Result detail

BOTA: Explainable IoT Malware Detection in Large Networks

POLIAKOV, D.; HYNEK, K.; ČEJKA, T.; KOLÁŘ, D. BOTA: Explainable IoT Malware Detection in Large Networks. IEEE Internet of Things Journal, 2023, vol. 10, no. 10, p. 8416-8431. ISSN: 2327-4662.
Type
journal article
Language
English
Authors
Daniel Poliakov, Karel Hynek, Tomáš Čejka, Dušan Kolář
Abstract

Explainability and alert reasoning are essential but often neglected properties of intrusion detection systems. The lack of explainability reduces security personnel's trust, limiting the overall impact of alerts. This article proposes the botnet analysis (BOTA) system, which uses the concepts of weak indicators and heterogeneous meta-classifiers to maintain accuracy compared with state-of-the-art systems while also providing explainable results that are easy to understand. To evaluate the proposed system, we have implemented a demonstration of intrusion weak-indication detectors, each working on a different principle to ensure robustness. We tested the architecture with various real-world and lab-created data sets, and it correctly identified 94.3% of infected Internet of Things (IoT) devices without false positives. Furthermore, the implementation is designed to work on top of extended bidirectional flow data, making it deployable on 100-Gb/s large-scale networks at the level of Internet Service Providers. Thus, a single instance of BOTA can protect millions of devices connected to end-users' local networks and significantly reduce the threat arising from powerful IoT botnets.

Keywords

detection, explainability, Internet of Things (IoT), malware, network monitoring, network security, weak indicators

URL
https://ieeexplore.ieee.org/document/9983820
Year
2023
Pages
8416–8431
Journal
IEEE Internet of Things Journal, vol. 10, no. 10, ISSN 2327-4662
Book
IEEE Internet of Things Journal
Publisher
Institute of Electrical and Electronics Engineers
Place
Piscataway
DOI
10.1109/JIOT.2022.3228816
UT WoS
000982455700008
BibTeX
@article{BUT185208,
  author="Daniel {Poliakov} and Karel {Hynek} and Tomáš {Čejka} and Dušan {Kolář}",
  title="BOTA: Explainable IoT Malware Detection in Large Networks",
  journal="IEEE Internet of Things Journal",
  year="2023",
  volume="10",
  number="10",
  pages="8416--8431",
  doi="10.1109/JIOT.2022.3228816",
  issn="2327-4662",
  url="https://ieeexplore.ieee.org/document/9983820"
}
Projects
Analysis of encrypted traffic using network flows, MV (Ministry of the Interior of the Czech Republic), Strategic Support for the Development of Security Research in the Czech Republic 2019–2025 (IMPAKT 1), Subprogramme 1 Joint Research Projects (BV IMP1/2VS), VJ02010024, start: 2022-01-01, end: 2025-06-30, completed