Abstract
The emergence of the Internet of Things (IoT) has heralded a new attack surface, where attackers exploit the security weaknesses inherent in smart things. Composed of heterogeneous technologies and protocols, the IoT is a source of high-speed, high-volume data, rendering pre-existing forensic solutions ineffective. As a result, developing new network forensic solutions for the IoT is imperative. Some of the challenges involved in designing network forensic solutions for the IoT are 1) obtaining realistic data that represent contemporary network behaviour, 2) selecting and optimizing a machine learning model best suited to such data, and 3) identifying and tracing attacks. This thesis provides a considerable contribution to the research on building a network forensic framework tasked with investigating botnet activities in IoT networks.
The first contribution is the design of a new virtual testbed and the generation of a new network dataset, called Bot-IoT. This new dataset incorporates normal IoT traffic and represents a range of realistic network attacks. The second contribution is the selection of optimal features for the dataset. The process combined two measures, namely Pearson Correlation and Joint Entropy, to create a score for the features, allowing for the selection of the 10 least-similar ones, which helped in removing redundant information from the dataset. The third contribution is the analysis performed on the Bot-IoT dataset. For this analysis, two other widely used datasets, UNSW-NB15 and NSL-KDD, were also selected and seven machine learning models were trained. The fourth contribution is the development of the Particle Deep Framework (PDF), which covers the stages of the digital forensic investigation process. The PDF utilizes Particle Swarm Optimization for the selection of the optimal hyperparameters of a deep learning model, which lies at its core and is trained to detect attack network flows.
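The feature-selection step of the second contribution, as an added illustration that is not the thesis's own code: Pearson correlation and joint entropy are computed for every pair of features, folded into one redundancy score per feature, and the k least-similar features are kept. The flow table, the equal-width binning used to estimate entropy, and the way the two measures are averaged into a score are all assumptions made here; the abstract does not give the thesis's exact formula.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed toy flow table (not Bot-IoT data): "bytes" is an exact
# multiple of "pkts", so the two columns carry the same information.
ROWS = {
    "pkts":  [1, 2, 3, 4, 5, 6, 7, 8],
    "bytes": [64, 128, 192, 256, 320, 384, 448, 512],
    "proto": [1, 2, 1, 2, 1, 2, 1, 2],
    "state": [1, 1, 2, 2, 1, 1, 2, 2],
}

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length columns."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy) if sx and sy else 0.0

def discretize(col, nbins=4):
    """Equal-width binning (an assumption) so entropy works on numeric columns."""
    lo, hi = min(col), max(col)
    width = (hi - lo) / nbins or 1.0
    return [min(int((v - lo) / width), nbins - 1) for v in col]

def joint_entropy(x, y, nbins=4):
    """H(X,Y) in bits over the binned pair; higher means less shared information."""
    pairs = Counter(zip(discretize(x, nbins), discretize(y, nbins)))
    n = len(x)
    return -sum(c / n * math.log2(c / n) for c in pairs.values())

def similarity_scores(table):
    """Per-feature redundancy: mean over the other features of the average of
    |Pearson r| and (1 - joint entropy / max entropy). Assumed combination."""
    names = list(table)
    h_max = math.log2(len(next(iter(table.values()))))  # n rows -> log2(n) bits
    pair = {}
    for a, b in combinations(names, 2):
        r = abs(pearson(table[a], table[b]))
        h = joint_entropy(table[a], table[b]) / h_max
        pair[a, b] = pair[b, a] = (r + (1.0 - h)) / 2.0
    return {f: sum(pair[f, g] for g in names if g != f) / (len(names) - 1)
            for f in names}

def select_least_similar(table, k):
    """Keep the k features with the lowest redundancy score (ties broken by name)."""
    scores = similarity_scores(table)
    return sorted(scores, key=lambda f: (scores[f], f))[:k]
```

Running `select_least_similar(ROWS, 2)` keeps `proto` and `state`; the duplicated `pkts`/`bytes` pair scores highest and drops out, which is the redundancy removal the abstract describes.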