
A study of IoT malware activities using association rule learning for darknet sensor data

Special Issue Paper, International Journal of Information Security

Abstract

Along with the proliferation of Internet of Things (IoT) devices, cyberattacks against these devices are on the rise. In this paper, we present a study that applies Association Rule Learning to discover regularities in these attacks from the high-volume stream data collected by a large-scale darknet (a network telescope of unused address space, where every arriving packet is unsolicited). By mining regularities in IoT-related indicators such as destination ports, IP type of service, and TCP window sizes, we were able to discover the activities of attacking hosts associated with well-known classes of malware. As a case study, we report an observation of the attack campaigns before and after the first source code release of the well-known IoT malware Mirai. The experiments show that the proposed scheme is effective and efficient for early detection and tracking of new malware activity on the Internet, and hence suggests a promising approach to automating and accelerating the identification and mitigation of new cyber threats.
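To make the approach concrete, the following is an added example (written for this page, not the paper's own code or data) of Apriori-style association rule learning over darknet packet records. The ten records, the field names (src, dport, tos, win), the support and confidence thresholds, and the host-attribution step are all assumptions chosen for illustration; the real study mines a far larger stream. The point it shows is that items shared by nearly every packet (here tos=0) produce high-support but low-confidence rules in one direction, while the combination of destination port and TCP window size isolates a group of sources behaving alike.

```python
"""Association-rule mining over constructed darknet packet records.

Added illustration of the approach described in the abstract; not the
paper's code or data. Records, field names and thresholds are assumptions.
"""
from collections import Counter
from itertools import combinations

# Constructed sample: one record per TCP SYN that reached a darknet sensor.
RECORDS = [
    {"src": "198.51.100.1",  "dport": 23,   "tos": 0,  "win": 14600},
    {"src": "198.51.100.2",  "dport": 23,   "tos": 0,  "win": 14600},
    {"src": "198.51.100.3",  "dport": 2323, "tos": 0,  "win": 14600},
    {"src": "198.51.100.4",  "dport": 23,   "tos": 0,  "win": 14600},
    {"src": "198.51.100.5",  "dport": 23,   "tos": 0,  "win": 14600},
    {"src": "198.51.100.6",  "dport": 445,  "tos": 0,  "win": 8192},
    {"src": "198.51.100.7",  "dport": 445,  "tos": 0,  "win": 8192},
    {"src": "198.51.100.8",  "dport": 80,   "tos": 16, "win": 29200},
    {"src": "198.51.100.9",  "dport": 22,   "tos": 0,  "win": 29200},
    {"src": "198.51.100.10", "dport": 23,   "tos": 0,  "win": 5840},
]


def to_transaction(rec):
    """Turn a packet record into a set of 'field=value' items. The source
    address is left out on purpose so rules describe behaviour, not hosts."""
    return frozenset(f"{k}={rec[k]}" for k in ("dport", "tos", "win"))


def frequent_itemsets(transactions, min_support):
    """Apriori: grow candidate itemsets one item at a time, keeping only
    those whose support (fraction of transactions containing the whole
    itemset) reaches min_support. Returns {itemset: support}."""
    n = len(transactions)
    support = {}
    level = {frozenset([item]) for t in transactions for item in t}
    k = 1
    while level:
        counts = Counter()
        for t in transactions:
            for cand in level:
                if cand <= t:
                    counts[cand] += 1
        frequent = {c: v / n for c, v in counts.items() if v / n >= min_support}
        support.update(frequent)
        # Join step: merge frequent k-itemsets into (k+1)-candidates and
        # prune any candidate with a non-frequent k-subset.
        items = list(frequent)
        level = set()
        for a, b in combinations(items, 2):
            u = a | b
            if len(u) == k + 1 and all(
                frozenset(s) in frequent for s in combinations(u, k)
            ):
                level.add(u)
        k += 1
    return support


def association_rules(support, min_confidence):
    """Derive rules X -> Y from every frequent itemset of size >= 2.
    confidence(X -> Y) = support(X u Y) / support(X)."""
    rules = []
    for itemset, sup in support.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                cons = itemset - ante
                conf = sup / support[ante]
                if conf >= min_confidence:
                    rules.append((ante, cons, sup, conf))
    return sorted(rules, key=lambda rule: (-rule[3], -rule[2], sorted(rule[0])))


def mine(records, min_support=0.3, min_confidence=0.75):
    """Full pipeline: records -> transactions -> frequent itemsets -> rules."""
    tx = [to_transaction(r) for r in records]
    return association_rules(frequent_itemsets(tx, min_support), min_confidence)


def hosts_matching(records, antecedent, consequent):
    """Attribution step: which sources emit packets satisfying a rule."""
    want = antecedent | consequent
    return sorted({r["src"] for r in records if want <= to_transaction(r)})


if __name__ == "__main__":
    for ante, cons, sup, conf in mine(RECORDS):
        print(f"{sorted(ante)} -> {sorted(cons)}  "
              f"support={sup:.2f} confidence={conf:.2f}")
    print(hosts_matching(RECORDS, frozenset({"dport=23"}), frozenset({"win=14600"})))
```

On this sample, `tos=0 -> dport=23` is rejected (confidence about 0.56) because almost every packet carries tos=0, whereas `dport=23 -> win=14600` and its reverse both pass, and the attribution step returns the four sources that share that profile. In practice the same rules would be re-mined over successive time windows so that a new rule, or a jump in a rule's support, flags a campaign early.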



Funding

This research was funded by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for Scientific Research (B) 16H02874 and the Commissioned Research of National Institute of Information and Communications Technology (NICT), JAPAN. Seiichi Ozawa has received research grants from Daiwa SB Investments ltd., LAPIS Semiconductor Co., Ltd., Mitsubishi Heavy Industries, Ltd., and Fujitsu Laboratories, Ltd.

Author information


Correspondence to Seiichi Ozawa.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.


Cite this article

Ozawa, S., Ban, T., Hashimoto, N. et al. A study of IoT malware activities using association rule learning for darknet sensor data. Int. J. Inf. Secur. 19, 83–92 (2020). https://doi.org/10.1007/s10207-019-00439-w
