N-BaIoT

The proliferation of IoT devices which can be more easily compromised than desktop computers has led to an increase in the occurrence of IoT-based botnet attacks. In order to mitigate this new threat there is a need to develop new methods for detecting attacks launched from compromised IoT devices and differentiate between hour and millisecond long IoT-based attacks. In this paper we propose and empirically evaluate a novel network-based anomaly detection method which extracts behavior snapshots of the network and uses deep autoencoders to detect anomalous network traffic emanating from compromised IoT devices. To evaluate our method, we infected nine commercial IoT devices in our lab with two of the most widely known IoT-based botnets, Mirai and BASHLITE. Our evaluation results demonstrated our proposed method’s ability to accurately and instantly detect the attacks as they were being launched from the compromised IoT devices which were part of a botnet. 

相较于台式计算机，物联网（IoT）设备更易被攻陷，此类设备的普及与数量激增导致基于物联网的僵尸网络攻击事件愈发频发。为应对这一新型威胁，亟需研发新型检测方法，以识别源自已攻陷物联网设备的攻击，并区分持续时长为小时级与毫秒级的物联网攻击。本文提出并实证评估了一种新颖的基于网络的异常检测方法，该方法通过提取网络行为快照，并利用深度自编码器检测源自已攻陷物联网设备的异常网络流量。为验证所提方法的有效性，我们在实验室环境中利用两款最广为人知的物联网僵尸网络——Mirai与BASHLITE，对九台商用物联网设备实施了攻击感染实验。评估结果表明，当攻击由作为僵尸网络节点的已攻陷物联网设备发起时，所提方法能够精准且即时地检测出此类攻击。