Traffic Based Sequential Learning During Botnet Attacks to Identify Compromised IoT Devices

A novel online Compromised Device Identification System (CDIS) is presented to identify IoT devices and/or IP addresses that are compromised by a Botnet attack, within set of sources and destinations transmit packets. The method uses specific metrics selected for this purpose which easily extracted from network traffic, trains itself during normal operation with an Auto-Associative Dense Random Neural Network (AADRNN) using traffic measured as arrives. As it operates, the AADRNN trained auto-associative learning only estimates being benign, without prior collection different attack data. experimental evaluation on publicly available Mirai data shows CDIS achieves high performance Balanced Accuracy 97%, despite its low on-line training execution time. Experimental comparisons show sequential (online) learning, provides best among six state-of-the-art machine models. Thus can provide crucial effective information prevent spread attacks in networks having multiple addresses.