Analysis of Internet Telescope Data for IoT Cyber Threat Intelligence

dc.contributor.advisorBou-Harb, Elias
dc.contributor.authorSafaei Pour, Morteza
dc.contributor.committeeMemberBeebe, Nicole
dc.contributor.committeeMemberRad, Paul
dc.contributor.committeeMemberRios, Anthony
dc.contributor.committeeMemberJadliwala, Murtuza
dc.creator.orcidhttps://orcid.org/0000-0003-1176-6274
dc.date.accessioned2024-02-12T20:02:49Z
dc.date.available2022-02-25
dc.date.available2024-02-12T20:02:49Z
dc.date.issued2021
dc.descriptionThis item is available only to currently enrolled UTSA students, faculty or staff. To download, navigate to Log In in the top right-hand corner of this screen, then select Log in with my UTSA ID.
dc.description.abstractDue to the immense proliferation of the Internet of Things (IoT) devices across all levels (e.g., homes, businesses and industries), entangled with an abundance of vulnerabilities and Internet-wide scanning, IoT devices have grown into a captivating hive of cyber targets for perpetrators. In late 2016, Mirai botnet infecting vulnerable IoT devices in the wild initiated the largest recorded Distributed Denial of Service (DDoS), in which the IoT ecosystem was boldly introduced as a potentially potent weapon to the arsenal of cyber attackers. Furthermore, along with the public release of Mirai source code, a series of Mirai variants emerged in the wild (e.g., Miori, Hajime, Masuta) inheriting the same core scheme, scanning pace, infection course and network communication style of Mirai initial implementation while amending actor-specific malware elements. Such uncontrolled expansion of malware led to an unprecedented battle among Mirai's variants abusing a massive number of previously infected, as well as non-infected IoT devices. This chaotic phenomenon has left the security of worldwide IoT devices belonging to individuals, industries and Critical Infrastructures (CI) as a deserted victim to IoT botnet malware provoked and controlled by malicious actors and cyber criminal groups. In this dissertation, I formalize the detection systems and activities generated from infected IoT devices from the Internet telescope perspective. Further, propose techniques to fingerprint infected IoT devices in large-scale and cluster them to orchestrated campaigns. Besides, I provide several investigation including longitude analysis to shed light on their evolution. In addition, I develop and implement eX-IoT, a first-of-a-kind operational, real-time CTI feed, operating on streaming Internet-scale network telescope data, for fingerprinting (and notifying about) compromised IoT devices deployed in Internet-wide realms. Finally, I propose a proactive deception technique to operate a large-scale IoT malware attribution by particularly exploiting a flaw in the stateless scanning module of the existing IoT malware in the wild. I primarily turn a large Internet telescope into a large honeypot to capture the interaction of infected IoT devices on the Internet.
dc.description.departmentInformation Systems and Cyber Security
dc.format.extent283 pages
dc.format.mimetypeapplication/pdf
dc.identifier.urihttps://hdl.handle.net/20.500.12588/5394
dc.languageen
dc.subjectdarknet
dc.subjectInternet measurements
dc.subjectInternet telescope
dc.subjectInternet-of-Things
dc.subjectIoT maliciousness
dc.subjectIoT security
dc.subject.classificationComputer science
dc.subject.classificationInformation technology
dc.subject.classificationInformation science
dc.titleAnalysis of Internet Telescope Data for IoT Cyber Threat Intelligence
dc.typeThesis
dc.type.dcmiText
dcterms.accessRightspq_closed
thesis.degree.departmentInformation Systems and Cyber Security
thesis.degree.grantorUniversity of Texas at San Antonio
thesis.degree.levelDoctoral
thesis.degree.nameDoctor of Philosophy

Files

Original bundle

Now showing 1 - 1 of 1
No Thumbnail Available
Name:
SafaeiPour_utsa_1283D_13414.pdf
Size:
7.21 MB
Format:
Adobe Portable Document Format