malware detection through Threshold Random Walks 18 Conclusions & Future Works Conclusions: experiments proved that Threshold Random Walk outcomes promising results. It’s: • Fast: detection of malicious interactions id performed in early stages of attacking sessions; • Lightweight: no particular computing requirements; • Extensible: upgradeable knowledge base allows to include emerging new attack techniques; • Efficient: TRW makes the correct decision on quite all observed malicious sequences of commands. Future Works: • SSH/Telnet Emulation: create a Telnet/SSH traffic sampling system on a real communication channel. • Automation of KB Creation: design an automated process that integrates into the existing KB new discovered attack strings, without necessarily having to start its creation from scratch. • Architecture Improvement: new honeypot solution could be integrated in the existing architecture. • ELK Framework: ElasticSearch, LogStash and Kibana Data Analytics tool could be integrated into the DIAG VM server to have a visual report of collected data in structured file formats (.json files).
  • 24. “A secure system is one that does what is supposed to do, and nothing more”. J.B. Ippolito, Native Intelligence, Inc. Any Question?
  • 25. Biagio Botticelli - botticelli.1212666@studenti.uniroma1.it M.Sc. in Engineering in Computer Science Thank You! “A secure system is one that does what is supposed to do, and nothing more”. J.B. Ippolito, Native Intelligence, Inc. Any Question?