Botnet Detection on IoT Devices Using DNS Query Analysis with One-Class SVM
Abstract
The growing proliferation of IoT devices has expanded the attack surface available to botnets, which rely on Domain Generation Algorithms (DGAs) for evasive command-and-control communication, making their detection difficult. We propose an approach that analyzes the lexical characteristics of the domains in DNS queries with a One-Class SVM to detect malicious activity on IoT devices, allowing monitoring at network concentration points without direct access to the devices. The results demonstrated high effectiveness, with an accuracy of 99.42%, precision of 99.99%, recall of 99.42% and a false positive rate of 5.45%, identifying 17 of the 25 tested DGA families with 100% recall.
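The pipeline the abstract describes, as an added example that is not the paper's code: lexical features are extracted from the queried name, a one-class detector is fitted on benign names only (the abstract does not state which class is modeled; modeling benign traffic is the usual reading of one-class detection and is assumed here), and each query in a resolver log whose feature vector falls outside the benign envelope is reported together with the client address, which is what allows detection at a concentration point without touching the device. To keep it dependency-free the paper's One-Class SVM is replaced by a standardized-distance envelope with the same nu semantics; the feature set, the benign allow-list, the DGA-like names and the dnsmasq-style log lines are all constructed for illustration, and the log line format is assumed.

```python
"""Lexical DGA screening of DNS query names with a one-class detector.

Added example, not the paper's code: features are extracted from the queried
name, the detector is fitted on benign names only (assumed to be the modeled
class), and rejected queries are reported per client address. The paper's
One-Class SVM is replaced by a dependency-free standardized-distance envelope.
All domain lists and log lines below are constructed for illustration.
"""
import math
import re
from collections import Counter
from statistics import mean, pstdev

VOWELS = set("aeiou")
# dnsmasq-style query line (assumed format): "... query[A] www.example.com from 192.168.1.10"
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")


def registrable_label(qname):
    """'www.example.com.' -> 'example'. Simplification: the last label is treated
    as the TLD (no public-suffix list), so 'foo.co.uk' would yield 'co'."""
    labels = [part for part in qname.lower().rstrip(".").split(".") if part]
    if not labels:
        return ""
    return labels[-2] if len(labels) >= 2 else labels[0]


def entropy(s):
    """Shannon entropy of the character distribution, in bits."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def features(qname):
    """Six lexical features of the registrable label of a query name."""
    label = registrable_label(qname)
    n = max(len(label), 1)
    letters = [c for c in label if c.isalpha()]
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)  # maximal consonant runs
    return [
        float(len(label)),                                                     # length
        entropy(label),                                                        # character entropy
        sum(c.isdigit() for c in label) / n,                                   # digit ratio
        sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,  # vowel ratio
        float(max((len(r) for r in runs), default=0)),                         # longest consonant run
        len(set(label)) / n,                                                   # distinct-char ratio
    ]


class OneClassEnvelope:
    """One-class detector trained on benign vectors only. Score = largest |z| over
    the features; the threshold is the (1 - nu) quantile of the training scores,
    so nu is the benign fraction we accept flagging (OC-SVM's nu plays the same role)."""

    def __init__(self, nu=0.05):
        self.nu = nu

    def fit(self, vectors):
        cols = list(zip(*vectors))
        self.mu = [mean(c) for c in cols]
        self.sigma = [pstdev(c) or 1.0 for c in cols]  # guard zero-variance features
        scores = sorted(self.score(v) for v in vectors)
        self.threshold = scores[int((1 - self.nu) * (len(scores) - 1))]
        return self

    def score(self, v):
        return max(abs((x - m) / s) for x, m, s in zip(v, self.mu, self.sigma))

    def is_anomalous(self, v):
        return self.score(v) > self.threshold


def scan_log(lines, model):
    """Yield (client_ip, qname, score) for every query the model rejects."""
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:  # replies, cache entries, etc. are skipped
            continue
        qname, client = m.groups()
        v = features(qname)
        if model.is_anomalous(v):
            yield client, qname, round(model.score(v), 2)


# Constructed benign allow-list standing in for the benign training traffic.
BENIGN = ["google.com", "youtube.com", "facebook.com", "amazon.com", "wikipedia.org",
          "github.com", "netflix.com", "spotify.com", "microsoft.com", "apple.com",
          "cloudflare.com", "twitter.com", "reddit.com", "instagram.com", "linkedin.com",
          "mozilla.org", "ubuntu.com", "debian.org", "python.org", "raspberrypi.com"]

# Constructed resolver log: benign lookups, one long benign name, three DGA-like names.
LOG = [
    "Apr  8 12:00:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10",
    "Apr  8 12:00:01 dnsmasq[1234]: reply www.example.com is 198.51.100.7",
    "Apr  8 12:00:02 dnsmasq[1234]: query[AAAA] mail.proton.me from 192.168.1.11",
    "Apr  8 12:00:02 dnsmasq[1234]: query[A] cdn.jsdelivr.net from 192.168.1.11",
    "Apr  8 12:00:03 dnsmasq[1234]: query[A] www.stackoverflow.com from 192.168.1.12",
    "Apr  8 12:00:04 dnsmasq[1234]: query[A] xjqkwvzlptrmnsbgdfhc.com from 192.168.1.23",
    "Apr  8 12:00:04 dnsmasq[1234]: query[A] zkqjxvw.biz from 192.168.1.23",
    "Apr  8 12:00:05 dnsmasq[1234]: query[A] qx7b2n9wk4rz1f.net from 192.168.1.23",
]

MODEL = OneClassEnvelope(nu=0.05).fit([features(d) for d in BENIGN])

if __name__ == "__main__":
    for client, qname, score in scan_log(LOG, MODEL):
        print(f"{client} queried {qname} (score {score}, threshold {MODEL.threshold:.2f})")
```

With scikit-learn available, `OneClassEnvelope` can be swapped for `sklearn.svm.OneClassSVM(kernel="rbf", nu=0.05, gamma="scale")` fitted on the same standardized vectors, where `predict` returns -1 for rejected points. Two caveats carry over to any lexical detector: long legitimate names such as `stackoverflow` are rejected on length alone, which is the kind of error behind a non-trivial false positive rate, so alerts should be gated by an allow-list or by per-device NXDOMAIN volume before anyone acts on them; and dictionary-based DGAs that concatenate real words have benign-looking lexical features and are the families such detectors miss. In production, replace the last-label TLD heuristic with a public-suffix list.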
