
DDoS in the IoT: Mirai and other botnets

The Mirai botnet and its variants and imitators are a wake-up call to the industry to better secure Internet of Things devices or risk exposing the Internet infrastructure to increasingly disruptive distributed denial-of-service attacks.
40 COMPUTER PUBLISHED BY THE IEEE COMPUTER SOCIETY 0018-9162/17/$33.00 © 2017 IEEE
CYBERTRUST
The ubiquity and increasing popularity of the Internet of Things (IoT) have made IoT devices a powerful amplifying platform for cyberattacks. Given the recent headline-making severity and frequent recurrence of security incidents involving such devices, they’ve clearly become the new weakest link in the security chain of modern computer networks. IoT devices might be the feeble brother of desktop systems, yet what they lack in computational capabilities they make up for in numbers. Moreover, because they’re constantly connected to the Internet and seemingly permeated with flaws—in many cases the outcome of naive security configurations—they constitute low-hanging fruit for hackers. The large volume, pervasiveness, and high vulnerability of IoT devices have attracted many bad actors, particularly those orchestrating distributed denial-of-service (DDoS) attacks.

“THE FUTURE” IS HERE

A recent prominent example is the Mirai botnet. First identified in August 2016 by the whitehat security research group MalwareMustDie,1 Mirai—Japanese for “the future”—and its many variants and imitators have served as the vehicle for some of the most potent DDoS attacks in history.
Constantinos Kolias, George Mason University
Georgios Kambourakis, University of the Aegean
Angelos Stavrou, George Mason University
Jeffrey Voas, IEEE Fellow
JULY 2017 41
EDITOR JEFFREY VOAS
NIST; j.voas@ieee.org
In September 2016, the website of computer security consultant Brian Krebs was hit with 620 Gbps of traffic, “many orders of magnitude more traffic than is typically needed to knock most sites offline.”2 At about the same time, an even bigger DDoS attack using Mirai malware—peaking at 1.1 Tbps—targeted the French webhost and cloud service provider OVH.3

In the wake of the public release of Mirai’s source code by its creator soon afterward,4 hackers offered Mirai botnets for rent with as many as 400,000 simultaneously connected devices.5 More Mirai attacks followed, notably one in October 2016 against service provider Dyn that took down hundreds of websites—including Twitter, Netflix, Reddit, and GitHub—for several hours.6

Mirai primarily spreads by first infecting devices such as webcams, DVRs, and routers that run some version of BusyBox (busybox.net). It then deduces the administrative credentials of other IoT devices by means of brute force, relying on a small dictionary of potential username–password pairs.

Today, Mirai mutations are generated daily, and the fact that they can continue to proliferate and inflict real damage using the same intrusion methods as the original malware is indicative of IoT device vendors’ chronic neglect in applying even basic security practices.

Surprisingly, IoT botnets have received only sporadic attention from researchers.7,8 If the security community doesn’t respond more quickly and devise novel defenses, however, ever-more sophisticated attacks will become the norm and might disrupt the Internet infrastructure itself.
MIRAI THROUGH THE LOOKING GLASS

Mirai causes a DDoS against a set of target servers by constantly propagating to weakly configured IoT devices.

Main components

A Mirai botnet is comprised of four major components. The bot is the malware that infects devices. Its twofold aim is to propagate the infection to misconfigured devices and to attack a target server as soon as it receives the corresponding command from the person controlling the bot, or botmaster. The command and control (C&C) server provides the botmaster with a centralized management interface to check the botnet’s condition and orchestrate new DDoS attacks. Typically, communication with other parts of the infrastructure is conducted via the anonymous Tor network. The loader facilitates the dissemination of executables targeting different platforms (18 in total, including ARM, MIPS, and x86) by directly communicating with new victims. The report server maintains a database with details about all devices in the botnet. Newly infected ones typically directly communicate with it.

Botnet operation and communication

Initially, Mirai scans random public IP addresses through TCP ports 23 or 2323. Some addresses including those of the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority, General Electric, and Hewlett-Packard are excluded, probably to avoid attracting government attention.9 Figure 1 shows the key steps in botnet operation and communication.

Step 1. The bot engages in a brute-force attack to discover the default credentials of weakly configured IoT devices. There are 62 possible username–password pairs hardcoded in Mirai.

Step 2. Upon discovering the correct credentials and gaining a shell (a command-line or graphical user interface), the bot forwards various device characteristics to the report server through a different port.
[Figure 1 diagram. Components: C&C server, loader, report server, bot, new bot victim, target server. Labeled flows: 1. Brute force; 2. Report; 3. Check status; 4. Infect command; 5. Malicious binary; 6. Attack command; 7. Attack.]
Figure 1. Mirai botnet operation and communication. Mirai causes a distributed denial of service (DDoS) to a set of target servers by constantly propagating to weakly configured Internet of Things (IoT) devices.
Step 3. Via the C&C server, the botmaster frequently checks new prospective target victims as well as the botnet’s current status by communicating with the report server, typically through Tor.

Step 4. After deciding which vulnerable devices to infect, the botmaster issues an infect command in the loader containing all necessary details—for example, IP address and hardware architecture.

Step 5. The loader logs into the target device and instructs it to download and execute the corresponding binary version of the malware, typically via GNU Wget (www.gnu.org/software/wget/manual/wget.html) or the Trivial File Transport Protocol. Interestingly, as soon as the malware is executed it will attempt to protect itself from other malware by shutting down points of intrusion such as Telnet and Secure Shell (SSH) services. At this point, the newly recruited bot instance can communicate with the C&C server to receive attack commands. It does so by resolving a domain name hardcoded in the executable (by default, the value of this entry is cnc.changeme.com in Mirai’s source code) rather than a static IP address. Thus, the botmaster has the luxury of changing his IP address over time without modifying the binary and without extra communication.

Step 6. The botmaster instructs all bot instances to commence an attack against a target server by issuing a simple command through the C&C server with the corresponding parameters such as the type and duration of attack and the IP addresses of the bot instances and target server.

Step 7. The bot instances will start attacking the target server with one of 10 available attack variations such as Generic Routing Encapsulation (GRE), TCP, and HTTP flooding attacks.
Mirai signatures

Compared to other similar malware,10 Mirai doesn’t try to avoid detection. Almost all stages of infection leave a footprint that can be recognized through basic network analysis. Mirai signatures include
• sequentially testing specific credentials in specific ports,
• sending reports that generate distinctive patterns,
• downloading a specific type of binary code,
• exchanging keep-alive messages,
• receiving attack commands that have a specific structure, and
• generating attack traffic with very few random elements.

Figure 2 shows some standard communication patterns between an IoT device that’s already infected but not actively launching any kind of attack and Mirai’s loader component. Although the communication session times vary, the type of messages, their packet sizes, and the sequence of messages form a characteristic pattern indicative of the malware’s infection.
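
The first signature in the list (sequential credential testing on specific ports) and the propagation chain of Steps 1 and 5 can be looked for in ordinary connection and login records. The following Python code is an added example, not code from the article or from Mirai; the log formats, addresses, credential-pair identifiers, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}            # TCP ports the article says Mirai scans
SCAN_WINDOW = timedelta(seconds=60)  # assumed tuning value
SCAN_MIN_TARGETS = 5                 # assumed tuning value
BRUTE_MIN_PAIRS = 4                  # assumed tuning value

# Constructed flow records: time, source, destination, destination port, TCP flag.
FLOW_LOG = """\
2017-07-01T09:58:00 10.0.0.5 10.0.0.50 23 S
2017-07-01T10:00:40 10.0.0.50 198.51.100.11 23 S
2017-07-01T10:00:41 10.0.0.50 198.51.100.12 23 S
2017-07-01T10:00:42 10.0.0.50 198.51.100.13 2323 S
2017-07-01T10:00:43 10.0.0.50 198.51.100.14 23 S
2017-07-01T10:00:44 10.0.0.50 198.51.100.15 23 S
2017-07-01T10:00:45 10.0.0.50 198.51.100.16 23 S
2017-07-01T10:05:00 10.0.0.5 10.0.0.51 23 S
2017-07-01T10:06:00 10.0.0.7 192.0.2.80 443 S
"""

# Constructed Telnet login records: time, source, device, credential-pair id, outcome.
AUTH_LOG = """\
2017-07-01T09:58:05 10.0.0.5 10.0.0.50 p-admin FAIL
2017-07-01T09:58:12 10.0.0.5 10.0.0.50 p-admin2 OK
2017-07-01T10:00:01 203.0.113.9 10.0.0.50 p01 FAIL
2017-07-01T10:00:02 203.0.113.9 10.0.0.50 p02 FAIL
2017-07-01T10:00:03 203.0.113.9 10.0.0.50 p03 FAIL
2017-07-01T10:00:04 203.0.113.9 10.0.0.50 p04 FAIL
2017-07-01T10:00:05 203.0.113.9 10.0.0.50 p05 OK
"""


def parse(text):
    """Split five-field log lines and convert the timestamp; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            parts[0] = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        rows.append(tuple(parts))
    return rows


def find_telnet_scanners(flows):
    """Return {source: (max distinct Telnet targets in one window, scan start time)}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, flag in flows:
        if flag == "S" and dport.isdigit() and int(dport) in TELNET_PORTS:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window, left, best, start = defaultdict(int), 0, 0, None
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > SCAN_WINDOW:  # slide the window forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
            if start is None and len(in_window) >= SCAN_MIN_TARGETS:
                start = events[left][0]  # start of the first window over threshold
        if start is not None:
            hits[src] = (best, start)
    return hits


def find_credential_cycling(auth):
    """Return {(source, device): (distinct failed pairs, time of later login or None)}."""
    state = defaultdict(lambda: {"failed": set(), "login": None})
    for ts, src, dst, pair_id, outcome in sorted(auth):
        rec = state[(src, dst)]
        if outcome == "FAIL":
            rec["failed"].add(pair_id)
        elif (outcome == "OK" and rec["login"] is None
              and len(rec["failed"]) >= BRUTE_MIN_PAIRS):
            rec["login"] = ts
    return {key: (len(rec["failed"]), rec["login"])
            for key, rec in state.items()
            if len(rec["failed"]) >= BRUTE_MIN_PAIRS}


def likely_new_bots(flows, auth):
    """Devices that were brute-forced successfully and then began scanning themselves."""
    scanners = find_telnet_scanners(flows)
    bots = {}
    for (src, dst), (pairs, login) in find_credential_cycling(auth).items():
        if login and dst in scanners and scanners[dst][1] > login:
            bots[dst] = {"brute_forced_by": src, "pairs_tried": pairs,
                         "scan_targets": scanners[dst][0]}
    return bots


if __name__ == "__main__":
    for device, detail in likely_new_bots(parse(FLOW_LOG), parse(AUTH_LOG)).items():
        print(device, detail)
```

The administrator host in the sample data (one mistyped login, two Telnet sessions minutes apart) stays below both thresholds, while the camera that is logged into after four failed pairs and then fans out to six Telnet targets is reported.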
MIRAI VARIANTS

One would have expected the public release of Mirai’s source code, coupled with its relatively noisy network presence, to quickly lead to effective detection and defense mechanisms. However, the opposite occurred: within only two months of the source code’s release, the number of bot instances more than doubled, from 213,000 to 493,000, and a wide range of Mirai variants emerged.11 Even today—nearly a year after Mirai’s appearance—bots continue to exploit the same weak security configurations in the same types of IoT devices.

Although most Mirai infections occur through TCP ports 23 and 2323, Mirai strains identified in November 2016 rely on other TCP ports to commandeer devices—for example, port 7547, which ISPs use to remotely manage customers’ broadband routers. That same month, one such Mirai variant knocked nearly a million Deutsche Telekom subscribers offline.12
[Figure 2 plot. Title: Communication sessions between bot and infrastructure. Axes: packet size (bytes) versus time (s). Legend: SYN; FIN; PSH + ACK (from infrastructure); PSH + ACK (from bot).]
Figure 2. Distinctive communication patterns between an infected IoT device and Mirai’s loader component. SYN (synchronize), FIN (finish), PSH (push), and ACK (acknowledge) are standard TCP packet types.
In February 2017, a Mirai variant launched a 54-hour-long DDoS attack against a US college.13 The following month, yet another novel variant appeared with bitcoin miner functionality, although it’s doubtful that compromising IoT devices would yield significant revenue.14

Active since April 2017, Persirai15 is another IoT botnet that shares Mirai’s code base. Discovered by Trend Micro researchers and named for its likely Iranian origin (the name is a portmanteau of Persian and Mirai), it attempts to access the interface of specific vendors’ webcams through TCP port 81. If successful, it then worms its way into the client’s router through a universal plug and play (UPnP) vulnerability, downloads the malicious binaries, and, after execution, deletes them. Rather than deducing webcam credentials via a brute-force attack, the malware proliferates by exploiting a documented zero-day flaw that lets attackers directly obtain the password file. The DDoS attack armory includes User Datagram Protocol flooding attacks. An estimated 120,000 devices in the wild are vulnerable to Persirai.
OTHER IOT BOTNETS

Following Mirai’s example, other IoT botnets have recently emerged. While relying on the same basic principles, the authors of this malware are exploring increasingly sophisticated mechanisms to make their botnets more powerful than the competition as well as to obfuscate their activity.

The first IoT botnet written in the Lua programming language was reported by MalwareMustDie in late August 2016.16 Most of its army is composed of cable modems with ARM CPUs and using Linux. This malware incorporates sophisticated features such as an encrypted C&C communication channel and customized iptables rules to protect infected devices.

The Hajime botnet, discovered in October 2016 by Rapidity Networks,17 uses a method of infection similar to that of Mirai. However, rather than having a centralized architecture, Hajime relies on fully distributed communications and makes use of the BitTorrent DHT (distributed hash tag) protocol for peer discovery and the uTorrent Transport Protocol for data exchange. Every message is RC4 encrypted and signed using public and private keys. So far, Hajime hasn’t evidenced malicious behavior; in fact, it actually closes potential sources of vulnerabilities in IoT devices that Mirai-like botnets exploit, causing some researchers to speculate that it was created by a whitehat.18 But its true purpose remains a mystery.

A BusyBox-based IoT botnet like Mirai, BrickerBot was unearthed by Radware researchers in April 2017.19 By leveraging SSH service default credentials, misconfigurations, or known vulnerabilities, this malware attempts a permanent denial-of-service (PDoS) attack against IoT devices using various methods that include defacing a device’s firmware, erasing all files from its memory, and reconfiguring network parameters.
LESSONS LEARNED

The dramatic impact of DDoS attacks by Mirai, its variants, and other similar botnets highlights the risks IoT devices pose to the Internet. Currently, even naive approaches can gain control of such devices and create a massive and highly disruptive army of zombie devices. The ease of infection and stability of the generated bot population are alluring factors for any attacker.

There are five main reasons IoT devices are particularly advantageous for creating botnets:
• Constant and unobtrusive operation. Unlike laptop and desktop computers, which have frequent on–off cycles, many IoT devices such as webcams and wireless routers operate 24/7 and in many cases aren’t properly recognized as computing devices.
• Feeble protection. In their rush to penetrate the IoT market, many device vendors neglect security in favor of user-friendliness and usability.
• Poor maintenance. Most IoT devices fall under the setup-and-forget umbrella: after initially setting them up, users and network administrators forget about them unless they stop working properly.
• Considerable attack traffic. Contrary to common belief, IoT devices are powerful enough and well situated to produce DDoS attack traffic comparable to that of modern desktop systems.
• Noninteractive or minimally interactive user interfaces. Because IoT devices tend to require minimum user intervention, infections are more likely to go unnoticed. Even when they’re noticed, there’s no easy way for the user to address them short of replacing the device.
Two years ago we correctly predicted the emergence of IoT-powered DDoS attacks,20 and today increasingly sophisticated Mirai variants and imitators are appearing at an alarming rate. This malware typically runs on multiple platforms and is usually lightweight enough to execute in a tiny amount of RAM. In addition, the infection process is relatively simple, making every vulnerable device a bot candidate even with frequent rebooting. Although most existing IoT malware is easy to profile and detect, newer bots are stealthier.

Much of the responsibility for DDoS attacks often lies with users who practice poor security behaviors and system administrators who fail to deploy adequate safeguards. In the case of IoT botnets, however, it’s device vendors who should assume the responsibility for naively distributing products with weak security, including default credentials and remote access capabilities. IoT vendors are also in a unique position to provide the automated security updates that would address the problem. Solutions that require manual intervention—for example, frequently changing passwords—are unrealistic in the IoT realm, where many devices must be self-regulating. What we need now is the technical means to enforce security best practices in computer networks as well as robust security standards for IoT devices and distributors.
REFERENCES
1. “MMD-0055-2016-Linux/PnScan; ELF Worm That Still Circles Around,” blog, MalwareMustDie, 24 Aug. 2016; blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html.
2. “KrebsOnSecurity Hit with Record DDoS,” blog, KrebsOnSecurity, 16 Sept. 2016; krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos.
3. D. Goodin, “Record-Breaking DDoS Reportedly Delivered by >145K Hacked Cameras,” Ars Technica, 28 Sept. 2016; arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever.
4. J. Gamblin, “Mirai-Source-Code,” GitHub; github.com/jgamblin/Mirai-Source-Code/blob/master/ForumPost.txt.
5. C. Cimpanu, “You Can Now Rent a Mirai Botnet of 400,000 Bots,” BleepingComputer.com, 24 Nov. 2016; www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots.
6. C. Williams, “Today the Web Was Broken by Countless Hacked Devices—Your 60-Second Summary,” The Register, 21 Oct. 2016; www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained.
7. E. Bertino and N. Islam, “Botnets and Internet of Things Security,” Computer, vol. 50, no. 2, 2017, pp. 76–79.
8. K. Angrishi, “Turning Internet of Things (IoT) into Internet of Vulnerabilities (IoV): IoT Botnets,” arXiv preprint, 13 Feb. 2017, arXiv:1702.03681.
9. B. Herzberg, D. Bekerman, and I. Zeifman, “Breaking Down Mirai: An IoT DDoS Botnet Analysis,” blog, Imperva Incapsula, 26 Oct. 2016; www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html.
10. S.S.C. Silva et al., “Botnets: A Survey,” Computer Networks, vol. 57, no. 2, 2013, pp. 378–403.
11. Distributed Denial of Service (DDoS) Threat Report: Q4 2016, threat report 20170222-EN-A4, Nexusguard, 2017; news.nexusguard.com/threat-advisories/q4-2016-ddos-threat-report.
12. “New Mirai Worm Knocks 900K Germans Offline,” blog, KrebsOnSecurity, 16 Nov. 2016; krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline.
13. D. Bekerman, “New Mirai Variant Launches 54 Hour DDoS Attack against US College,” blog, Imperva Incapsula, 29 Mar. 2017; www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html.
14. D. McMillen and M. Alvarez, “Mirai IoT Botnet: Mining for Bitcoins?,” Security Intelligence, 10 Apr. 2017; securityintelligence.com/mirai-iot-botnet-mining-for-bitcoins.
15. T. Yeh, D. Chiu, and K. Lu, “Persirai: New Internet of Things (IoT) Botnet Targets IP Cameras,” blog, TrendLabs, 9 May 2017; blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras.
16. “MMD-0057-2016-Linux/LuaBot-IoT Botnet as Service,” blog, MalwareMustDie, 6 Sept. 2016; blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html.
17. S. Edwards and I. Profetis, “Hajime: Analysis of a Decentralized Internet Worm for IoT Devices,” Rapidity Networks, 16 Oct. 2016; security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf.
18. P. Muncaster, “Mirai-Busting Hajime Worm Could Be Work of White Hat,” Infosecurity Mag., 20 Apr. 2017; www.infosecurity-magazine.com/news/mirai-busting-hajime-worm-could.
19. “‘BrickerBot’ Results in PDoS Attack,” Radware, 5 Apr. 2017; security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service.
20. C. Kolias, A. Stavrou, and J. Voas, “Securely Making ‘Things’ Right,” Computer, vol. 48, no. 9, 2015, pp. 84–88.
CONSTANTINOS KOLIAS is a research assistant professor in the Department of Computer Science at George Mason University as well as lead engineer for the first IoT laboratory at NIST. Contact him at kkolias@gmu.edu.

GEORGIOS KAMBOURAKIS is an associate professor in the Department of Information and Communication Systems Security and director of the Laboratory of Information and Communication Systems Security (Info Sec Lab) at the University of the Aegean. Contact him at gkamb@aegean.gr.

ANGELOS STAVROU is a professor in the Department of Computer Science and director of the Center for Assurance Research and Engineering (CARE) at George Mason University. Contact him at astavrou@gmu.edu.

JEFFREY VOAS is a Fellow of IEEE as well as of the American Association for the Advancement of Science (AAAS) and the Institution of Engineering and Technology (IET). Contact him at j.voas@ieee.org.
Chapter
Agriculture has seen many revolutions since the booming Internet of Things (IoT) was embedded to enable the smart agriculture (SA) scenarios. SA integrates end devices, gateways and clouds to digitalize and automate traditional farming methods. Due to the open deployment and wide range accessibility, SA systems face a new attack surface that may lead to security and privacy concerns. It is expected that the cyber security and data science research communities will set off on constructing advanced technologies to safeguard this critical infrastructure, e.g., data-driven protection and AI-enabled defense. In this work, we set up an SA testbed named SATB that can facilitate SA dataset generation. SATB is designed to be extensible so that it is capable of incorporating sensors (e.g., SenseCAP sensors) and protocols (e.g., LoRaWAN) that are extensively adopted in real-world SA systems. To test the usability of SATB, we use it to create a comprehensive SA network dataset for research use. With SATB, our dataset can capture data that rigorously covers the whole lifecycle of SA scenarios, from the authentication stage to the runtime functioning stage. We design five typical test cases, and SATB can generate network traces based on them. SATB also supports generating attack traces of network reconnaissance and vulnerability scanning. We show the details of our dataset collection process on SATB and conduct a preliminary statistical analysis, to enlighten potential smart use of our testbed. The collected dataset is released online to facilitate related research: https://github.com/UQ-Trust-Lab/2022-SATB.
Keywords: Smart agriculture, LoRaWan, Network, Testbed
Article
Internet of Things (IoT) is the next big evolutionary step in the world of internet. The main intention behind the IoT is to enable safer living and risk mitigation on different levels of life. With the advent of IoT botnets, the view towards IoT devices has changed from enabler of enhanced living into Internet of vulnerabilities for cyber criminals. IoT botnets have exposed two different glaring issues: 1) A large number of IoT devices are accessible over public Internet. 2) Security (if considered at all) is often an afterthought in the architecture of many widespread IoT devices. In this article, we briefly outline the anatomy of the IoT botnets and their basic mode of operations. Some of the major DDoS incidents using IoT botnets in recent times along with the corresponding exploited vulnerabilities will be discussed. We also provide remedies and recommendations to mitigate IoT related cyber risks and briefly illustrate the importance of cyber insurance in the modern connected world.
Article
Recent distributed denial-of-service attacks demonstrate the high vulnerability of Internet of Things (IoT) systems and devices. Addressing this challenge will require scalable security solutions optimized for the IoT ecosystem.
Article
The Internet of Things (IoT) promises to seamlessly bind the physical world to cyberinfrastructure, but the Internet's insecure design principles could lead to life-threatening consequences. It's time to make security an integral IoT design tenet.
Article
Botnets, which are networks formed by malware-compromised machines, have become a serious threat to the Internet. Such networks have been created to conduct large-scale illegal activities, even jeopardizing the operation of private and public services in several countries around the world. Although research on the topic of botnets is relatively new, it has been the subject of increasing interest in recent years and has spawned a growing number of publications. However, existing studies remain somewhat limited in scope and do not generally include recent research and developments. This paper presents a comprehensive review that broadly discusses the botnet problem, briefly summarizes the previously published studies and supplements these with a wide ranging discussion of recent works and solution proposals spanning the entire botnet research field. This paper also presents and discusses a list of the prominent and persistent research problems that remain open.