Designing an effective network forensic framework for the investigation of botnets in the Internet of Things

Access & Terms of Use
open access
Copyright: Koroniotis, Nickolaos
The emergence of the Internet of Things (IoT) has heralded a new attack surface, where attackers exploit the security weaknesses inherent in smart things. Comprised of heterogeneous technologies and protocols, the IoT is a source of high-speed, high-volume data, rendering pre-existing forensic solutions ineffective. As a result, developing new network forensic solutions for the IoT is imperative. Some of the challenges involved in designing network forensic solutions for the IoT are 1) obtaining realistic data that represent contemporary network behaviour, 2) selecting and optimizing a machine learning model best suited to deal with such data, and 3) identifying and tracing attacks. This thesis provides a considerable contribution to the research focusing on building a network forensic framework tasked with investigating botnet activities in IoT networks. The first contribution is the design of a new virtual testbed and the generation of a new network dataset, called Bot-IoT. This new dataset incorporates normal IoT traffic and represents a range of realistic network attacks. The second contribution is the selection of optimal features for the dataset. The process combined two measures, namely Pearson Correlation and Joint Entropy, to create a score for the features, allowing for the selection of the 10 least-similar features, which helped in removing redundant information from the dataset. The third contribution is the analysis performed on the Bot-IoT dataset. For this analysis, two other widely used datasets, UNSW-NB15 and NSL-KDD, were selected and seven machine learning models were trained. The fourth contribution is the development of the Particle Deep Framework (PDF), which covers the stages of the digital forensic investigation process. The PDF utilizes Particle Swarm Optimization for the selection of the optimal hyperparameters of a deep learning model, which lies at its core and is trained to detect attack network flows.
Koroniotis, Nickolaos
Sitnikova, Elena
Nour, Moustafa
Degree Type
PhD Doctorate
UNSW Faculty