Detection of Mozi IoT Botnet Using Autoencoder-Based Feature Learning and Hashing
DOI: https://doi.org/10.70454/JRICST.2026.30106
Keywords: Autoencoder, Botnet, IoT, Hash function, Mozi
Abstract
The detection method described in this paper uses autoencoder-based feature learning to identify abnormal traffic patterns indicative of a Mozi infection and employs hashing techniques to track and enumerate the P2P botnet nodes. The Internet of Things (IoT) has emerged as a game-changer in today’s world, influencing numerous industries and lifelines. Detection of IoT botnets has multiple implications for the security and availability of IoT ecosystems. Mozi is a P2P IoT botnet characterized by fast spreading, persistence, and misuse of weak device configurations. Traditional signature- and rule-based detection schemes are often unable to detect such dynamic threats because they generalize poorly. In this paper, we present an efficient Mozi botnet detection scheme that leverages autoencoder-based feature learning and a hashing technique to achieve fast, scalable detection. To that end, the paper proposes a method to detect botnets using an autoencoder and a hash function for large-scale data retrieval. The algorithm uses the autoencoder to learn what is normal, then hashes what it learned to summarize the learned information succinctly, and compares hash codes in real time to detect anomalies, including IoT botnet-related anomalies. The proposed method achieves high detection accuracy and is robust to the evolving attack strategies of the Mozi botnet; it performs better than traditional methods while keeping computation and storage overhead low, which makes it well suited to IoT infrastructure.
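The pipeline the abstract describes (learn normal traffic, hash the learned code, flag codes never seen before), written out as an added example that is not the paper's own code. A linear autoencoder fitted in closed form stands in for the paper's network, and the feature names, quantization step, error threshold and all flow values are constructed assumptions.

```python
import hashlib

def fit(X, k=2, iters=200):
    """Linear autoencoder in closed form (assumed stand-in for the paper's net):
    the k encoder rows are the top principal directions of the benign flows."""
    n, d = len(X), len(X[0])
    mu = [sum(r[j] for r in X) / n for j in range(d)]
    C = [[sum((r[a] - mu[a]) * (r[b] - mu[b]) for r in X) / n
          for b in range(d)] for a in range(d)]
    W = []
    for _ in range(k):
        v = [1.0 / (j + 1) for j in range(d)]      # fixed start vector: repeatable runs
        for _ in range(iters):                      # power iteration
            v = [sum(C[a][b] * v[b] for b in range(d)) for a in range(d)]
            norm = sum(t * t for t in v) ** 0.5
            v = [t / norm for t in v]
        lam = sum(v[a] * C[a][b] * v[b] for a in range(d) for b in range(d))
        C = [[C[a][b] - lam * v[a] * v[b] for b in range(d)] for a in range(d)]  # deflate
        W.append(v)
    return mu, W

def hash_code(model, x, step=0.25, tau=0.1):
    """Quantize the latent code and reconstruction error, then hash to 64 bits."""
    mu, W = model
    c = [xi - m for xi, m in zip(x, mu)]
    z = [sum(wj * cj for wj, cj in zip(w, c)) for w in W]            # encode
    recon = [sum(w[j] * zi for w, zi in zip(W, z)) for j in range(len(c))]  # decode
    err = sum((cj - rj) ** 2 for cj, rj in zip(c, recon)) ** 0.5
    cell = [round(zi / step) for zi in z] + [min(int(err / tau), 3)]
    return hashlib.blake2b(repr(cell).encode(), digest_size=8).hexdigest()

# Constructed benign flows, features scaled to 0..1 (hypothetical names):
# [udp_fraction, new_peer_rate, small_pkt_fraction, failed_auth_rate]
BENIGN = [[0.2 + 0.6 * i / 20, 0.1 + 0.3 * i / 20 + 0.3 * j / 20,
           0.5 - 0.4 * j / 20, 0.05 + 0.004 * ((7 * i + 3 * j) % 5 - 2)]
          for i in range(21) for j in range(21)]
MODEL = fit(BENIGN)
KNOWN = {hash_code(MODEL, x) for x in BENIGN}      # compact summary of "normal"

def is_anomalous(x):
    """Constant-time lookup: a flow whose hash code was never seen is flagged."""
    return hash_code(MODEL, x) not in KNOWN

if __name__ == "__main__":
    print(len(BENIGN), "benign flows ->", len(KNOWN), "hash codes")
    print(is_anomalous([0.512, 0.397, 0.312, 0.055]))   # constructed benign-like flow
    print(is_anomalous([0.90, 0.95, 0.90, 0.60]))       # constructed P2P-heavy flow
```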
License
Copyright (c) 2026 Nitesh Kumar Saxena, Dr. Bhupender Singh Rawat (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.
This is an Open Access article distributed under the terms of the Creative Commons Attribution 4.0 International License permitting all use, distribution, and reproduction in any medium, provided the work is properly cited.