Abstract
Along with the proliferation of Internet of Things (IoT) devices, cyberattacks targeting these devices are on the rise. In this paper, we present a study that applies association rule learning to discover regularities in these attacks from the high-volume stream data collected by a large-scale darknet (a network telescope of unused address space that receives only unsolicited traffic). By mining regularities in IoT-related indicators such as destination ports, the IP type-of-service (ToS) field and TCP window sizes, we discover the activities of attacking hosts associated with well-known classes of malware. As a case study, we report an observation of the attack campaigns before and after the first public release of the source code of the IoT malware Mirai. The experiments show that the proposed scheme is effective and efficient for the early detection and tracking of the activities of new malware on the Internet, and hence suggests a promising approach to automating and accelerating the identification and mitigation of new cyber threats.
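As an added, runnable illustration of the mining step the abstract describes (not the authors' code, and using constructed packet records rather than the paper's darknet data), the following Python implements Apriori frequent-itemset mining and rule generation over per-packet items built from destination port, ToS byte and TCP window size. The sample values, the support threshold of 0.3 and the confidence threshold of 0.8 are assumptions chosen so that one dense scanning campaign stands out against background probes; they do not describe what real Mirai traffic looks like.

```python
"""Association rule mining over darknet sensor records (added example, constructed data)."""
from collections import Counter
from itertools import combinations

# Constructed sample of unsolicited TCP SYNs as a darknet sensor would log them: one record
# per packet carrying the three IoT-related indicators mined in the paper (destination port,
# IP ToS byte, TCP window). Every value here is made up for illustration, not real sensor data.
SAMPLE_PACKETS = (
    [{"dport": 23, "tos": 0x00, "win": 5840}] * 10       # one dense scanning campaign
    + [{"dport": 2323, "tos": 0x00, "win": 5840}] * 2    # same stack, alternate telnet port
    + [{"dport": 22, "tos": 0x10, "win": 65535}] * 2
    + [{"dport": 445, "tos": 0x00, "win": 8192}] * 2
    + [{"dport": 80, "tos": 0x00, "win": 29200}]
    + [{"dport": 3389, "tos": 0x00, "win": 64240}]
    + [{"dport": 23, "tos": 0x10, "win": 65535}]          # telnet probe from a different stack
    + [{"dport": 1433, "tos": 0x00, "win": 8192}]
)


def to_transaction(pkt):
    """Encode one packet as a set of 'field=value' items, the unit Apriori mines over."""
    return frozenset({f"dport={pkt['dport']}", f"tos=0x{pkt['tos']:02x}", f"win={pkt['win']}"})


def frequent_itemsets(transactions, min_support):
    """Apriori: return {itemset: count} for every itemset whose support >= min_support."""
    n = len(transactions)
    threshold = min_support * n
    counts = Counter(frozenset([item]) for t in transactions for item in t)
    current = {s: c for s, c in counts.items() if c >= threshold}
    frequent = dict(current)
    k = 2
    while current:
        # Join step: size-k candidates are unions of two frequent (k-1)-itemsets. Downward
        # closure guarantees every frequent k-itemset is generated this way.
        candidates = {a | b for a, b in combinations(current, 2) if len(a | b) == k}
        counts = Counter(c for t in transactions for c in candidates if c <= t)
        current = {s: c for s, c in counts.items() if c >= threshold}
        frequent.update(current)
        k += 1
    return frequent


def association_rules(frequent, n, min_confidence):
    """Derive X -> Y rules from frequent itemsets as (X, Y, support, confidence, lift)."""
    rules = []
    for itemset, count in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                x = frozenset(ante)
                y = itemset - x
                # Subsets of a frequent itemset are frequent, so frequent[x] and frequent[y] exist.
                confidence = count / frequent[x]
                if confidence >= min_confidence:
                    lift = confidence / (frequent[y] / n)   # >1: Y is over-represented given X
                    rules.append((x, y, count / n, confidence, lift))
    return sorted(rules, key=lambda rule: (-rule[4], -rule[2], sorted(rule[0])))


def mine(packets, min_support=0.3, min_confidence=0.8):
    """Run the full pipeline: packets -> transactions -> frequent itemsets -> rules."""
    transactions = [to_transaction(p) for p in packets]
    frequent = frequent_itemsets(transactions, min_support)
    return frequent, association_rules(frequent, len(transactions), min_confidence)


if __name__ == "__main__":
    frequent, rules = mine(SAMPLE_PACKETS)
    for x, y, sup, conf, lift in rules:
        print(f"{sorted(x)} -> {sorted(y)}  support={sup:.2f} confidence={conf:.2f} lift={lift:.2f}")
```

On the constructed sample the rule `dport=23 -> {tos=0x00, win=5840}` comes out with confidence 10/11 and lift about 1.5: the telnet scanners share one stack fingerprint, while the lone telnet probe with a different ToS and window is what keeps the confidence below 1. In practice the interesting step is running the miner over sliding time windows and watching which rules appear, strengthen or vanish, which is how a new campaign shows up before a signature exists for it.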
Funding
This research was funded by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for Scientific Research (B) 16H02874 and the Commissioned Research of National Institute of Information and Communications Technology (NICT), JAPAN. Seiichi Ozawa has received research grants from Daiwa SB Investments ltd., LAPIS Semiconductor Co., Ltd., Mitsubishi Heavy Industries, Ltd., and Fujitsu Laboratories, Ltd.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Ethical approval
This article does not contain any studies with human participants performed by any of the authors.
Cite this article
Ozawa, S., Ban, T., Hashimoto, N. et al. A study of IoT malware activities using association rule learning for darknet sensor data. Int. J. Inf. Secur. 19, 83–92 (2020). https://doi.org/10.1007/s10207-019-00439-w