IoT-BDA Botnet Analysis Dataset

Citation Author(s):
Tolijan
Trajanovski
Ning
Zhang
Submitted by:
Tolijan Trajanovski
Last updated:
Tue, 05/25/2021 - 14:45
DOI:
10.21227/sf59-sz80
Data Format:
License:
0
0 ratings - Please login to submit your rating.

Abstract 

 

The proliferation of insecure Internet-connected devices gave rise to the IoT botnets which can grow very large rapidly and may perform high-impact cyber-attacks. To facilitate the improvement and the development of host and network-based IoT botnet detection solutions, and Linux malware analysis tools and methods, we provide the IoT-BDA Botnet Analysis Dataset. The dataset comprises the results of the analysis conducted by IoT-BDA Framework on 4077 unique IoT botnet samples captured by honeypots. The framework executed the samples in a sandbox and performed static, behavioural and network analysis to identify indicators of compromise and attack, anti-static-analysis, anti-dynamic-analysis, anti-forensics and persistence techniques used by IoT botnets.  Each of the analysed samples was scanned using Virustotal and was attributed the most probable malware family it belongs to using the AVClass malware classifier. The dataset may also enable clustering of IoT botnet samples based on static, behavioural and network features derived by the framework. In addition to the analysis results, the dataset includes the botnet samples (ELF files), the captured behaviour (systemcalls) and the recorded network traffic (.pcap).

 

 

Instructions: 

 

The .zip archive contains a folder ‘tasks’, and a .csv file, “analysis_results.csv” which is a table with 4077 entries. The .csv table is delimeted by comma. Each subfolder of the ‘tasks’ folder represents an analysis task of a unique sample. The association between tasks and samples is shown in the analysis_results.csv table, which contains the analysis results per sample. Each row in the table represents a botnet sample and holds information such as analysis task id, file hash, URL of the server where the sample was captured from, as well as the analysis results for that sample.  For each task id, the corresponding folder contains: 1) the results of the analysis (analysis_result.json); 2) the captured traffic (capture.pcap); 3) the recorded system calls (syscalls.json) and 4) the botnet sample file (ELF binary) with the original filename. Depending on the IoT botnet sample analysed, the network traffic may include port scanning, exploitation, C2 communications and DDoS traffic.