Connection Type Identification and Uplink Speed Estimation of Malware Infected Hosts

Abstract

IoT malware Mirai and its variants continue to evolve and their activities consume network resources, particularly radio resources. This paper proposes a method to identify connection types and estimate the wireless uplink speed of malware-infected hosts observed by IoT honeypot by using the Connection Type Database of Maxmind's GeoIP2, a well-known industrial resource for IP address related information, and Network Diagnosis Tool (NDT) database, a measurement data set of the uplink speed of various networks. The proposed Mobile Network Identification method divides IP addresses into IP ranges assigned to each Autonomous System (AS), and then employs the NDT database based on the IP ranges. We analyzed the infected hosts observed by IoT honeypot to assess and validate the precision of the proposed technique. Our method estimates the maximum average uplink speed of the infected cellular host to be 40.6Mbps, which is between two reference measurement results of cellar networks, indicating the adequacy of the proposed method.