ARBA: Anomaly and Reputation Based Approach for Detecting Infected IoT Devices

Gilad Rosenthal, Ofir Erets Kdosha, Kobi Cohen, Alon Freund, Avishay Bartik, Aviv Ron

Research output: Contribution to journalArticlepeer-review

6 Scopus citations


Today, cyber attacks are constantly evolving and changing, which makes them harder to detect. In particular, detecting attacks in large-scale networks is very challenging because they require high detection rates under real-time resource constraints. In this paper, we focus on detecting infected Internet of Things (IoT) hosts from domain name system (DNS) traffic data. IoT hosts, such as streaming cameras, printers, air conditioners, are hard to protect, unlike PCs and servers. Enterprises are often unaware of the devices which are connected to the network, their types, makes, and vulnerabilities. Since IoT hosts make use of the DNS protocol, analyzing DNS data can give a broad view of malicious activities, because they abuse the DNS protocol and leave fingerprints as part of their attack vector. In this collaborative research between Ben-Gurion University, and IBM, we establish a novel algorithm to detect infected IoT hosts in large-scale DNS traffic, named Anomaly and Reputation Based Algorithm (ARBA). Its novelty resides in developing a framework that combines host classification and domain reputation in a real-time production environment. ARBA is highly computational efficient and meets real-time requirements in terms of run time and computational complexity. By contrast to existing algorithms, it does not require a massive traffic volume for training, which is of significant interest in detecting infected hosts in real-time. The research was conducted on real live streaming data from IBM internal network traffic, and confirm the algorithm's strong performance in a real-time production environment.

Original languageEnglish
Article number9160931
Pages (from-to)145751-145767
Number of pages17
JournalIEEE Access
StatePublished - 1 Jan 2020


  • Cyber security
  • anomaly detection
  • detection algorithms
  • domain name system (DNS)
  • real-time algorithms

ASJC Scopus subject areas

  • General Computer Science
  • General Materials Science
  • General Engineering


Dive into the research topics of 'ARBA: Anomaly and Reputation Based Approach for Detecting Infected IoT Devices'. Together they form a unique fingerprint.

Cite this