Publication detail
POLIAKOV, D.; HYNEK, K.; ČEJKA, T.; KOLÁŘ, D.
Original title
BOTA: Explainable IoT Malware Detection in Large Networks
Type
journal article in Web of Science, Jimp
Language
English
Original abstract
Explainability and alert reasoning are essential but often neglected properties of intrusion detection systems. The lack of explainability reduces security personnel's trust, limiting the overall impact of alerts. This article proposes the botnet analysis (BOTA) system, which uses the concepts of weak indicators and heterogeneous meta-classifiers to maintain accuracy compared with state-of-the-art systems while also providing explainable results that are easy to understand. To evaluate the proposed system, we have implemented a demonstration of intrusion weak-indication detectors, each working on a different principle to ensure robustness. We tested the architecture with various real-world and lab-created data sets, and it correctly identified 94.3% of infected Internet of Things (IoT) devices without false positives. Furthermore, the implementation is designed to work on top of extended bidirectional flow data, making it deployable on large 100-Gb/s large-scale networks at the level of Internet Service Providers. Thus, a single instance of BOTA can protect millions of devices connected to end-users' local networks and significantly reduce the threat arising from powerful IoT botnets.
Keywords
detection, explainability, Internet of Things (IoT), malware, network monitoring, network security, weak indicators
Authors
POLIAKOV, D.; HYNEK, K.; ČEJKA, T.; KOLÁŘ, D.
Published
15 May 2023
Publisher
Institute of Electrical and Electronics Engineers
Place
Piscataway
ISSN
2327-4662
Journal
IEEE Internet of Things Journal
Volume
10
Issue
Country
United States of America
Pages from
8416
Pages to
8431
Number of pages
15
URL
https://ieeexplore.ieee.org/document/9983820
BibTeX
@article{BUT185208,
  author="Daniel {Poliakov} and Karel {Hynek} and Tomáš {Čejka} and Dušan {Kolář}",
  title="BOTA: Explainable IoT Malware Detection in Large Networks",
  journal="IEEE Internet of Things Journal",
  year="2023",
  volume="10",
  number="10",
  pages="8416--8431",
  doi="10.1109/JIOT.2022.3228816",
  issn="2327-4662",
  url="https://ieeexplore.ieee.org/document/9983820"
}