IoT Botnet Detection on Flow Data using Autoencoders

The rapid growth of the Internet of Things and the proliferation of easily compromisable IoT devices has led to a drastic increase in the occurrence of IoT-based botnet attacks. Hackers are keen on exploiting the vulnerabilities of smart devices, which are seen as easy targets often lacking robust security mechanisms. Identifying botnet activity is an active research topic and remains a challenging task due to the continuous evolution of botnet families that employ a large number of attack vectors. Traditional rule-based approaches which rely on signature matching, heuristics and behavioral profiling are always lagging one step behind the attacker, leading researchers to the development of machine and deep learning methods for the detection of compromised IoT device behaviour. In this paper, we model botnet traffic identification as an anomaly detection task, aiming at establishing a baseline of benign traffic, in order to detect unusual behavior using Netflow data. We propose a feature engineering and deep learning-based detection framework based on two Autoencoder architectures: (i) a vanilla implementation of a deep Autoencoder and (ii) GANomaly which has never been used in the context of network traffic analysis before.We validate the performance of the proposed methodology on the CICIDS2017 dataset which has been widely used for cybersecurity benchmarks and show that it is possible to induce highly accurate unsupervised learning models to detect previously unseen botnet behaviour.