The University of Windsor is preparing for a safe return to campus. Learn More.

Colloquium Presentation by Mr. Morteza Safaei Pour:"Data-drive Curation, Learning and Analysis for Inferring Evolving IoT Botnets in the Wild"

Friday, October 30, 2020 - 11:00 to 12:30

The School of Computer Science at the University of Windsor is pleased to present…

Image of Mr. Morteza Safaei Pour
Presenter: Morteza Safaei Pour
PhD candidate in Information Systems and Cyber Security
Member of the Cyber Center for Security and Analytics
University of Texas, San Antonio Texas
Date: Friday October 30, 2020
Time: 11:00am-12:30pm
Passcode: If you are interested in attending this colloquium presentation, send an email request to the Graduate Secretary at


The insecurity of the Internet-of-Things (IoT) paradigm continues to wreak havoc in consumer and critical infrastructures. The highly heterogeneous nature of IoT devices and their widespread deployments has led to the rise of several key security and measurement-based challenges, significantly crippling the process of collecting, analyzing and correlating IoT-centric data. To this end, we explore macroscopic, passive empirical data to shed light on this evolving threat phenomena. The proposed work aims to classify and infer Internet-scale compromised IoT devices by solely observing one-way network traffic, while also uncovering, reporting and thoroughly analyzing “in the wild” IoT botnets. To prepare a relevant dataset, a novel probabilistic model is developed to cleanse unrelated traffic by removing noise samples (i.e., mis-configured network traffic). Subsequently, several shallow and deep learning models are evaluated in an effort to train an effective multi-window convolutional neural network. By leveraging active and passing measurements when generating the training dataset, the neural network aims to accurately identify compromised IoT devices. Consequently, to infer orchestrated and unsolicited activities that have been generated by well-coordinated IoT botnets, hierarchical agglomerative clustering is employed by scrutinizing a set of innovative and efficient network feature sets. Analyzing 3.6 TB of recently captured darknet traffic revealed a momentous 440,000 compromised IoT devices and generated evidence-based artifacts related to 350 IoT botnets. Moreover, by conducting thorough analysis of such inferred campaigns, we reveal their scanning behaviors, packet inter-arrival times, employed rates and geo-distributions. Although several campaigns exhibit significant differences in these aspects, some are more distinguishable; by being limited to specific geo-locations or by executing scans on random ports besides their core targets. While many of the inferred botnets belong to previously documented campaigns such as Hide and Seek, Hajime and Fbot , newly discovered events portray the evolving nature of such IoT threat phenomena by demonstrating growing cryptojacking capabilities or by targeting industrial control services.


Morteza Safaei Pour is currently a Ph.D. candidate and a member of the Cyber Center for Security and Analytics at University of Texas at San Antonio. He received his B.Sc. and M.Sc. in electrical engineering (secure communication) from Sharif University of Technology, Tehran, Iran, in 2013 and 2016, respectively. His research interests fall under the general umbrella of Internet measurement for cybersecurity with more focus on Internet-of-things (IoT). He has executed several projects in various topics including stochastic modeling of malicious actors from a darknet perspective, application of machine learning in Internet-wide inference of malicious IoT devices, inferring the orchestration behavior of seemingly independent IoT activities, assessing Internet-wide cyber situational awareness of critical sectors. He was a recipient of several scholarships and awards including ARES 2019 best paper award.
5113 Lambton Tower 401 Sunset Ave. Windsor ON, N9B 3P4 (519) 253-3000 Ext. 3716