Cite this article:
  • Zhou Zhimo, Zou Futai, Jiang Kaida, Kang Xuebin. FC-Bot: A Lightweight IoT Botnet Detection Method Based on Flow Point Clustering [J]. Journal of Cyber Security, accepted.

FC-Bot: A Lightweight IoT Botnet Detection Method Based on Flow Point Clustering
Zhou Zhimo1, Zou Futai1, Jiang Kaida1, Kang Xuebin2
(1. Shanghai Jiao Tong University; 2. Shenzhen Antiy Network Security Technology Co., Ltd.)
Abstract:
With the arrival of the Internet of Things (IoT) era, IoT devices have grown rapidly, but this growth has also created favourable conditions for IoT attacks. Among these, botnets are an attack form of extremely high threat and destructive power, so an efficient IoT botnet detection scheme is urgently needed. However, the enormous volume of real-time traffic poses a major challenge to detection. This paper therefore proposes FC-Bot, a lightweight IoT botnet detection method based on flow point aggregation, which achieves lightweight detection while preserving privacy. FC-Bot introduces a novel flow aggregation module that converts network flows into transactions with the help of the HDBSCAN algorithm, so that IoT botnets can be detected from a higher-dimensional perspective. First, flow data is pre-grouped by source IP address and destination IP address; the flows in each group are then cut into flow points by time window, and the HDBSCAN algorithm aggregates these flow points into transactions. In this way we effectively solve the problem of aligning flow data in time and raise the aggregated behaviour to a collective level, so that normal traffic and botnet traffic can be distinguished from the perspective of transactions. Finally, we extract feature fingerprints of the transactions, convert them into fingerprint images, and use a convolutional neural network for detection and classification. In evaluation experiments on a collection of public datasets, FC-Bot achieves an F1 value of 95.04%, demonstrating the effectiveness of the scheme. Compared with four state-of-the-art detection schemes, FC-Bot has a false positive rate of only 3.06%, an improvement of up to 4.30%, which is a clear advantage. In addition, in evaluation experiments in a real-world scenario, FC-Bot also achieves an F1 value of 92.59%, providing a lightweight and effective detection scheme for IoT botnets.
Keywords: Internet of Things; botnet; lightweight; flow aggregation; feature fingerprint
Received: 2023-03-21; Revised: 2023-05-29
Funding: National Basic Research Program of China (973 Program)
FC-Bot: A Lightweight IoT Botnet Detection Method Based on Flow Point Clustering
Zhou Zhimo1, Zou Futai1, Jiang Kaida1, Kang Xuebin2
(1. Shanghai Jiao Tong University; 2. Shenzhen Antiy Network Security Technology Co., Ltd.)
Abstract:
With the advent of the Internet of Things (IoT) era, IoT devices have proliferated rapidly. This growth, however, has also created fertile ground for IoT attacks. Among them, botnets pose a significant risk because of their high threat level and destructive potential, so an efficient detection solution for IoT botnets is needed. The immense volume of real-time traffic, however, presents a major challenge to detection. We therefore propose FC-Bot, a lightweight IoT botnet detection method based on flow point aggregation, which achieves lightweight detection while also preserving privacy. FC-Bot introduces a novel flow aggregation module that transforms network flows into transactions using the HDBSCAN algorithm, enabling IoT botnets to be detected from a higher-dimensional perspective. First, flow data is pre-grouped by source and destination IP address, and each group is divided into flow points according to a time window. These flow points are then aggregated into transactions with the HDBSCAN algorithm. This approach addresses the time-synchronization problem of flow data and raises the aggregated behavior to a collective level, making it possible to separate normal traffic from botnet traffic at the level of transactions. Finally, we extract feature fingerprints from these transactions and convert them into fingerprint images, which a convolutional neural network (CNN) then classifies for detection. In evaluation experiments on publicly available datasets, FC-Bot achieved an F1 value of 95.04%, demonstrating the effectiveness of the proposed solution. Compared with four state-of-the-art detection methods, FC-Bot showed a false alarm rate of only 3.06%, an improvement of up to 4.30%, indicating its superior performance. Additionally, in real-world scenario evaluations, FC-Bot achieved an F1 value of 92.59%, providing a lightweight and effective detection solution for IoT botnets.
Keywords: Internet of Things; botnet; lightweight; flow aggregation; feature fingerprint
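The four-stage flow aggregation pipeline the abstract describes (pre-grouping by IP pair, time-window flow points, clustering the points into transactions, a per-transaction feature fingerprint), as an added illustration that is not the authors' code. It runs on a constructed flow list; the clustering step is a simplified gap-based stand-in for the HDBSCAN the paper uses, and the window size, eps, min_pts and the feature set are assumptions.

```python
from collections import defaultdict

# Constructed sample flows (src_ip, dst_ip, start_time_s, packets), not real traffic:
# the bursts at 0-3 s and 120-123 s should become transactions, the lone flow at 60.5 s noise.
S, D = "10.0.0.5", "198.51.100.7"
FLOWS = [(S, D, 0.2, 3), (S, D, 1.1, 4), (S, D, 2.4, 2), (S, D, 3.0, 5), (S, D, 60.5, 1),
         (S, D, 120.0, 6), (S, D, 121.5, 7), (S, D, 123.0, 6), ("10.0.0.9", "203.0.113.2", 5.0, 10)]

def pregroup(flows):
    """Step 1: pre-group flows by (source IP, destination IP)."""
    groups = defaultdict(list)
    for src, dst, ts, pkts in flows:
        groups[(src, dst)].append((ts, pkts))
    return groups

def to_flow_points(records, window=1.0):
    """Step 2: cut one group's flows into fixed time windows ("flow points");
    returns sorted (window_index, flow_count, packet_sum) tuples."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, pkts in records:
        idx = int(ts // window)
        buckets[idx][0] += 1
        buckets[idx][1] += pkts
    return sorted((i, c, p) for i, (c, p) in buckets.items())

def cluster_points(points, eps=2, min_pts=2):
    """Step 3: aggregate flow points along the time axis into transactions.
    Simplified gap-based stand-in for the paper's HDBSCAN (an assumption): split
    where consecutive window indices differ by more than eps; runs shorter than min_pts are noise."""
    transactions, run = [], []
    for pt in points:
        if run and pt[0] - run[-1][0] > eps:
            if len(run) >= min_pts:
                transactions.append(run)
            run = []
        run.append(pt)
    if len(run) >= min_pts:
        transactions.append(run)
    return transactions

def transaction_features(run):
    """Step 4: an assumed compact feature fingerprint for one transaction."""
    return {"duration": run[-1][0] - run[0][0] + 1, "points": len(run),
            "flows": sum(c for _, c, _ in run), "packets": sum(p for _, _, p in run)}

def fc_bot_aggregate(flows, window=1.0, eps=2, min_pts=2):
    """Whole pipeline: {(src, dst): [fingerprint per transaction]}; an empty list
    means that IP pair's flow points never formed a transaction."""
    return {key: [transaction_features(r) for r in
                  cluster_points(to_flow_points(recs, window), eps, min_pts)]
            for key, recs in pregroup(flows).items()}
```

The fingerprints returned per IP pair are what the paper then renders as images for the CNN; an IP pair with a single isolated flow never forms a transaction and so produces no fingerprint at all.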