ARBA: Anomaly and Reputation Based Approach for Detecting Infected IoT Devices

Authors :
Gilad Rosenthal
Ofir Erets Kdosha
Kobi Cohen
Alon Freund
Avishay Bartik
Aviv Ron
Source :
IEEE Access, Vol 8, Pp 145751-145767 (2020)
Publication Year :
2020
Publisher :
IEEE, 2020.

Abstract

Today, cyber attacks are constantly evolving and changing, which makes them harder to detect. In particular, detecting attacks in large-scale networks is very challenging because it requires high detection rates under real-time resource constraints. In this paper, we focus on detecting infected Internet of Things (IoT) hosts from domain name system (DNS) traffic data. IoT hosts, such as streaming cameras, printers, and air conditioners, are hard to protect, unlike PCs and servers. Enterprises are often unaware of the devices that are connected to their network, their types, makes, and vulnerabilities. Since IoT hosts make use of the DNS protocol, analyzing DNS data can give a broad view of malicious activities, because attackers abuse the DNS protocol and leave fingerprints as part of their attack vector. In this collaborative research between Ben-Gurion University and IBM, we establish a novel algorithm to detect infected IoT hosts in large-scale DNS traffic, named Anomaly and Reputation Based Algorithm (ARBA). Its novelty resides in developing a framework that combines host classification and domain reputation in a real-time production environment. ARBA is highly computationally efficient and meets real-time requirements in terms of run time and computational complexity. In contrast to existing algorithms, it does not require a massive traffic volume for training, which is of significant interest in detecting infected hosts in real time. The research was conducted on real live streaming data from IBM internal network traffic, and confirms the algorithm's strong performance in a real-time production environment.

Details

Language :
English
ISSN :
21693536
Volume :
8
Database :
Directory of Open Access Journals
Journal :
IEEE Access
Publication Type :
Academic Journal
Accession number :
edsdoj.2c9564d22fd94b3a8be76b93651e39cf
Document Type :
article
Full Text :
https://doi.org/10.1109/ACCESS.2020.3014619