Detecção de Botnets em Dispositivos IoT Utilizando Análise de Consultas DNS com One-class SVM
Resumo
A crescente proliferação de dispositivos IoT expandiu a superfície de ataque para botnets, que se utilizam de Algoritmos de Geração de Domínios (Domain Generation Algorithm - DGA) para uma comunicação evasiva, representando um desafio para a detecção. Propomos uma abordagem que analisa as características léxicas de domínios em consultas DNS com One-class SVM para detecção de atividade maliciosa em dispositivos IoT, permitindo o monitoramento em pontos de concentração da rede sem acesso direto aos dispositivos. Os resultados demonstraram alta eficácia, com acurácia de 99,42%, precisão de 99,99%, recall de 99,42% e taxa de falsos positivos de 5,45%; identificando com 100% de recall 17 das 25 famílias de DGA testadas.
Referências
Angrishi, K. (2017). Turning internet of things (IoT) into internet of vulnerabilities (IoV): IoT botnets. [link].
Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J. A., Invernizzi, L., Kallitsis, M., Kumar, D., Lever, C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sullivan, N., Thomas, K., and Zhou, Y. (2017). Understanding the mirai botnet. In 26th USENIX Security Symposium (USENIX Security 17), pages 1093–1110, Vancouver, BC. USENIX Association.
Barabosch, T., Wichmann, A., Leder, F., and Gerhards-Padilla, E. (2012). Automatic extraction of domain name generation algorithms from current malware.
Bezerra, V. H., da Costa, V. G. T., Junior, S. B., Miani, R. S., and Zarpelão, B. B. (2018). One-class classification to detect botnets in IoT devices. In Anais do XVIII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais, pages 43–56, Porto Alegre, RS, Brasil. SBC.
Cucchiarelli, A., Morbidoni, C., Spalazzi, L., and Baldi, M. (2021). Algorithmically generated malicious domain names detection based on n-grams features. Expert Systems with Applications, 170:114551.
Drichel, A., Meyer, M., and Meyer, U. (2024). Towards robust domain generation algorithm classification. In Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, ASIA CCS ’24, page 2–18. ACM.
Global Research & Analysis Team (2023). Emotet, darkgate, lokibot: crimeware report. [link].
Home Assistant (2018). Home assistant operating system. [link]. Acessado em: 08 de abril de 2025.
Hooshmand, M. K., Huchaiah, M. D., Alzighaibi, A. R., Hashim, H., Atlam, E.-S., and Gad, I. (2024). Robust network anomaly detection using ensemble learning approach and explainable artificial intelligence (xai). Alexandria Engineering Journal, 94:120–130.
Kelley, S. (2001). Dnsmasq. [link]. Acessado em: 09 de abril de 2025.
Krekel, H., Oliveira, B., Pfannschmidt, R., Bruynooghe, F., Laugher, B., and Bruhin, F. (2004). pytest 8.3. [link].
Meidan, Y., Bohadana, M., Mathov, Y., Mirsky, Y., Breitenbacher, D., Shabtai, A., and Elovici, Y. (2018). N-baiot: Network-based detection of IoT botnet attacks using deep autoencoders. CoRR, abs/1805.03409.
Ministério da Defesa (2023). Doutrina militar de defesa cibernética. (MD31-M-07). Acessado em: 10 de abril de 2025.
Măries, , I. C. (2014). pytest-benchmark. [link].
NumPy Developers (2005). Numpy: The fundamental package for scientific computing with python. [link].
Plohmann, D., Yakdan, K., Klatt, M., and Bader, J. (2016). A comprehensive measurement study of domain generating malware. In 25th USENIX Security Symposium (USENIX Security 16).
Python Core Team (2001). Python: A dynamic, open source programming language. Python Software Foundation.
Raspberry Pi Trading Ltd. (2019). Raspberry pi 4 model b datasheet. [link]. Acessado em: 14 de abril de 2025.
Schüppen, S., Teubert, D., Herrmann, P., and Meyer, U. (2018). FANCI : Feature-based automated NXDomain classification and intelligence. In 27th USENIX Security Symposium (USENIX Security 18), pages 1165–1181, Baltimore, MD. USENIX Association.
Schölkopf, B., Platt, J. C., Shawe-Taylor, J., Smola, A. J., and Williamson, R. C. (2001). Estimating the support of a high-dimensional distribution. Neural Computation, 13(7):1443–1471.
scikit-learn Developers (2007). scikit-learn: machine learning in python. [link].
Shulmin, A. (2015). The banking trojan emotet: Detailed analysis. [link].
Skuratovich, S. (2015). Matsnu: A deep dive. [link].
The Pandas Development Team (2008). pandas: powerful python data analysis toolkit. [link].
Varoquaux, G. (2008). Joblib. [link].
Whitmore, A., Agarwal, A., and Da Xu, L. (2015). The internet of things—a survey of topics and trends. Information Systems Frontiers, 17(2):261–274.
Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J. A., Invernizzi, L., Kallitsis, M., Kumar, D., Lever, C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sullivan, N., Thomas, K., and Zhou, Y. (2017). Understanding the mirai botnet. In 26th USENIX Security Symposium (USENIX Security 17), pages 1093–1110, Vancouver, BC. USENIX Association.
Barabosch, T., Wichmann, A., Leder, F., and Gerhards-Padilla, E. (2012). Automatic extraction of domain name generation algorithms from current malware.
Bezerra, V. H., da Costa, V. G. T., Junior, S. B., Miani, R. S., and Zarpelão, B. B. (2018). One-class classification to detect botnets in IoT devices. In Anais do XVIII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais, pages 43–56, Porto Alegre, RS, Brasil. SBC.
Cucchiarelli, A., Morbidoni, C., Spalazzi, L., and Baldi, M. (2021). Algorithmically generated malicious domain names detection based on n-grams features. Expert Systems with Applications, 170:114551.
Drichel, A., Meyer, M., and Meyer, U. (2024). Towards robust domain generation algorithm classification. In Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, ASIA CCS ’24, page 2–18. ACM.
Global Research & Analysis Team (2023). Emotet, darkgate, lokibot: crimeware report. [link].
Home Assistant (2018). Home assistant operating system. [link]. Acessado em: 08 de abril de 2025.
Hooshmand, M. K., Huchaiah, M. D., Alzighaibi, A. R., Hashim, H., Atlam, E.-S., and Gad, I. (2024). Robust network anomaly detection using ensemble learning approach and explainable artificial intelligence (xai). Alexandria Engineering Journal, 94:120–130.
Kelley, S. (2001). Dnsmasq. [link]. Acessado em: 09 de abril de 2025.
Krekel, H., Oliveira, B., Pfannschmidt, R., Bruynooghe, F., Laugher, B., and Bruhin, F. (2004). pytest 8.3. [link].
Meidan, Y., Bohadana, M., Mathov, Y., Mirsky, Y., Breitenbacher, D., Shabtai, A., and Elovici, Y. (2018). N-baiot: Network-based detection of IoT botnet attacks using deep autoencoders. CoRR, abs/1805.03409.
Ministério da Defesa (2023). Doutrina militar de defesa cibernética. (MD31-M-07). Acessado em: 10 de abril de 2025.
Măries, , I. C. (2014). pytest-benchmark. [link].
NumPy Developers (2005). Numpy: The fundamental package for scientific computing with python. [link].
Plohmann, D., Yakdan, K., Klatt, M., and Bader, J. (2016). A comprehensive measurement study of domain generating malware. In 25th USENIX Security Symposium (USENIX Security 16).
Python Core Team (2001). Python: A dynamic, open source programming language. Python Software Foundation.
Raspberry Pi Trading Ltd. (2019). Raspberry pi 4 model b datasheet. [link]. Acessado em: 14 de abril de 2025.
Schüppen, S., Teubert, D., Herrmann, P., and Meyer, U. (2018). FANCI : Feature-based automated NXDomain classification and intelligence. In 27th USENIX Security Symposium (USENIX Security 18), pages 1165–1181, Baltimore, MD. USENIX Association.
Schölkopf, B., Platt, J. C., Shawe-Taylor, J., Smola, A. J., and Williamson, R. C. (2001). Estimating the support of a high-dimensional distribution. Neural Computation, 13(7):1443–1471.
scikit-learn Developers (2007). scikit-learn: machine learning in python. [link].
Shulmin, A. (2015). The banking trojan emotet: Detailed analysis. [link].
Skuratovich, S. (2015). Matsnu: A deep dive. [link].
The Pandas Development Team (2008). pandas: powerful python data analysis toolkit. [link].
Varoquaux, G. (2008). Joblib. [link].
Whitmore, A., Agarwal, A., and Da Xu, L. (2015). The internet of things—a survey of topics and trends. Information Systems Frontiers, 17(2):261–274.
Publicado
01/09/2025
Como Citar
ADJI, Luciano Hanna El; CUNHA, Luís Felipe Ignácio; MACHADO, Raphael Carlos Santos.
Detecção de Botnets em Dispositivos IoT Utilizando Análise de Consultas DNS com One-class SVM. In: SIMPÓSIO BRASILEIRO DE CIBERSEGURANÇA (SBSEG), 25. , 2025, Foz do Iguaçu/PR.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 322-338.
DOI: https://doi.org/10.5753/sbseg.2025.10634.
