<p>Internet of things (IoT) devices are widely exploited by botnets and other cyberattacks to carry out various malicious activities. Traditional detection methods focus on specific device types or attack patterns and have limited coverage. In this paper, we propose a novel detection model for compromised IoT devices based on heterogeneous information networks (HINs), which can detect compromised IoT devices across different device types and attack scenarios. The model takes full advantage of the structural and semantic information in IoT SIM card logs, modeling IoT device communication as a HIN that includes different types of entities such as IoT devices, URLs, IPs, and domain names. We design meta-paths based on factors such as overlapping communication IPs, URL similarity, and reuse of network infrastructure to quantify the similarity between IoT devices. Using the similarity matrix of IoT devices and a small fraction of labeled data, we apply a label propagation algorithm to detect compromised IoT devices. We thoroughly evaluate and validate the model using a manually constructed dataset and raw data from a real-world network, demonstrating the effectiveness of our approach to real-world data. Experimental results show that, based on 30% labeled data, our method achieves an F1 score of 0.9481 on the manually constructed dataset, and an accuracy of 0.9935 on the real-world dataset.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

HIoT: heterogeneous information network based compromised IoT device detection

  • Meng Luo,
  • Jianrong Zhang,
  • Kai Zhou,
  • Xinyan Wang,
  • Cheng Yu,
  • Baojiang Cui,
  • Xinjing Yuan

摘要

Internet of things (IoT) devices are widely exploited by botnets and other cyberattacks to carry out various malicious activities. Traditional detection methods focus on specific device types or attack patterns and have limited coverage. In this paper, we propose a novel detection model for compromised IoT devices based on heterogeneous information networks (HINs), which can detect compromised IoT devices across different device types and attack scenarios. The model takes full advantage of the structural and semantic information in IoT SIM card logs, modeling IoT device communication as a HIN that includes different types of entities such as IoT devices, URLs, IPs, and domain names. We design meta-paths based on factors such as overlapping communication IPs, URL similarity, and reuse of network infrastructure to quantify the similarity between IoT devices. Using the similarity matrix of IoT devices and a small fraction of labeled data, we apply a label propagation algorithm to detect compromised IoT devices. We thoroughly evaluate and validate the model using a manually constructed dataset and raw data from a real-world network, demonstrating the effectiveness of our approach to real-world data. Experimental results show that, based on 30% labeled data, our method achieves an F1 score of 0.9481 on the manually constructed dataset, and an accuracy of 0.9935 on the real-world dataset.