-

Technique for IoT Cyberattacks Detection Based on DNS Traffic Analysis

0 Khmelnitsky National University , Khmelnitsky , Ukraine 1 Silesian University of Technology

0000 0002

The dynamic growth of the number of cyberattacks, which perform destructive against the IoT devices, forces the developers of anti-virus software to implement new methods and algorithms for their search and disposal. The existing statistics prove the need of the novel cyberattacks detection approaches development. The paper presents a new technique for IoT cyberattacks detection based on DNS traffic analysis is presented. The method allows detecting IoT botnet cyberattacks. The method has the heuristic and proactive nature. It is based on the gathering of the set of features that may indicate the IoT cyberattacks presence. The mechanism of attack detection system is based on the cyberattacks' features gathering from network and feature vectors construction. As the classification algorithms a semi-supervised fuzzy c-means clustering, SVM and Artificial Immune System classification algorithms were employed.

Internet of Things Cyberattack DNS Network traffic Network Cybersecurity Computer system Host Malicious traffic Attacks Detection

Every year, new types of devices are used in the Internet of Things (IoT) market: home automation, smart cities, medicine, and agriculture. The devices’ firmware is being developed without taking into account the latest cybersecurity requirements [ 1 ] and, many IoT devices manufacturers are striving to make their products as cheap and expedite as possible by simplifying security features [ 2 ].

Despite the small computing power of individual IoT devices, their sheer number, combined into a single malicious bot-managed network, poor security (or even lack thereof) and permanent Internet connection make them a convenient tool for organizing powerful cyberattacks [ 1 ].

Malicious traffic volume generated by IoT botnets is usually much higher than the of botnet’ traffic volume generated from personal computers [ 3 ].

Thus, cyberattacks against the IoT devices are a major important cybersecurity problem because they are difficult to detect, localize and mitigate [ 3 ]. 2

Related work

In [ 4 ] various IoT botnet detection approaches are discussed. In [ 5 ] the Rustock IoT botnet which employs the evasion technique fast-flux to communicate with its bots and command and control (C&C) centers is investigated. For its detection the set of features were analyzed and number of classifiers were used.

In paper [ 6 ] an approach for botnet detecting of the on activity within consumer IoT devices and networks was presented. As a tool of making conclusion the kind of neural network (with the bidirectional long short term memory) was involved. As a tool of the communication detection between attackers the word embedding packets were employed. The proposed technique was compared with other ones, based on the usage of other kinds of neural networks. In order to determine the effectiveness of the detection, the Mirai IoT botnet was used. Experimental results demonstrated that the bidirectional approach increased the detection time, but improved its efficiency.

In [ 7 ] the functioning of the Mirai IoT bontet is presented. It is also demonstrated an approach for its detection using the network analysis.

In [ 8 ] a new behavior-based approach for DDoS detection in IoT network traffic was presented. It describes the specific IoT network’s features, that may indicate the attacks presence in the network.

In [ 9 ] a novel IDS able to detect DNS IoT botnets’ attacks. It is an effective mitigation tool against the attacks performed by the IoT botnets. Technique involves the detection of IoT attacks that employ DNS, HTTP and MQTT protocols. It is based on statistical processing and uses machine such learning algorithms as Artificial Neural Network, Naive Bayes, and decision tree. The experimental cases with usage of the known botnet datasets were presented.

In [ 10 ] a new approach IoT botnet DDoS attack detection which is able to mitigate the cyberattacks is presented. It is an event management-based approach and enables the possibility of the DDoS attack blocking. Approach monitors the network traffic concerning the compromised IoT devices taking into account specific network features.

In [ 11 ] a novel IoT botnet detecting approach based on the usage of the machine learning algorithms is presented. It is able to identify the botnet cyberattacks performed using the infected IoT devices. The detection process involved the “Grey Wolf” algorithm as well as the SVM and demonstrated promising results.

In [ 12 ] the aspects of the IoT cybersecurity concerning the smart cities infrastructure are presented. Furthermore, a new anomaly-based technique for the IoT attacks detection is proposed. It uses the Random Forest algorithms and demonstrated good detection effectively concerning infected IoT devices.

In [ 13 ] a new technique for DDoS detection was presented. It described the infected IoT devices’ network traffic generation. Based on this, a new approach for anomaly detection was produced.

Nevertheless, the mentioned above approaches have common drawbacks: they don’t take into account a set of techniques that may be used by IoT botnets to perform the cyberattacks such as cycling of IP mapping, domain flux, fast flux, and DNS tunneling. In addition, techniques demonstrate low IoT botnets detection efficiency and have high false positives rate. 3

Technique for IoT Cyberattacks Detection Based on DNS Traffic Analysis

DNS is widely used to establish links between IoT botnets’ bots and their command and control centers (C&C) attackers [ 5 ]. It makes it possible to control the IoT botnet anonymously and flexibly. Various complex techniques are used to avoid the C&C servers tracking through DNS: cycling of IP mapping, domain flux, fast flux, and DNS tunneling [ 1, 2, 5 ].

In order to solve this problem, a new technique for IoT cyberattacks detection based on DNS traffic analysis was proposed. It is based on the detection of the IoT botnets’ communication with C&C over DNS protocol, and consists of steps: 1. Gathering of the incoming DNS traffic of the IoT network. 2. Domain names’ "white" and "black" lists checking. 3. DNS traffic features extraction that may indicate the malicious botnets activity in the IoT network. 4. Feature vectors analysis. 5. Localization and blocking of the infected IoT devices.

Let us present the IoT botnets detection process of based on the DNS traffic analysis as a tuple

M BN

=A, C, B, Ψ, Z , L, F , χ T ,ϑ1T ,ϑ2T , ϒT ,ϑ3T ,T , where C = {c j }Nj=C1 - a set of botnet’s elements, N C - the number of botnet’s elements; 3  p NB A = {a j } j=1 - IoT botnet architecture type; B = b   j  j=1 used to manage the IoT botnet, N B - number of network protocols, p ∈ P, P={1.65535} - a set of ports used for the IoT botnet management; Ψ = {ψ } 4 j j=1 - a set of evasion techniques of IoT botnet based on DNS; Z = {z j } Nj=Z1 - a set of IoT devices infected by botnet, N Z - a number of infected IoT devices; L = {l } 5 j j=1 - a set of botnet’s life cycle stages; l1 - infection; l2 - initial registration or connection; l3 - implementation of the malicious activity; l4 - technical support; l5 - termination - a set of network protocols of the botnet; stages l2 - l4 occur with the involvement of DNS; F = {f j }Nj=F1 - the set of bot functions of the IoT botnet, determined by the corresponding botnet’s life cycle stage, N F - the number of bot functions of the botnet IoT; IoT device infection function l1 ⇒ Υ  f1→{hinf hinf ∈ H } , where Y - a set of botnet’s malicious actions, H - a set of infected IoT devices in the network, hinf - an infected IoT device; the connecting function of the infected IoT device to botnet l2 ⇒ Z ∪ {hinf hinf ∈ H }  f2 → Z ′ ; IoT botnet upgrade function to a new version l3 ⇒ z × z′ f3 → z′ ; the set of botnet’s malicious commands l4 ⇒ Z ×{ p p ∈ P}  f4 → Υ , where P - a set of commands that can be executed by bots of the IoT botnet; the deactivation function of the IoT botnet l5 ⇒ Z \ {z z ∈ Z}  f5 → Z ′ ; χT - the set of captured incoming DNS messages addressed to the set of network IoT devices H; ϑ1T - a function of domain names comparison with the "white" and "black" lists; ϑ2T - a function of the feature extraction from incoming DNS traffic, indicating the presence of malicious activity of the IoT botnets; ϒT - a set of IoT botnets’ detecting algorithms based on the DNS traffic analysis; ϑ T 3 - the localization function of infected IoT devices, and blocking the

N bots’ actions; T = {tm}mT=0 - the observation time interval, where NT - the number of iterations of the observation.

Let present the command and control elements of an IoT botnet as C ={cj } Nj=C1 ={D, I , N , E }NC , where D = {d j }Nj=D1 , I = {i j }Nj=I1 - a set of j j=1 domain names and IP addresses of IoT botnet control elements for d; N = {n }NN , j j=1 E = {e j }Nj=E1 - a set of domain names and IP addresses of authority name servers for d ; N D - a number of domain names corresponding to the controlling elements of the IoT botnet; N I - the number of IPs mapped to domain names; N N - the number of domain names of authority name servers; N Е - the number of IP addresses of authority name servers.

Let's present the type of IoT botnet architecture as A = {a j }3j=1 , where a1 - centralized, a2 - distributed, a3 - hybrid.

Let us consider the steps of the method in more detail. 3.1

Gathering the Incoming DNS Traffic of the IoT Network

Let us represent DNS traffic as a tuple χ N = χ , Н , S , D , where χ - the set of DNS messages sent from and to the set IoT network devices H, χ =χ O ∪ χ I , where χO - a set of outcoming DNS messages, χI - a set of incoming DNS messages; S - a set of DNS servers, S =S L ∪ S N , where S L - a set of local DNS servers, S N - a set of non-local DNS servers; D - the set of requested domain names by IoT devices, D = {di}iN=D1 , where N D - number of different domain names.

Let us present a set of IoT devices that have made DNS requests as dND NTTL H =   H j,k , where H j - a subsets of MAC addresses of IoT devices that have j =d1 k =1 sent DNS requests for a specific domain name; H j,k - subsets of MAC addresses of IoT network devices that have sent DNS requests to a specific domain name within a specific TTL period; NTTL - the total number of such subsets; H j,k = {h j,k ,i i=1 }NH , j,k , where h j,k ,i - MAC address of a specific IoT network device; N H , j,k - the number of network IoT devices that have sent DNS requests within a specific TTL period. dND NTTL Let us present the set of captured DNS messages as χ T =   χ j,k , where j=d1 k =1 χ j - subsets of incoming DNS messages for a specific domain name; χ j,k - subsets of incoming DNS messages for a specific domain name captured within a specific TTL period; χ j,k = {χ j,k,i }iN=χ1, j,k , where χ j,k ,i - DNS message captured within a TTL period, Nχ, j,k - the number of DNS messages captured within a TTL period.

Employing the incoming DNS message structure [ 14 ], let us present the captured DNS response for a specific domain name as a tuple χ j,k,i = χ j,k,i,H , χ j,k,i,TS , χ j,k,i,IP , χ j,k,i,HD ,χ j,k,i, ANS ,χ j,k,i, ATH ,χ j,k,i, ADD j =1,..., d dND , k =1,NTTL , i =1,Nχ , j,k , where χ j,k,i,H - MAC address of the IoT device that perform the DNS request; χ - a time stampt of DNS packet; j,k ,i,TS χ j,k,i,IP - DNS packet source IP address; χ j,k,i,HD ,χ j,k,i,ANS ,χ j,k,i,ATH ,χ j,k,i,ADD DNS message sections: Header, Answer, Authority, and Additional respectively.

The DNS message header can be presented as follows: j,k ,i,HD,ID (ID field); χ code; χ

j,k ,i,HD,OPC j,k ,i,HD,QDC , χ

,χ j,k,i,HD j,k,i,HD,ID j,k,i,HD,OPC j,k,i,HD,RC j,k,i,HD,QDC j,k,i,HD, ANC = χ ,χ ,χ ,χ ,χ ,χ j,k,i,HD,NSC j,k,i,HD, ARC , j =1,..., d d ND , k =1,NTTL , i =1,Nχ , j,k , where - an identifier that allows associating a DNS request with DNS response - a request type (OPCODE field); χ j,k ,i,HD,RC - response number of entries in the query section; χ χ χ χ χ j χ χ = (χ   j,k ,i,HD,ANC j,k ,i,HD,NSC j,k ,i,HD,ARC header, nameservers and additional information sections (fields ANCOUNT, NSCOUNT, ARCOUNT), respectively.

The Answer, Authority, and Additional sections have the same format and can be described as a set of the resource records as follows: - the number of resource records in the j,k ,i,S j,k ,i,S ,NM j,k ,i,S ,TP j,k,i,S ,TTL

j,k,i,S ,RDL , χ , χ , χ , χ =1,..., d d ND , k =1,NTTL , i =1,Nχ , j,k , where

S ∈ { " ANS "," ATH "," ADD " } , j,k ,i,S ,NM j,k,i,S ,RDL - NAME field; χ - RDATA field length; χ j,k,i,S ,TP - TYPE field; χ

j,k ,i,S ,TTL j,k,i,S ,RDT - RDATA field value; N RR,S - the number χ of , χ resource

records ,χ j,k,i,HD, ANC j,k,i,HD,NSC j,k,i,HD, ARC in the section for the relevant section).

j,k,i,S ,RDT n n=1

) NRR,S - TTL field; (equal to 3.2

Usage of "white" and "black" Domain Names Lists

In order to detect DNS requests to known domain names of the IoT botnets and to reject legitimate DNS requests, the requested domain names of the IoT devices are compared with "white" and "black" domain names lists. 3.3

IoT malicious traffic extraction

At this stage, the inbound DNS messages are to be analyzed, and the features that may indicate the malicious IoT botnets activity are to be extracted. 4

Let us define a set of IoT botnets evasion techniques as Ψ ={ψ j } j=1 , where ψ1 cycling of IP mapping, ψ 2 – domain flux, ψ 3 - fast flux, ψ 4 - DNS tunneling.

If IoT botnet uses cycling of IP mapping C&C server с ∈ C periodically changes its location, and the domain name d is associated with the C&C server is mapped to the some IP address from the set i ∈ I , d → {i1,..., in} . Botnet’s architecture type is centralized, ψ 1 ⇒ a1 .

Let us define a set of features that indicate the usage cycling of IP mapping technique by IoT botnet as GΨ1 = {tmod ,tmed ,taver , nIP , sIP} , where tmod - tmed taver - TTL-period (mode, median, average respectively ); nIP and sIP - the number of IPs and the average distance between IPs associated with the domain name respectively.

When IoT botnet uses domain flux technique, the C&C server c ∈ C periodically migrates to the new domain names from a list formed using the domain name generation algorithm (DGA). Thus, within specified TTL period a new name d ∈ D may correspond to IP address of the C&C server i ∈ I , {i} → {d1,..., dn} . If the C&C server also changes location, then {i1,..., in} → {d1,..., dm} . Botnet architecture type is centralized, ψ 2 ⇒ a1 .

Let us define a set of features that indicate the use of "domain flux" evasion technique as GΨ2 = {tmod ,tmed ,taver , fs , nD} , where fs - binary sign of success of DNS request; nD - the number of domain names with shared IP addresses.

Within the time interval defined by the TTL DNS period, a single-flux network domain name d, which is used to connect with the infected IoT devices to control elements {c1,..., cn} , is mapped to a new set of IPs. These IPs are changing cyclically d → {i1,..., in} . Also, the IP addresses are geographically distributed by the infected botnet’s nodes that redirect traffic to the control elements {с1,..., сn} :={x|x ∈ Z ∧ x ∈ С} . For the double-flux network the domain name of each authority name server n is matched to a subset of cyclically changing IPs d → {i1,..., in} , n → {e1,..., em} . These IPs are also the IP addresses of the geographically distributed infected botnet’s nodes, i.e. {n1,..., nm} :={x|x ∈ Z ∧ x ∈ N} . As the number of name servers for such botnets is usually more than one, then {n1,..., nm} → {e1,..., en} . Botnet’s architecture type is distributed,ψ 3 ⇒ a2 .

Let us define the set of features that indicate the usage fast-flux technique changing as GΨ3 = {tmod ,tmed ,taver , nA , sA , nUA , sUA} , where nA - the number of Arecords corresponding to the domain name in the incoming DNS message; sA , nUA and sUA - the average distance between IPs, the number of unique IPs and the average distance between unique IPs in multiple A-records corresponding to a domain name in incoming DNS messages respectively.

Attacker uses the DNS tunneling to transmit C&C traffic to a fake DNS server. It enables the possibility of the IoT infected devices to send the encrypted messages to the attacker’s server and receive the commands from him. In this case, the set of domain names D actually is an analogue of the domain names of the C&C server of the IoT botnet. IP address e of the fake DNS server usually stays stable, that is {d1,..., dn} → e . Type of botnet architecture - centralized or hybrid,ψ 4 ⇒ a1 ∨ a3 .

Let us define a set of features of DNS tunneling as GΨ4 = {lN , nU , eN , eR, fUR ,lP} , where lN - a length of the domain name; nU - a number of unique characters in the domain name; eN - a domain name entropy; eR - a maximum entropy value of DNS resource records contained in DNS messages; fUR - a sign of a rare DNS records usage; lP - an average size of DNS messages for a domain name.

Let us define a set of features that can obtained by the usage of the active DNS probing as GΨ = {nNS , sNS , vretry , nASN , nASA} , where nNS - the number of NS records in the DNS response; sNS - the average distance between IPs for multiple NS records for a domain name; vretry - the value of the retry field obtained in the DNS response of the SOA request; nASN - the number of different ASNs for name servers’ IPs; nASA - the number of different ASNs for domain name.

From these features extracted from the incoming DNS traffic, feature vectors are generated for each domain name requested by the network IoT devices: Wd = {tmod , tmed , taver , nIP , sIP , nA , sA , nUA , sUA , lN , nU , eN , eR, fUR , lP , fs , nD } . (1) 3.4

The Feature Vectors Analysis

The feature vectors obtained after the feature gathering and extraction are to be assigned to specified classes. The results of classification are the memberships of the feature vectors to IoT botnet malicious classes or benign class of uninfected IoT devices. The task of classification can be described as a function fclassifier : Wd → ς , where fclassifier - a classification function, ς - IoT botnet malicious class or benign class of uninfected IoT devices. 3.5

Localization and Block of the Infected IoT Devices

Localization and blocking of IoT devices infected with botnets is performed based on the log files analysis that contain lists of domain names requested by IoT devices of the network and MAC addresses of these devices. 4

Experiments

In order to determine the efficiency of the proposed technique a number of experiments were carried out. As the classification algorithms a semi-supervised fuzzy cmeans clustering [ 15-17 ], Support Vector Machine (SVM) [ 18 ], Artificial Immune System (AIS) [ 19 ] classification algorithms were used. For the purpose of training the classifiers 16804 samples of the labeled DNS data of the real modern normal traffic and synthetic contemporary IoT botnet attack traffic of two data set were used: BoTIoT dataset [ 20, 21 ] and the UNSW-NB15 dataset [ 22 ].

In order to compare the effectiveness of the classification algorithms the test samples of IoT malware infections and IoT benign traffic from IoT-23 dataset [ 23 ] were employed. The test data contains 32 415 samples of IoT DNS traffic. 15611 DNS samples of them were the samples of DNS traffic flows of different version’s IoT botnets, in particular such as Mirai, Torii, IoT Trojan, Kenjiro, Okiru, Haji me and other [ 24, 25, 26, 27 ]. Also test data contains 16804 samples of uninfected IoT devices.

Test result of experiments are presented in the Table 1.

Number of Semi-supervised fuzzy c- Support Vector MamaDliNciSous means clustering chine samples

Artificial Immune System Botnet`s name Mirai Linux Mirai Torii IoT Trojan Kenjiro Okiru

IRC Bot Linux Hajime Muhstik

Hide&Seek Total 2308 1795

1386 1762 1822 1080 1521 1162 1284 1491

TP 2195 1709 1318 1674 1694 961 1427 1106 1217 1405

FP 94 74 32 64 35 46 49 47 34 52

TP 2236 1741 1331 1711 1771 1051 1478 1118 1258 1449

FP 52 49 24 29 3 8 32 17 16 26

TP 2213 1691 1321 1676 1729 1036 1427 1112 1226 1430

FP 81 50 34 32 2 12 24 18 15 54 15611

14706/94,2% 527/3,14% 15144/97% 256/1,5% 14861/95,19% 322/1,9%

The experimental results show that usage of the SVM demonstrated better results than the other two methods. The effectiveness of the method involving SVM is in the range of 96,06 to 98,01% with the false positives in the range of 0,015 to 0,31%. Involving of AIS demonstrated effectiveness in the range of 93,8 to 95,9% with the false positives in the range of 0,01 to 0,48%. And the worst results were shown by involving semi-supervised fuzzy c-means clustering - in the range of 89 to 95,2% with false positives in the range of 0,19 to 0,56%.

Conclusion

The new technique for IoT cyberattacks detection based on DNS traffic analysis is presented. The method allows detecting IoT botnet cyberattacks. The method has the heuristic and proactive nature. It is based on the gathering of the set of features that may indicate the IoT cyberattacks presence.

The mechanism of attack detection system is based on the cyberattacks’ features gathering from network and feature vectors construction.

As the classification algorithms a semi-supervised fuzzy c-means clustering, SVM and Artificial Immune System classification algorithms were employed. The proposed method has demonstrated the ability to detect unknown IoT cyberattacks with high efficiency in the range of 96,06 to 98,01% with the false positives in the range of 0,015 to 0,31%.

The further work may be devoted to the development of the techniques that involve machine learning algorithms and new IoT attacks’ features analysis. 6

1. Vignau , B. , Khoury , R. , & Hallé , S. 10 Years of IoT Malware: a Feature-Based Taxonomy . In 2019 IEEE 19th International Conference on Software Quality , Reliability and Security Companion (QRS-C) , pp. 458 - 465 , IEEE ( 2019 ).

2. Murphy , M. The Internet of Things and the threat it poses to DNS . Network Security, 2017 .7, pp. 17 - 19 ( 2017 ).

3. Angrishi , K. Turning internet of things (iot) into internet of vulnerabilities (iov): Iot botnets . arXiv preprint arXiv:1702.03681 ( 2017 ).

4. Alieyan , K. , Almomani , A. , Abdullah , R. , Almutairi , B. , & Alauthman , M. Botnet and Internet of Things (IoTs): A Definition, Taxonomy, Challenges, and Future Directions . In Security, Privacy, and Forensics Issues in Big Data , IGI Global , pp. 304 - 316 ( 2020 ).

5. Li , W. , Jin , J. , & Lee , J. H. Analysis of Botnet Domain Names for IoT Cybersecurity . IEEE Access , 7 , 94658 - 94665 ( 2019 ).

6. McDermott , C. D. , Majdani , F. , Petrovski , A. V. Botnet detection in the internet of things using deep learning approaches . In 2018 international joint conference on neural networks (IJCNN) , IEEE, pp. 1 - 8 ( 2018 ).

7. De Donno , M. , Dragoni , N. , Giaretta , A. , Spognardi , A. DDoS-capable IoT malwares: Comparative analysis and Mirai investigation . Security and Communication Networks ( 2018 ).

8. Doshi , R. , Apthorpe , N. , Feamster , N. Machine learning ddos detection for consumer internet of things devices . In 2018 IEEE Security and Privacy Workshops (SPW) , IEEE, pp. 29 - 35 ( 2018 ).

9. Moustafa , N. , Turnbull , B. , Choo , K. K. R. An ensemble intrusion detection technique based on proposed statistical flow features for protecting network traffic of internet of things . IEEE Internet of Things Journal , 6 ( 3 ), 4815 - 4830 ( 2018 ).

10. Al-Duwairi , B. , Al-Kahla , W. , AlRefai, M. A. , Abdelqader , Y. , Rawash , A. , & Fahmawi , R. SIEM-based detection and mitigation of IoT-botnet DDoS attacks . International Journal of Electrical & Computer Engineering (2088-8708) , 10 ( 2020 ).

11. Al Shorman, A. , Faris , H. , Aljarah , I. Unsupervised intelligent system based on one class support vector machine and Grey Wolf optimization for IoT botnet detection . Journal of Ambient Intelligence and Humanized Computing , pp. 1 - 17 ( 2019 ).

12. Alrashdi , I. , Alqazzaz , A. , Aloufi , E. , Alharthi , R. , Zohdy , M. , Ming , H. AD-IoT: anomaly detection of IoT cyberattacks in smart city using machine learning . In 2019 IEEE 9th Annual Computing and Communication Workshop and Conference , pp. 0305 - 0310 ( 2019 ).

13. Cvitić , I. , Peraković , D. , Periša , M. , Botica , M. Novel approach for detection of IoT generated DDoS traffic . Wireless Networks , pp. 1 - 14 ( 2019 ).

14. Mockapetris P. RFC- 1035 . Domain names - implementation and specification . ISI , 1987 . Available online: http://www.ietf.org/rfc/rfc1035.txt? number=1035 (аccessed on March 20 , 2020 ).

15. Pomorova , O. , Savenko , O. , Lysenko , S. , Kryshchuk , A. , Bobrovnikova , K. A technique for the botnet detection based on DNS-traffic analysis . Communications in Computer and Information Science , Vol. 522 , pp. 127 - 138 ( 2015 ).

16. Lysenko , S. , Bobrovnikova , K. , Savenko , O. A botnet detection approach based on the clonal selection algorithm . The 2018 IEEE 9th International Conference on Dependable Systems, Services and Technologies: Proceedings . Vol. 1 , pp. 424 - 428 ( 2018 ).

17. Lysenko , S. , Savenko , O. , Kryshchuk , A. , Klyots , Y. Botnet detection technique for corporate area network . The IEEE 7th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Proceedings , Berlin. Vol. 1 , pp. 315 - 320 ( 2013 ).

18. Lysenko

, Bobrovnikova

, Savenko

, Kryshchuk

. BotGRABBER: SVM-based self-adaptive system for the network resilience against the botnets' cyberattacks . Communications in computer and information science , pp. 127 - 143 ( 2019 ).

19. Lysenko

, Savenko

, Bobrovnikova

, Kryshchuk

. Self-adaptive system for the corporate area network resilience in the presence of botnet cyberattacks . Communications in computer and information science , pp. 385 - 401 ( 2018 ).

20. The BoT-IoT Dataset . Available online: https://www.unsw.adfa.edu.au/unsw-canberracyber/cybersecurity/ADFA-NB15-Datasets/bot_iot. php (аccessed on March 20 , 2020 ).

21. Koroniotis

, Moustafa

, Sitnikova

, Turnbull

. Towards the Development of Realistic Botnet Dataset in the Internet of Things for Network Forensic Analytics: Bot-IoT Dataset” , https://arxiv.org/abs/ 1811 .00701 ( 2018 ).

22. The

UNSW-NB15

Dataset . Available online: https://www.unsw.adfa.edu.au/unswcanberra-cyber/cybersecurity/ADFA-NB15-Datasets / (аccessed on March 20 , 2020 ).

23. Stratosphere Laboratory. Aposemat IoT-23. A labeled dataset with malicious and benign IoT network traffic . Parmisano, A. , Garcia , S. , Erquiaga , M. J. Available online: https://www.stratosphereips.org/datasets-iot23 (аccessed on March 20 , 2020 ).

24. Securelist . New trends in the world of IoT threats . Available online: https://securelist.com /new-trends-in-the-world-of-iot- threats/87991/ (аccessed on March 20 , 2020 ).

25. Cloudflare . What is the Mirai Botnet? Available online: https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet / (аccess.March 20 , 2020 ).

26. Kharchenko

, Kondratenko

, Kacprzyk

. (eds). Concepts of Green IT Engineering: Taxonomy, Principles and Implementation . Green IT Engineering: Concepts, Models, Complex Systems Architectures. Studies in Systems, Decision and Control , Springer, Cham, 2017 , Vol. 74 . pp. 3 - 19

27. Singh , K. , Singh Dhindsa , K. , & Bhushan , B. ( 2018 ). Performance analysis of agent based distributed defense mechanisms against ddos attacks . International Journal of Computing , 17 ( 1 ), 15 - 24 . Retrieved from http://computingonline.net/computing/article/view/945.