A threat modeling framework for IoT-Based botnet attacks

Abstract

Internet of Things (IoT) devices are much closer to users than personal computers used in traditional computing environments. Due to prevalence of IoT devices, even if they are compromised and used in attacks, it is difficult to detect and respond to them. Currently, there has been extensive research on threat modeling for cyberattacks. However, there remains a significant gap in research concerning threat modeling for attacks specially targeting IoT devices within the fifth-generation communication environment. In this paper, we present IoT Targeting-Threat Modeling(I3TM) framework established by analyzing botnets that are appeared before 2021 such as Mirai, Pink etc. Through this framework, we identify tactics and techniques to respond to the attacks. Using the identified tactics and techniques from our proposed framework, we can promptly respond to the newly detected attacks. We constructed a Threat Modeling Framework Keyword-Based Metrics to show extracted keywords from reports, academic papers, and white paper that identifies the features of botnet. We also provide an objective way to apply those keywords to the framework. Our framework is organized to analyze the attack process of botnets that may occur against IoT. The framework derives execution for each tactic for objective analysis based on keywords. In the validation for the framework, I3TM identified eight Tactics from Medusa botnet. If the application of the I3TM framework is continuously accumulated, a baseline of similar attack methods and data will be formed. In future research, we are planning to append mitigations for the attacks targeting IoT to the I3TM framework.

1. Introduction

Distributed denial of service (DDoS) attacks can target devices and infrastructure connected to the Internet of Things (IoT). For example, in the absence of adequate security measures such as intrusion prevention systems (IPS), power-saving mechanisms (PSM) [1] commonly used in low-power devices can lead to service disruptions. In addition, as the fifth generation (5G) massive network [2] is built, attacks exploiting radio frequencies and vulnerabilities in location-based services and sensors may occur. Botnet attacks and malware targeting IoT have steadily increased every year since the Hydra attack [3] in 2008. In addition, in 2016, Mirai [4] caused large-scale damage to DNS service provider Dyn. After Mirai's source code was released, similar attacks became increasingly active. Various variants of the Mirai botnets, such as Hajime, Mozi, IoT Reaper, and Satori, were observed [[5], [6], [7], [8]]. Recently, attacks targeting IoT, such as Medusa and V3G4, appeared.

To respond to such attacks, research on cybersecurity frameworks to detect and defend against botnet attacks has begun to appear. Since IoT can be controlled through a smartphone, mobile can also be an access point. Studies on cybersecurity frameworks for IoT environments include a study using machine learning-based IoT targeting botnet-related data sets [9], CyTEA for creating simulated cyber threats in cybersecurity training systems [10], and a study for mobile network topology. It may include Bhadra [11], a modeling framework, and the CONCORDIA Mobile Threat Modeling Framework (CMTMF) [12], which develops attack and defense taxonomies for threats. Some studies on cybersecurity frameworks targeting the IoT environment have been conducted, but there still needs to be dominant research. In particular, among the many attacks against the IoT environment, botnets can cause significantly considerable damage to all device connected to the bot so a study on a security framework specialized for botnets is required rather than integrating botnets with various attacks [13].

Since the IoT environment is much closer to the users than the traditional computing environment based on personal computers, the above cybersecurity framework and relevant technologies should be considered to achieve the 5G hyperconnected society.

In this paper, we investigate the possible threats of botnet attacks against the IoT environment on a case-by-case basis. We propose a threat modeling framework—IoT Targeting-Threat modeling (I3TM)—based on the observed attack related-techniques. This framework aims to rapidly analyze the attack flow when an actual botnet attack occurs. This framework can be used to respond to and prevent similar attacks that may arise in the future by providing mitigation techniques based on this analysis. To design such a framework, we investigated botnets that were observed targeting the IoT environment before 2021 and systematically organized the attack-related tactics and techniques they used. Through our efforts, we mapped the investigated attack techniques to each step of the botnet's attack flow, which is divided into three steps: attack mounting, attack execution, and attack result. Attack mounting refers to the access behavior that initiates an attack and consists of 4 tactics and 19 techniques. Attack execution refers to the malicious behavior executed after the attack accesses the target. This step contains 9 tactics and 33 techniques. Attack result refers to the attack's impact (and any additional impact or damage) and consists of 5 tactics and 23 techniques. In addition, we analyzed reports, academic papers, and white papers to identify keywords related to tactics and techniques for each step of I3TM. Based on the analysis, we defined a keyword table, which is used to analyze botnet attacks. We conducted a case study to examine a well-known botnet to validate our proposed framework. As mentioned earlier, I3TM was designed based on the attack techniques used by botnets before 2021. We employed botnets that occurred after 2022 for the case study to prove that I3TM can be utilized to analyze unseen botnets. In this paper, we construct the attack analysis report that classifies eight types of features that can be occurred in botnet threat information. The eight types of features are classified into device access, malware distribution (access methods), malicious behavior, malware infection method, infected targets, additional attack methods, attack scope, and final damage. Then we extract keywords from the description of an botnet threat information and apply them to our proposed framework. We analyzed the Medusa botnet as an example, using this approach. As a result of the verification, we demonstrated that our approach can successfully detect potential attack keywords and identify the attack direction within our framework. Also, we confirmed that our framework can be applied Medusa's attack behavior very quickly, using keywords we extracted. The contributions of this paper consist of three parts.

• ●We propose a threat modeling framework for 5G massive IoT Network and present keyword based detection method.
• ●We verify our approach by analyzing the Medusa botnet as an example utilizing our proposed Attack Analysis Report and the framework.
• ●We build a botnet-based threat modeling framework targeting 5G massive IoT. We expect high effectiveness in detecting attacks on IoT botnets through this framework and provide the starting point of the botnet-based threat modeling framework research.

The remainder of this paper is organized as follows: In Section 2, we present IoT botnet attack cases and analyze known threat modeling frameworks. Section 3 describes the structure of the I3TM frameworkSection 4 presents a case study on a 2022 botnet attack to validate the effectiveness of the I3TM framework. In Section 5, we discuss the purpose, limitations, and broader implications of this research. Finally, Section 6 concludes the paper and outlines potential directions for future work.

2. Related work and background

In this section, we introduce some botnets observed in the past and studies related to threat modeling. This analysis is used as material to describe the threat modeling framework for the botnet targeting the IoT environment in the 5G massive network presented in Section 3.

2.1. Botnet

Since the inception of the botnet and DDoS attacks, the scale of botnet attacks has grown at the national level. Gafgyt (called Bashlite, Lizkebab, Torlus) is a botnet that infected more than 1 million devices from 2014 to 2016 [[14], [15], [16]]. The source code of Gafgyt has been leaked. Mirai, which broke out in 2016, has a vast DDoS attack in which the Internet was paralyzed for about 2 h in half of the U.S. after Dyn, a hosting service company, was attacked by DDoS. Mirai is a representative botnet attack exploiting vulnerabilities of IoT devices. Mirai's source code was released in October 2016, which allowed new botnet attacks to continue to appear. With the release of Mirai's source code, many variants have been shown, such as Okiru, Echobot, Hajime, and Mozi. In addition, the botnets used various attack techniques. Mirai compromised lots of IoT devices with weak passwords on the Telnet. IoT Reaper exploited vulnerabilities known as indiscriminate substitution attacks. Satori propagated itself through specific ports without scanning. Mozi combined the vulnerabilities of Gafgyt, Mirai, IoT Reaper, and various other botnets to attack IoT devices. Table 1 classifies and organizes attack features based on six botnet features, tactics, techniques, and keywords.

Table 1.

Feature Classification of IoT botnets.

Botnet	Feature	Tactics	Techniques	Keyword
Mirai	Targets IoT devices with weak passwords, DDoS attacks	Reconnaissance, Resource Development, Initial Access, Attack Execution, Impact	Active scanning, Vulnerability scanning, DDoS, Brute forcing credentials	Scan, Random, Scanning IP blocks, Brute-force
Hajime	Update functionality, IP Blacklist	Reconnaissance, Resource Development, Initial Access	Passive scanning, Dictionary attack, IP Blacklist	Dictionary, IP, Blacklist, Passive
IoT Reaper	Known vulnerabilities	Reconnaissance, Resource Development, Initial Access, Privilege Escalation	Vulnerability scanning, Exploit public facing application, Code injection	Vulnerability, Exploit, Code, Injection
Satori	Huawei and Realtek vulnerabilities	Reconnaissance, Resource Development, Initial Access, Privilege Escalation	Vulnerability scanning, Exploit public facing application, Code injection	Vulnerability, Exploit, Code, Injection
Pink	Fiber-optic routers, DDoS, Ads, Hybrid Network	Reconnaissance, Resource Development, Initial Access, Attack Execution, Impact	Active scanning, Vulnerability scanning, DDoS, Advertisement-insertion	Scan, Random, Scanning IP blocks
Mozi	Telnet vulnerabilities, DHT Protocol	Reconnaissance, Resource Development, Initial Access, Attack Execution	Active scanning, Vulnerability scanning, DDoS, Brute forcing credentials	Scan, Random, Scanning IP blocks, Brute-force

2.1.1. Mirai

Mirai was first discovered in 2016 by Malware MustDie, a White-Hat malware research group. Mirai attacked Dyn, a domain name system (DNS) provider, in October 2016. Due to this attack, 76 websites were paralyzed, including Twitter, Netflix, and the New York Times [[17], [18], [19], [20], [21]]. Mirai's source code was revealed. This event contributed to the creation of numerous IoT botnets and malware. Mirai was designed to perform DDoS attacks based on generic routing encapsulation (GRE), internet protocol (IP), greeth, transmission control protocol (TCP) with SYN and ACK flags, simple text-oriented messaging protocol (STOMP), DNS, user datagram protocol (UDP), and hypertext transfer protocol (HTTP) traffic. Mirai performs a more precise capability for executing DDoS attacks compared to Aidra, resulting in greater service disruption. Mirai, as malware derived from Bashlite, verifies the accessibility of port 23 and includes a scanning function to search Telnet services on port 2323. Mirai's workflow is quite simple. It triggers DDoS attacks, performs scanning on initial execution, infects vulnerable devices, and makes them part of the botnet. The target of Mirai was Linux-based IoT devices that operate in various processor architectures such as advanced reduced instruction set computer (RISC) machine (ARM), microprocessor without interlocked pipeline stages (MIPS), and PowerPC (PPC) through cross-compilation. The Mirai botnet's malware consists of four components: "C&C server and loader," "Report server hosting database," "scanner," and "bot." The scan function generates a random IP address and logs into the shell by pre-attacking vulnerable IoT devices that have not changed their preference using about 60 factory-shipped accounts on port 23.

2.1.2. Hajime

Hajime was first reported in 2016, and it attempted to spread malware to all IoT devices, resulting in around 300,000 devices being infected since 2017 [22]. Hajime is similar to Mirai in terms of the target device's types and the way it manages infected devices (bots) [23]. Hajime's malware has an update functionality that allows attackers to update features. Hajime's malware generates an IP address for another IoT device to infect and check whether the addresses are included in a blacklist. The blacklist is a hard-coded list of IP addresses that should be excluded from attack targets, such as national intelligence agencies and security companies. After checking port 23 of the target designated the IP address generated above, the malware attempts to sign into the target device with a list of account information. If the authentication is successful, the malware tries to access a shell and execute various commands, such as cp, cat, cd, and chmod, to check if the malicious payload was downloaded and had a write-permission for the specific path. Hajime creates malicious binary data by converting hexadecimal value into binary value using the Echo command. When the creation of malicious binary data is successfully completed, four actions (time synchronization through Network Time Protocol (NTP), disguising itself as a Telnet daemon program, checking whether the configuration file is updated, and setting the initial value of network communication) are executed. The attack proceeds sequentially; The malware initiates an attack by sequentially attempting a predefined Telnet's default accounts on an IoT device; The infected device downloads the up-to-date configurations and modules from other devices through the peer-to-peer (P2P) communication; The device tries to compromise other IoT devices, which is not yet infected. Hajime has evolved with simple object access protocol (SOAP)/HTTP-based communication vulnerabilities, such as radio waves, using TR-069 vulnerabilities.

2.1.3. IoT reaper

IoT Reaper was first reported in 2018 and is a variant botnet derived from the Mirai botnet. The botnet targeted IoT devices such as cameras, camcorders, and wireless routers and has infected more than 2 million IoT devices [[24], [25], [26]]. The number of infected devices by IoT Reaper continues to increase, but the scale of the damage is not precisely estimated because the bots remain inactive. IoT Reaper is written in the Lua language developed to run scripts and can perform attacks much more agile than Mirai Botnet due to its imperative and procedural language nature. The attack of IoT Reaper utilizes the IoT devices' well-known vulnerabilities regarding HTTP. IoT Reaper's bot scans devices utilized for attack propagation through the known vulnerabilities and feedback to C&C servers. Afterward, malware is delivered through loaders and downloaders based on the information collected by the C&C servers. When the malware is installed on the target device, it becomes part of the botnet and makes a malicious behavior to attack other devices. The C&C servers transmit commands, initiating attacks or spreading malware to other IoT devices through the Internet. Unlike the Mirai botnet, which scans the port of Telnet, it first conducts the TCP half scan for a specific port. The first ports to be scanned include 20480, 20736, 36895, 37151, 22528, 16671, 1434, 20992, 4135, 64288, 45090, 21248, 21504, 31775, 39455, 47115, and 42254. In the second scanning, the ports regarding the web service on the IoT devices are explored: 80, 82, 83, 84, 88, 1080, 3000, 3749, 8001, 8060, 8080, 8081, 8090, 8443, 8880, and 10000. If the bot recognizes the opened ports on the device, it infiltrates it using the onboard vulnerabilities in IoT Reaper. While the Mirai botnet could gain credentials and access the system through the brute-force attack using IoT's default accounts, IoT Reaper can take control of the device through the known vulnerabilities. Also, unlike Mirai Botnet, which maintains consistent connections between clients and C&C servers, IoT Reaper checks into the C&C servers using unencrypted HTTP communication every 10 s. In addition, IoT Reaper has over 100 DNS open resolver servers that act as DNS cache servers that respond to all DNS requests from the clients. Through this, the IoT Reaper could be used for DNS Amplification Attacks.

2.1.4. Satori

Satori, a variant of the Mirai botnet, was reported in 2017. Unlike Mirai, Satori attempts remote access using vulnerabilities in Huawei routers and specific devices using the Realtek software development kit (SDK) instead of the Telnet scanner module. The botnet infected over 280,000 IoT devices, and it was estimated that an additional 220,000 IoT devices could be affected [[27], [28], [29]]. An attacker (or Satori's malware) uploads malware on Huawei's home router using the vulnerability of a universal plug-and-play (UPNP) protocol (port 37215). The vulnerability, allowing the attacker to execute arbitrary commands on the device, was used to download and execute malicious payloads. Also, Satori's malware employs a vulnerability of Realtek's UPNP SOAP interface (port 52869), allowing a command execution. With these vulnerabilities, Satori secures control over the IoT device and executes the commands from C&C servers to perform malicious behaviors. Once the device is infected, Satori's malware tries to self-propagate into other IoT devices like a worm. Satori can attack various architectures: ARM, MIPS, PPC, x86, x86_64, SuperH, SPC, and ARC. Like other botnets, Satori could carry out DDoS attacks (TCP or UDP flooding attacks) following the order from the C&C servers.

Another variant of Satori is Satori Coin Robber, discovered in 2018. Interestingly, this malware targeted Claymore Miner, an Ethereum coin mining program, and stole ether using vulnerabilities from the victim. Satori Coin Robber performed the port scanning on TCP ports 3333, 37215, and 52869, like the original Satori. Especially port 3333 was used to check Claymore Miner. Satori Coin Robber adopted asynchronous network connectivity to improve scanning efficiency. The malware attacks Claymore Miner with vulnerabilities allowing an arbitrary read/write remotely. This malware mainly targeted the Claymore Miner-installed device with port 3333 while the cryptographic authentication was disabled. Except for the propagational feature, Satori Coin Robber has several exploitation features like getting mining status information, replacing file reboots, mining pools, getting addresses of wallets, and rebooting hosts with new wallets. C&C server communication is performed based on DNS protocol and utilizes hard-coded IP addresses.

2.1.5. Pink

Pink was reported as the first IoT botnet with a hybrid topology. Pink adopted a centralized C&C server and a decentralized network architecture like a P2P network. The primary targets of this botnet were routers with optical fiber based on MIPS architecture [30]. Over 1.6 million devices were estimated to be infected by Pink's malware. Pink botnet performed DDoS attacks along with advertisement-insertion attacks within HTTP-based websites. The attacker shut down TCP-17998 service and extranet connection to TCP-17998 via iptables, to block any access to Pink. Additionally, the attacker disabled TR-069 update channel, then performed the attack via the function of TCP-80 HTTP service file removal. Pink exploited a vulnerability—regarding misconfiguration and mis-implementation—of the router's TCP-17998 control service, a management interface for administrators. This vulnerability was used for Pink's initial access. Subsequently, Pink's malware secures control over the public network, which the infected router covers.

There are two methods that Pink distributes the botnet. First method distributes the botnet via third-party services. Pink accesses configuration files in remote repositories like GitHub via DNS-over-HTTPS(DoH) then connects to the servers or controllers designated by the configuration files. The controller is composed of a timestamp, the latest C&C address, the latest updated bot address, a secure DNS server address, a server-side public key content (base 64), and the proxy-related option. The information of configuration file is encrypted with the elliptic curve digital signature algorithm (ECDSA) which is frequently used in cryptocurrency transactions such as Bitcoin and Ethereum. The information of configuration file can be easily converted to the GitHub project address by adding transaction record to configuration file. In addition, the attacker has distributed the botnet via the Chinese website in a similar distributing method via GitHub. The second botnet distribution method is a distribution method via Peer-to-Peer (P2P). Pink bypasses the detection by utilizing UDP-123 port, which is the default port for the Network Time Protocol (NTP) Service. Following this process, a peer probe request is sent to four B-segment addresses, and in the absence of C&C information, an error message is returned. However, if C&C information is received, a response including the message header is returned.

2.1.6. Mozi

Mozi is another variant botnet of Mirai, reported in 2019. Mozi's primary targets are the IoT devices like wired-or-wireless routers, CCTVs, video recording devices, and PCs. It has infected over 1.5 million IoT devices around the world. Mozi exploits vulnerabilities of Telnet on IoT devices to infect them [30,31]. When the malware was installed, the newly infected device acted as a bot and was automatically attached to Mozi's P2P network as a node. Mozi was implemented based on the distributed hash table (DHT) protocol, frequently used to store node contact information on P2P platforms like torrents. Based on this protocol, the botnet network could be quickly set up without a server. Mozi hid a malicious payload within regular-large amounts of DHT traffic, making it difficult to be detected. Also, Mozi improved its integrity and security with ECDSA 384 and x7or algorithms. Once Mozi's malware infiltrated an IoT device, it ran an HTTP service with any local port. This local port could be utilized for various purposes, like receiving addresses for downloading a malicious payload from a configuration file produced by the attacker. The addresses were shared within the botnet for malware propagation.

2.2. Threat modeling framework

Threat modeling framework provides a systematic approach to identifying, understanding, and managing security threats against a system. The framework generally helps to identify security threats while designing or implementing a system or application and plays an essential role in preparing response plans for security threats. This section presents several well-known threat modeling frameworks: MITRE ATT&CK, Bhadra, and CONCORDIA-CMTMF.

2.2.1. MITRE ATT&CK and MITRE FiGHT

MITRE ATT&CK [32,33] is a security framework that classifies and categorizes information on various attack techniques by MITRE Corporation in the United States. Attack behavior based on actual cyberattack cases was classified and analyzed into several tactics and techniques. In other words, it is a security framework that can identify attack behavior based on attack pattern analysis to improve the detection of intelligent attacks. This data can be used to develop multiple threat models and methodologies. In addition, MITRE ATT&CK released "MITRE ATT&CK for Enterprise," targeting IT systems. In this framework, 224 attack techniques are categorized into 14 attack tactics.

MITRE FiGHT [34,35] is another knowledge-based security framework. It was derived from the original MITRE ATT&CK to complement it with attack tactics and techniques regarding the 5G network. Each attack technique is labeled as one of three types: "theoretical," "proof-of-concept (PoC)," and "observed." Most techniques in the framework are marked as "theoretical" or "PoC" based on academic research and other publicly available documents. Only some techniques are based on real-world observations and documented accordingly. This framework could be adopted in various ways, such as threat assessment, hostile emulation, and identifying gaps in security scope.

2.2.2. Bhadra Framework

The Bhadra Framework [11] is a security framework that models threats to mobile communication systems with a systematic methodology. In this framework, a total of 55 publicly known attack behaviors are classified by nine technical categories. This framework further understands the system vulnerabilities of MITRE ATT&CK, develops strict security defenses, and models unobserved attacks to consider the wide range of potential attackers. The modeling method divides the attack life cycle into three stages: attack mounting, attack execution, and attack results. First, attack mounting is a step in finding weaknesses in the target, obtaining initial access to the target, and establishing a continuous existence. Attack execution is a step in extending control from the initial access to the goal by exploiting vulnerabilities in the system. Finally, attack results are associated with information gathering and other attack impacts.

2.2.3. CONCORDIA–CMTMF

"Cybersecurity competence for research and Innovation (CMTMF)" [12] is a threat modeling framework for mobile systems, created to highlight the importance of cyber threat intelligence technology through the CONCORDIA project. CONCORDIA-CMTMF was developed to address the shortcomings of difficulty in applying the existing threat modeling frameworks, such as MITRE ATT&CK or Bhadra framework, to mobile networks. This framework combines MITRE ATT&CK's sub-frameworks like MITRE ATT&CK for enterprise/mobile/ICS. This framework is divided into 105 attack behaviors and 14 tactical categories.

3. I3TM: IoT Targeting-Threat Modeling framework

The 5G massive environment creates a myriad of attack contacts when one IoT device is infected, so we want to quickly detect attacks and block successive attacks, and the purpose of the framework is to quickly detect botnet attacks targeting IoT. Existing threat modeling frameworks were designated into Enterprise rather than IoT environment, making detailed analysis impossible. In this section, we describe the details of the proposed threat modeling framework, I3TM. Fig. 1 shows the framework configuration. Reports of botnet attacks consist of four steps. First, Botnet attack detection means the start of an attack by a botnet. This section is the section where the starting point of the attack is detected through reconnaissance, resource development, inspection section, and initial access. Second, it means the section using the I3TM framework. In order to apply the I3TM framework, it is used based on 18 Tactics and 75 Techniques. Third, it means the section that updates the I3TM framework. Update new extractions of tactics, techniques, and keywords for new botnet attacks. Finally, it is the Reporting for botnet attacks section. In this section, the botnet attack process is analyzed in detail, and botnet threat information is written. Keywords are extracted based on the botnet threat information. The keyword introduced in Appendix is applied to the I3TM framework to write the report. The framework is updated regularly, incorporating new attack techniques and feature data based on applicable cases in the Classification UI by attack type.

Fig. 1.

Suggested framework methodology diagram.

3.1. I3TM framework

The I3TM Framework is composed as shown in Fig. 2 and is divided into three upper classifications for attack flow, 18 Tactics, and 75 Techniques.

Fig. 2.

I3TM framework.

3.1.1. Attack mounting

Attack mounting summarizes the threats that may appear early stage of an attack. Attack mounting is divided into reconnaissance, resource development, infection section, and initial access.

Reconnaissance: A reconnaissance is a section that collects information necessary for an attack. The reconnaissance section is divided into active scanning, passive scanning, gathering user equipment (UE) identity information, gathering UE network information, phishing information, and social media information. Table 2 techniques distinguished and defined for reconnaissance intervals.

Table 2.

Techniques distinguished and defined for reconnaissance intervals.

Reconnaissance	Description
Active scanning	A scanning attack that uses network traffic to gather information directly from the victim.
Passive scanning	A scanning attack in which an attacker sends a standard communication message to the victim and collects the necessary (public) information from the return response message.
Gathering UE identity information	An attack that collects the personal information of the victim.
Gathering UE network information	Attacks that gather information about the target network.
Phishing information	An attack that tries to trick the victim into collecting or leaking information.
Social media information	Attacks collect personal information that is exposed on social media.

Table 2 represents the details and definitions of reconnaissance in attack mounting [[36], [37], [38], [39], [40], [41], [42], [43], [44], [45], [46]]. Active scanning is a scanning attack that directly collects information about the target using network traffic, including vulnerability-based script attacks and command applications. In active scanning, the keywords for the attack include scan, random, scanning IP blocks, and vulnerability scanning, wordlist scanning [[88], [89], [90], [91], [92]]. Passive scanning is a scanning attack in which an attacker sends a standard communication message to the target and collects the necessary and public information from the return response message. In passive scanning, the keywords associated with attack include dictionary attack, shodan, censys(ZMap), masscan [37,93,94]. Gathering UE identity information and gathering UE network information target information, including credentials of personal data such as e-mail addresses and IDs, and network data such as IP address ranges and domain names, can use the information to make other attacks. In gather UE identity information, the keywords associated with attack include identity, credentials, personal and business accounts, e-mail addresses, employee names [[95], [96], [97], [98], [99]]. In gather UE network information, the keywords associated with attack include administrative data, network domain, gather DNS, network trust dependencies, network topologies, IP addresses, network security appliances [88,[100], [101], [102], [103], [104]]. A phishing information attack is an attack in which information is collected or leaked by deceiving the target. It is an attack that uses social engineering techniques to camouflage and collect information from a specific target. In phishing information, the keywords associated with attack include phishing, spearphishing, instant messages, spearphishing messages, spearphishing service [42,[105], [106], [107]]. Social media information attack is an attack that can develop the next attack by collecting personal information exposed on social media. In social media information, the keywords associated with attack include spearphishing attachment, spearphishing link, malicious link, malicious attachment [108,109].

Resource development: Resource development is one of the attack preparation processes, which develops attack functions. Resource development is divided into development capabilities, obtain capabilities, stage capabilities, and compromise accounts.

Table 3 shows detailed items and definitions of resource development in attack mounting [12,47]. Development capabilities allow attackers to develop attack functions independently, identify development requirements, and build solutions such as malware, vulnerabilities, and self-signed certificates. In develop capabilities, the keywords associated with attack include develop capabilities exploits, malware, malware components, payloads, droppers, post-compromise tools, backdoors, packers, code signing certificates, self-signed SSL/TLS certificates, develop exploits [[110], [111], [112], [113]]. The obtain capabilities allow attackers to acquire information such as free or paid malware, software (including licenses), vulnerabilities, and certificates from other locations (e.g., download, purchase, steal) without developing an attack function. In obtain capabilities, the keywords associated with attack include download, purchase, opensource, cracked, steal [111,114,115]. Stage capabilities can upload, install, and set up attack functions, such as deploying attack functions developed or collected by attackers to the infrastructure they are using (e.g., GitHub, Pastbin, PaaS). In stage capabilities, the keywords associated with attack include upload/install/set up capabilities (upload malware/tool), install SSL/TLS certificates, drive-by target (drive-by download), malicious link, influence search engine optimization (SEO), SEO poisoning [[116], [117], [118], [119]]. Compromise accounts are a way to compromise the account of the services used by the victim (e.g., social media, e-mail, cloud). They can be compromised in various ways, including collecting credentials, purchasing credentials, and replacing certificates. In compromise accounts, the keywords associated with attack include compromise accounts, brute forcing credentials, credential dumps, social media accounts, email accounts, cloud accounts [45,[120], [121], [122], [123], [124]].

Table 3.

Distinguish and define Techniques for resource development sections.

Resource development	Description
Develop capabilities	Attackers develop their attack capabilities.
Obtain capabilities	Attackers need to develop attack capabilities and collect them elsewhere.
Stage capabilities	Attackers are using the attack capabilities they have developed or collected.
Compromise accounts	Attacks that compromise service accounts.

Infection section: In the infected section, it is the process of preparing the target of the attack in advance. The infection section is divided into router access, smartphone/app access, and removable media access.

Table 4 shows detailed items and definitions of infection intervals in attack mounting. The infection section is divided into router access, smartphone, application access, and removable media access [[48], [49], [50]]. Router access is an attack that can be accessed by infection through a wireless/wireless network to obtain access to a router, smartphone, and app access is an attack that can be accessed by infection through a smartphone or application. It is possible to connect by controlling IoT devices through applications. In router access, the keywords associated with attack include Wi-Fi, IEEE 802.11, wired LAN, wireless router [[125], [126], [127]]. In smart phone/APP access the keywords associated with attack include market, Android, IOS, System apps, APK [[128], [129], [130]]. Removable media access is an attack that can be accessed as an infection through a port connected to a secure digital (SD) card or universal serial bus (USB). In removable media access, the keywords associated with attack include USB, SD card [50,131].

Table 4.

Techniques distinguished and defined for infection section intervals.

Infection section	Description
Router access	Infection over a wireless/wired network to gain access to the router.
Smartphone/app access	Infection via smartphone or application.
Removable media access	Infection via removable media.

Initial access: In the initial access section, it attempts actions such as direct file execution of the target through malware. Initial approaches are classified into exploiting public-facing applications, installing insecure or malicious, masquerading as legitimate applications, exploiting through removable media, insider attacks/human errors, and firmware overwrite.

Table 5 shows the detailed items and definitions of the initial approach in attack mounting [51,52]. An exploit public-facing application is an attack that uses software, data, and commands to exploit vulnerabilities in computers or programs connected to the internet to cause abnormal behavior. In exploit public facing application, the keywords associated with attack include Internet-facing computer, advantage of a weakness, glitch, design vulnerability, escape to host, web server [[132], [133], [134], [135]]. Install insecure or malicious is an attack that installs unsafe or malicious settings, installed through phishing e-mail or text messages, including direct attachments or web links to settings, and disguised to install settings through social engineering attacks. In install insecure or malicious, the keywords associated with attack include install insecure configuration, install malicious configuration [136,137]. Masquerade as legitimate application is an attack that distributes malware after disguising it as a standard application, inserting malware into an actual standard application, or pretending to be a standard program. When requesting access to the accessibility service through the corresponding process, there is a possibility that access rights may be granted to the disguised application. In masquerade as legitimate application, the keywords associated with attack include masquerading, masquerade, app stores, legitimate application [[138], [139], [140]]. Exploit through removable media is an attack that exploits or copies malware onto a device connected via removable media. By manipulating or tampering with the firmware source code of the removable media with malware, the attack can be executed when the removable media is connected. In exploit through removable media, the keywords associated with attack include charging station, USB connect, intercepting(calls), network traffic, device physical location, radio interface, SMS parser, vulnerable sim cards [[141], [142], [143], [144], [145]]. Insider attacks and human errors are attacks in which attackers use internal personnel to damage network components. Insiders include employees with security awareness, whistleblowers, and former employees vulnerable to social engineering attacks. In insider attacks and human errors, the keywords associated with attack include intentional attacks, unintentional mistakes, insiders, insiders bring, former employees, whistleblowers [11,146,147]. A firmware overwrite is an attack in which an attacker forcibly updates modulated firmware after it is overwritten or replaced with existing firmware. In firmware overwrite, the keywords associated with attack include firmware(update), overwrite, boot, replacement attack [[148], [149], [150]].

Table 5.

Techniques distinguished and defined for initial access intervals.

Initial access	Description
Exploiting public-facing applications	Attackers use vulnerabilities in internet-connected computers or programs to use software, data, and commands to cause abnormal behavior.
Installing insecure or malicious	Installing insecure or maliciously configured settings.
Masquerading as legitimate applications	Disguise malware as a legitimate application and distribute it.
Exploiting through removable media	Attackers can exploit or copy malware onto devices connected via removable media and move it to the device.
Insider attacks/human errors	A method by which an attacker compromises network components through the internal structure of a target.
Firmware overwrite	An attack in which an attacker overwrites or replaces tampered firmware with older firmware and then updates (or forces) it.

3.1.2. Attack execution

Attack execution identifies the process through which an attack is executed. Attack execution is divided into process execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, and command and control.

Process execution: It is a process for an attacker to execute malware through a local or remote system. The execution section is divided into scheduled tasks, command-line (CMD) interface, NodeB component manipulation, eNodeB component manipulation, and gNodeB component manipulation.

Table 6 shows the details and definitions for the access execution method of attack execution [51,[53], [54], [55]]. Scheduled tasks are a feature that abuses the ability to schedule tasks to facilitate the initial or repeated execution of malware Utilities exist within all major operating systems that allow programs or scripts to be scheduled to run at a specified date and time and can also schedule tasks on remote systems if proper authentication is met. In scheduled task, the keywords associated with attack include at, cron, launched, scheduled task, system timers, container orchestration job [50,[151], [152], [153], [154]]. The command-line interface is the ability to execute malicious behavior through the command prompt (CMD) interface. In command-line interface, the keywords associated with attack include CMD [234]. Other features include NodeB component manipulation, which attacks third-generation cellular base stations. In NodeB component manipulation, the keywords associated with attack include NodeB 3G [235]. eNodeB component manipulation attacks fourth-generation cellular base stations, and gNodeB component manipulation attacks fifth-generation cellular base stations. In eNodeB component manipulation, the keywords associated with attack include eNodeB, 4G, LTE [236]. In gNodeB component manipulation, the keywords associated with attack include gNodeB, 5G, NR [237].

Table 6.

Techniques distinguished and defined for process execution intervals.

Process execution	Description
Scheduled tasks	Abuses the ability to schedule tasks or jobs to facilitate the initial or repeated execution of malware.
Command-line interface	Malicious actions can be executed via the CMD interface.
NodeB component manipulation	3G mobile communication base station for component corruption attack.
eNodeB component manipulation	4G mobile communication LTE base station eNodB component corruption attack.
gNodeB component manipulation	5G New Radio (NR) Base Station gNodB component corruption attacks on 5G mobile communications.

Persistence: Persistence is the process of maintaining an attack. It can be a malicious file created by the attacker or an attack that continuously performs malicious behavior. Persistence processes include boot or logon autostart execution and foreground persistence.

Table 7 shows the details and definitions for the persistence method of attack execution [[56], [57], [58], [59], [60], [61]]. Boot or logon autostart execution is an attack method configuring system settings to automatically run a program during system boot or logon to maintain persistence or gain high-level privileges on a compromised system. In boot or logon autostart execution, the keywords associated with attack include autostart, autoplay, autorun, logon, boot [140,155,156]. Foreground persistence allows a malicious application to exploit the startforeground() API method to continue running in the foreground while providing notifications to the user that appear to be legitimate applications. In foreground persistence, the keywords associated with attack include startforeground [238].

Table 7.

Techniques distinguished and defined for persistence intervals.

Persistence	Description
Boot or logon autostart execution	Configure system settings to automatically run programs during system boot or logon to maintain persistence or gain a high level of privileges on compromised systems.
Foreground persistence	Continue to run malicious applications in the foreground using the startforeground() application programming interface (API) method to provide users with notifications pretending to be genuine applications.

Privilege escalation: Privilege escalation is when an attacker exploits system vulnerabilities and misconfigurations to gain elevated privileges on a system or network. Privilege escalation is categorized into code injection, stealing protocol information, stealing the key, and stealing a certificate.

Table 8 shows the details and definitions for the privilege escalation method of attack execution [[62], [63], [64]]. Code injection is an attack that inserts or executes arbitrary code into the user interface to evade defenses, elevate privileges, or mimic user interaction. In code injection, the keywords associated with attack include DLL injection, portable executable injection, hijacking, asynchronous procedure call injection, TLS callback, proc memory, extra window memory injection, process hollowing, list planting [132,[157], [158], [159], [160], [161], [162], [163]]. Stealing protocol information is an attack that steals protocol information to cause traffic congestion through command and control. In stealing protocol information, the keywords associated with attack include protocol impersonation, protocol tunneling, application layer protocol, ARP, DNS, FTP, IMAP, POP3, SIP, SMB, SMTP, SNMP, SSH, telnet, VNC [[164], [165], [166], [167], [168], [169]]. Stealing the key is a method of exploiting a vulnerability by stealing cryptographic key information. In stealing the key, the keywords associated with attack include encryption key [170]. Stealing a certificate attacks a vulnerability by stealing certificate information. In stealing a certificate, the keywords associated with attack include digital certification [171].

Table 8.

Techniques distinguished and defined for privilege escalation intervals.

Privilege escalation	Description
Code injection	Inject or execute arbitrary code in the user interface to evade defenses, escalate privileges, and mimic user interactions.
Stealing protocol information	After stealing protocol information, an attacker can cause traffic congestion through command and control.
Stealing the key	A vulnerability attack can be carried out by stealing encryption key information.
Stealing a certificate	Attackers exploit the vulnerability by stealing certificate information.

Defense evasion: Defense evasion is part of the attack that allows the attacker to evade or manipulate the secured part of the attack to perform additional attacks. Defense evasion is categorized into Masquerading, disguising root/jailbreak indicators, evading analysis environment, obfuscating files or information, geofencing, and remote shutdown devices.

Table 9 shows the details and definitions of the defense evasion method of attack execution [65]. Masquerading is an attack that manipulates the functionality of an artifact to attempt to make it appear legitimate or harmless to users or security tools and is manipulated for evasion or to cause abuse. It includes manipulating metadata or tricking a user into misidentifying a file type and giving it a legitimate task or service name. In masquerading, the keywords associated with attack include invalid code signature, right-to-left override, rename system utilities, masquerade task or service, match legitimate name or location, space after filename, double file extension, rename [53,[172], [173], [174], [175], [176], [177]]. Disguise root/jailbreak indicators is an attack that attempts to evade detection by mobile security programs by jailbreaking or rooting a mobile device. Compromised device detection is performed by searching for specific artifacts, but the binary can be renamed to evade detection. In disguise root/jailbreak indicators, the keywords associated with attack include rooting, jailbreak [178,179]. Evade analysis environment is a method of detecting and evading virtualization and analysis environments, such as checking for the presence of an artifact representing a virtual machine environment (VME) or sandbox and then changing its behavior. In evade analysis environment, the keywords associated with attack include system checks, virtualization/sandbox evasion [180,181]. Obfuscated files or information is a method of encrypting, encoding, or obfuscating content on a system or in transit to make navigating or analyzing files challenging. Geofencing is an attack where an attacker uses geolocation to restrict specific malicious behavior. In obfuscated files or information, the keywords associated with attack include binary padding, software packing, steganography, compile after delivery, indicator removal from tools, html smuggling, dynamic API resolution, stripped payloads, embedded payloads [[182], [183], [184], [185], [186], [187], [188], [189], [190]]. Attackers can use the API to automatically trigger specific actions when a device enters or leaves a specified radius around a geographic location. In geofencing, the keywords associated with attack include GPS, LBS, geographic [191,192]. A remote shutdown device is an attack where the attacker aims to disrupt access to a system or destroy it by shutting it down or rebooting it. Attackers can be done by wiping the master boot record (MBR), rebooting the system, or using a scheduled system to cause a shutdown or reboot. In shutdown remote device, the keywords associated with attack include system restart, system shutdown, device restart, device shutdown [[193], [194], [195], [196]].

Table 9.

Techniques distinguished and defined for defense evasion intervals.

Defense evasion	Description
Masquerading	Attempts to appear legitimate or harmless to users or security tools by manipulating the artifact's functionality.
Disguise root/jailbreak indicators	Avoid detection by mobile security programs by jailbreaking or rooting mobile devices.
Evade analysis environment	Detect and prevent virtualization and analytics environments.
Obfuscating files or information	Encrypt, encode, or obfuscate content on systems or in transit to make files challenging to navigate or analyze.
Geofencing	Attackers can use geographic locations to restrict specific malicious actions.
Remote shutdown device	System access through shutdown or reboot may be interrupted, or the system may be destroyed.

Credential Access: Credential access is where an attacker can access sensitive data by making authentication look legitimate. Credentials include uniform resource identifier hijacking and access to sensitive data in device logs.

Table 10 shows the details and definitions for the credential access method of attack execution [66,67]. Uniform resource identifier hijacking is an attack that intercepts sensitive data by registering a uniform resource identifier (URI). In uniform resource identifier hijacking, the keywords associated with attack include token, hijacking, URI [132,197]. Access sensitive data in device logs is an attack that uses a malicious application to obtain private keys, passwords, credentials, or sensitive data stored in a device's system logs. In access sensitive data in device logs, the keywords associated with attack include read_logs [239].

Table 10.

Techniques distinguished and defined for credential access intervals.

Credential access	Description
Uniform resource identifier hijacking	Registering URIs to intercept sensitive data.
Access sensitive data in device logs	Malicious applications with READ_LOGS permission can be used to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log.

Discovery: Discovery is the section that explores and collects related information for further damage after the attack. Exploration is categorized into system network connections discovery, UE knocking, and gather victim host information: internal resource search.

Table 11 shows the details and definitions for the discovery method of attack execution [66,68,69]. System network connections discovery is a method that attempts to obtain a list of network connections to the compromised system or remote systems accessed to get information over the network. In system network connections discovery, the keywords associated with attack include netstat, state, Wi-Fi info, Internet connection discovery [[198], [199], [200], [201]]. UE knocking is a method that uses knocking on the user's device to determine the results via syn, ack. In UE knocking, the keywords associated with attack include knocking [240]. Gather victim host information: internal resource search is a method of obtaining sensitive data by searching the internal resources of the victim of an attack. In gather victim host information: internal resource search, the keywords associated with attack include victim [241].

Table 11.

Techniques distinguished and defined for discovery intervals.

Discovery	Description
System network connections discovery	Attempts to obtain a list of network connections with compromised or remote systems.
UE knocking	Check the recovery result of syn, ack by using knocking on the user's device.
Gather victim host information internal resource search	Obtain sensitive data by searching the internal.

Lateral Movement: Internal propagation is where an attack takes place after an attack to cause additional damage based on information gathered from detection. Two types of internal propagation are Adversary in the Middle Attack and Abusing Interworking functionalities.

Table 12 shows the details and definitions for the lateral movement method of attack execution [70]. An adversary in the middle attack is an attack where an attacker manipulates between two or more network devices to gather information through network sniffing after discovery. In adversary in the middle attack, the keywords associated with attack include transmitted data manipulation, AitM [53,202,203]. Abusing interworking functionalities is an attack that exploits interworking functionalities. In abusing interworking functionalities, the keywords associated with attack include IoT application [242].

Table 12.

Techniques distinguished and defined for lateral movement intervals.

Lateral movement	Description
Adversary in the middle attack	Attempts to specify a location between two or more network devices
Abusing interworking functionalities	A method of exploiting interlocking functions
Replication through SMS	The method of replication via SMS
Replication through Bluetooth	The method of replication via Bluetooth
Replication through WLAN	The method of replication via WLAN
Replication through IP	The method of replication via IP

Collection: In the collection phase, information is collected that causes additional damage based on the internal spread. The collection section is divided into collect critical data access from device logs and collect network traffic Capture.

Table 13 shows the details and definitions for the collection method of attack execution [71]. Collect critical data Access from device logs is a method of accessing device logs to collect critical data for attacks. In collect critical data access from device logs, the keywords associated with attack include log. Collect network traffic capture collects packets through traffic capture or redirection. In collect network traffic capture, the keywords associated with attack include packet, network traffic.

Table 13.

Techniques distinguished and defined for collection intervals.

Collection	Description
Access sensitive data in device logs	Access device logs to gather critical data for attacks.
Network traffic capture or redirection	Collect packets by capturing or redirecting network traffic.

Command and Control: Command and control(C&C) is an attack an attacker uses to communicate with and control a system inside the target network. Command and control are categorized into application layer protocol, communication via Bluetooth, and communication via wireless local area network(WLAN).

Table 14 shows the details and definitions of command and control among the attack execution methods [72]. Application layer protocol refers to attacks that use application layer protocols to communicate. In Application layer protocol, the keywords associated with attack include web protocols [51]. Commands to the mobile device and often the results of those commands are contained within the protocol traffic between the mobile device and the server. In communication via Bluetooth, the keywords associated with attack include Bluetooth [243]. Communication with Bluetooth refers to attacks that use Bluetooth to communicate. Communication via WLAN refers to attacks that use WLAN to communicate. In communication via WLAN, the keywords associated with attack include WLAN [244].

Table 14.

Techniques distinguished and defined for command and control intervals.

Command and control	Description
Application layer protocol	Attackers mix with existing traffic and communicate using application layer protocols to avoid detection/network filtering.
Communication via Bluetooth	An attack that uses Bluetooth to find a contact point.
Communication via WLAN	An attack that uses WLAN to find a contact point.

3.1.3. Attack result

The attack result summarizes the impact of additional attacks or damage states after an attack. Attack result is categorized into exfiltration, impact, 5G Service, legacy mobile telecommunication network, and type of botnet.

Exfiltration: Exfiltration refers to the leakage of information or compromise of a device based on information collected after an attack. Exfiltration is categorized into automated exfiltration, data encrypted, and alternate network mediums.

Table 15 shows the details and definitions of exfiltration in attack results [73,74]. Automated exfiltration refers to attacks that exfiltrate data through automated processing while collecting data, such as sensitive documents. In automated exfiltration, the keywords associated with attack include traffic duplication, C&C, alternative protocol, traffic mirroring [132,207,208]. When using automated exfiltration, other exfiltration techniques, such as exfiltration over C&C channels and exfiltration over alternative protocols, can also be applied to send information outside the network. Data encrypted is an attack that encrypts files stored on a mobile device to prevent users from accessing them. In data encrypted, the keywords associated with attack include ransomware, decryption key [209,210]. Identification monetary compensation from the victim in exchange for a decryption or decryption key (ransomware) or permanently making data inaccessible if the key is not stored or transmitted. Alternate Network Media is an attack that uses out-of-band data to communicate with a compromised device. In alternate network mediums, the keywords associated with attack include out of band data, evading network traffic monitoring [211].

Table 15.

Techniques distinguished and defined for exfiltration intervals.

Exfiltration	Description
Automated exfiltration	Attackers can exfiltrate data, such as sensitive documents, through automated processing after collection.
Data encrypted	Attackers encrypt files stored on mobile devices to prevent users from accessing them
Alternate network Mediums	An attacker could use out-of-band data to communicate with a compromised device.

Impact: Impact means that the attacker causes much damage through additional attacks after the attack. The impact is categorized into data manipulation, endpoint DoS, generate traffic from the victim, jamming or DoS, and location tracking.

Table 16 shows the details and definitions of impact in attack results [75,76]. Data manipulation allows an attacker to threaten data integrity by inserting, deleting, and manipulating data to influence external results or hide activities. In data manipulation, the keywords associated with attack include stored data manipulation, transmitted data manipulation, runtime data manipulation [53]. Endpoint DoS allows an attacker to degrade or block the availability of a service to users by exhausting the service's system resources and causing it to crash. DoS attacks are used to further malicious behavior. In endpoint DoS, the keywords associated with attack include OS exhaustion flood, service exhaustion flood, application exhaustion flood, application or system exploitation [132,196,212,213]. Generate traffic from the victim allows an attacker to generate outbound traffic to a device. In generate traffic from victim, the keywords associated with attack include mobile manipulate external outcome, carrier billing fraud, fraudulent ads, general web traffic [[214], [215], [216]]. This can be used to manipulate external results, such as fraudulent payments from carriers or manipulating rankings or ratings in app stores. Jamming or DoS allows an attacker to block a mobile device's communication by jamming radio signals to reduce or block availability. Jamming or DoS allows an attacker jamming wireless signals to block communications on a mobile device to reduce or block availability. In jamming or DoS, the keywords associated with attack include degrade resources, block resources, device restart/shutdown, reaction to other events [[217], [218], [219]]. Location tracking enables an attacker to track the physical location of a target using the target's standard operating system APIs or to bypass them. In location tracking, the keywords associated with attack include remote device management services, track the location of mobile, impersonate SS7 nodes, lack of authentication in signaling system network nodes [220].

Table 16.

Techniques distinguished and defined for impact intervals.

Impact	Description
Data manipulation	Attackers can manipulate data to affect external results or to hide activity, threatening the integrity of the data.
Endpoint DoS	Attackers can reduce or block service availability to users.
Generate traffic from the victim	Attackers can generate outbound traffic that scams mobile carriers or sends fake SMS.
Jamming or DoS	Attackers can perform DoS attacks to reduce or block resource availability.
Location tracking	Attackers can track the target's physical location using the target's standard operating system API.

5G Service: 5G service is used when an attack targets 5G infrastructure. The main areas of 5G services are categorized. 5G service is categorized into smart home, smart factory, digital healthcare, smart vehicle, besides that.

Table 17 shows the details and definitions of 5G service in attack result [2,[77], [78], [79]]. Smart homes connect you to the various appliances in your home and allow you to remotely control gas, heat, air conditioning, control lighting, and more. It means an attack that targets it. In smart home, the keywords associated with attack include resource constraints, absence of authentication method [221]. The smart factory is a field where sensors are installed on device and machines to collect and analyze data in real-time to analyze and control the situation in the factory. It is possible to freely link data between the pre-and post-processes of the smart factory and check issues in each section of the production site. It means an attack that targets it. In smart factory, the keywords associated with attack include machine to machine (M2M) communication, lack of security monitoring by access point name (APN) [222]. Digital healthcare is a field that deals with information, devices, systems, and platforms related to personal health and medical care. Doctors and medical institutions, and individuals can freely exchange medical services. It can be accessed through smartphones, medical measurement accessories, and healthcare-related applications. This means attacks against them. In digital healthcare, the keywords associated with attack include hacking protected health information (PHI) [[223], [226]]. A smart vehicle refers to a connected, networked car that provides various services. It is a field that deals with realizing autonomous driving while giving different information about the vehicle. It involves safe autonomous driving or driving assistance functions and exchanging information about the car and traffic flow. It refers to attacks that target these. In smart vehicle, the keywords associated with attack include traceability attack, user impersonation attack, fails to support session key establishment, fails to provide third party authentications [224,225]. In addition to smart energy IoT solutions, various fields such as delivery and agriculture be applied in the future. The division will be subdivided when it is expanded. In besides that, etc., the keywords associated with attack include smart energy, delivery, agriculture [245].

Table 17.

Techniques distinguished and defined for 5G service intervals.

5G Service	Description
Smart Home	Smart homes leverage a high level of connectivity, but constraints on resources and threats can arise where unauthorized communication protocols are used.
Smart Factory	Smart factories can provide incorrect data between control systems based on communication between devices, and incorrect data can pose threats at endpoints.
Digital Healthcare	Digital healthcare can threaten data forgery and tampering with healthcare systems.
Smart Vehicle	The smart vehicle may obtain a session key by impersonating a user of the smart means of transportation or identifying the location of the means of transportation, resulting in a threat.
Besides that	In addition to smart energy IoT solutions, various fields such as delivery and agriculture are being applied in the future, and when expanding, the division is subdivided.

External Interval: External interval refers to the interconnection zone of the attack target and the range that contains the attack target since the attack occurred. The external interval sections are divided into legacy mobile telecommunication network, 5G vertical provider, internet service provider, and internet network manager.

Table 18 shows the details and definitions of Legacy Mobile Telecommunication Network in Attack Result. Legacy Mobile Telecommunication Network refers to attacks that can occur due to vulnerabilities to IP-based attacks due to the unenforced security of legacy mobile telecommunication networks. In legacy mobile telecommunication network, the keywords associated with attack include distributed and uncoordinated security mechanisms, lack of adaptation, overprovisioned security mechanisms, vulnerability to IP-based attacks [226]. 5G Vertical Provider refers to a 5G vertical service that extends the functionality of mobile telecommunications services to the business-to-business (B2B) area and provides specialized services by introducing various functions of 5G to mobile telecommunications and other existing vertically integrated industries. In 5G vertical provider, the keywords associated with attack include network function virtualization (NFV) and network slicing, management and orchestration software [227]. Internet Service Provider Vulnerabilities, such as insecure IoT systems, can be exponentially amplified in a 5G environment, and ISPs can fall victim to them. Internet Network Manager Internal network administrators can be further victimized by higher-level administrators who manage the network after an attack. In Internet service provider, the keywords associated with attack include difficulty with network address and port translation (NAPT), multiple attacks allowing remote code execution, ISP [228,246].

Table 18.

Techniques distinguished and defined for external interval.

External Interval	Description
Legacy mobile telecommunication network	Unapplied security of legacy mobile networks leads to vulnerabilities against IP-based attacks.
5G vertical provider	It refers to providing specialized services by introducing various functions of 5G to telecommunications and other vertically integrated industries.
Internet service provider	Vulnerabilities such as insecure IoT systems can amplify exponentially in a 5G environment.
Internet network manager	Internal network managers have the potential for additional damage through higher-level administrators who have managed the network since the attack occurred.

Type of Botnet: Type of botnet refers to the type of botnet attack. Type of botnet consists of IRC botnet, P2P botnet, HTTP botnet, DGA botnet, and Wireless botnet.

Table 19 shows the details and definitions of the Type of botnet in Attack Result [[80], [81], [82], [83], [84], [85]]. IRC botnet refers to a botnet that uses the IRC protocol, and the bot master controls the vertical and horizontal scanning. In IRC botnet, the keywords associated with attack include agobot, botmaster controlled horizontal and vertical scanning, TCP, IRC [81,229]. P2P botnet means a botnet that uses peer-to-peer communication and performs centralized control. In P2P botnet, the keywords associated with attack include centralized control, blackbox techniques, UDP [48,230]. HTTP botnet is a botnet that uses the HTTP protocol and uses a C&C server. In HTTP botnet, the keywords associated with attack include encrypted communication channel, HTTP [231,232]. DGA botnet is a botnet that uses a wholesaler generation algorithm (DGA) to avoid IPS. In DGA botnet, the keywords associated with attack include evade IPS, whitelist, blacklist, DGA [82,233]. Wireless botnet is a botnet that utilizes wireless networks and can be attacked by exploiting wireless network vulnerabilities. In wireless botnet, the keywords associated with attack include access points, wireless DoS (WDoS), MAC vulnerabilities, wireless [85].

Table 19.

Techniques distinguished and defined for type of botnet intervals.

Type of botnet	Description
IRC botnet	A botnet using the IRC protocol.
P2P botnet	A botnet that uses peer-to-peer communication.
HTTP botnet	A botnet using the HTTP protocol
DGA botnet	A botnet that uses the Domain Creation Algorithm (DGA)
Wireless botnet	A botnet using a wireless network

3.2. Deriving countermeasures through I3TM

Based on I3TM framework, we can easily respond to newly observed botnet attacks. Deriving countermeasures against attacks largely consists of three steps: extracting keywords, writing report, and drawing countermeasures.

3.2.1. Extracting keywords

Botnet conducts adversarial behaviors through multiple steps. If we can capture the characteristics of the steps, it is easily revealed what kind of botnet is. For this, we characterize the botnet with relevant keywords. Based on our exhaustive research on various previously reported botnets, we prepared a reference (see Appendix A) which contains various keywords reflecting botnet's nature. Our keyword reference is built with same TTP structures of I3TM framework. That means if analyst identifies specific tactics and techniques for observed botnet, analyst just selects proper keywords in corresponding TTP category. If there is no suitable keyword in the category, it is allowed to extend the reference by adding a new keyword.

3.2.2. Writing report

Based on the analysis result, we write a report summarizing the botnet's characteristics. Fig. 3 depicts a sample report format. One can adopt any report format other than Fig. 3. But we recommend that the report include at least the following information: botnet's basic information, flow diagram, TTP, vulnerabilities-and-targets, and keywords. Basic information could include botnet's behavioral features (including name) such as device access and damage (Attack case in Fig. 3); Flow diagram should describe botnet's attack flow (Attack process in Fig. 3); TTP represents specific adversarial tactics and techniques used by botnet (Service, Device, and Network section in Fig. 3); For the known botnet attack, analyst may identify vulnerabilities exploited by botnet and their targets (vulnerabilities, CVE, and target equipment in Fig. 3); Report contains keywords which are extracted in previous step. All these information makes understanding botnet easier.

Fig. 3.

Attack analysis Reporting form.

3.2.3. Drawing countermeasures

Finally, we derive countermeasures against observed botnet based on the report, which is written in previous step. Basically, this paper focuses on the constructing the novel threat modeling framework suitable for botnet attacks in IoT environments. But this framework can be employed for drawing countermeasures against botnet attack. Since the analysis report includes detailed information of botnet, we can match proper strategies for detection or migration with corresponding attack behaviors. Because of scoping of this study, we do not present reference for countermeasures. But analyst can draw proper countermeasures from other threat modeling frameworks such as MITRE ATT&CK and D3FEND [247]. Note that I3TM framework do not share same TTPs with MITRE frameworks. Therefore, analyst should put in some effort to match I3TM framework's TTPs with MITRE frameworks' TTPs. We leave this as an open problem and will address it in the next study.

3.3. Probability-based prediction and scenario analysis

In this section, we introduce the probabilistic models used to predict Tactics and Techniques in IoT botnet attacks. The models calculate the likelihood of specific attack tactics based on extracted keywords from reports, enhancing the I3TM framework's ability to respond effectively to ongoing attacks. The likelihood of specific tactics $T_j$ being used in an IoT botnet attack is calculated using the following equation.

$$\begin{array}{c}P\left(T_j\right)=\sum _{i=1}^n{\mathrm{\omega }}_i\bullet P\left(K_i|T_j\right)\end{array}$$ (1)

Where $P\left(T_j\right)$ is the probability of a specific Tactic $T_j$, ${\mathrm{\omega }}_i$ is the weight of the keyword $K_i$, $P\left(K_i|T_j\right)$ is the conditional probability of $K_i$ given $T_j$ and $K_i$ represents a keyword (specific terms or phrases) extracted from attack reports used to identify and analyze relevant tactics. The weight ${\mathrm{\omega }}_i$ is determined using term frequency-inverse document frequency (TF-IDF), which calculates the importance of each keyword based on its frequency within the document and its rarity across multiple reports. By analyzing this probability, as shown in Eq. 1, I3TM can provide a more accurate forecast of the attack's progression, allowing for timely responses. This model can be implemented using various natural language processing (NLP) techniques, such as TF-IDF, to determine the significance of each keyword by calculating its frequency in the attack reports relative to its rarity across multiple reports [248]. Word2Vec helps capture semantic relationships between keywords by representing them as vectors in a continuous space [249]. Bidirectional encoder representations from transformers (BERT) provides deep contextual analysis by considering the bidirectional relationships between words, thereby helping to understand the full context of the attack [250]. In this context, BERT is used to train Eq (1), allowing it to predict the most likely tactic $T_j$ based on the given keyword inputs. By leveraging BERT's ability to understand the bidirectional relationships between words, it plays a crucial role in predicting the tactic that is most relevant to the attack scenario. Additionally, the model incorporates a scenario analysis framework to predict potential attack pathways by evaluating the expected number of occurrences of an event during a botnet attack, allowing for the calculation of the expected attack scenario using the following formula.

$$\begin{array}{c}E\left[Attack\right]\approx \frac{1}{m}\sum _{j=1}^{m}P\left(T_j\right)\end{array}$$ (2)

Where $E\left[Attack\right]$ is the expected number of attack events, $P\left(T_j\right)$ is the probability of event $T_j$ occurring. By using this probabilistic scenario analysis model, the framework can predict potential attack pathways, enabling better preparation and response to IoT botnet attacks.

4. Case study

This section shows the process of attack reports of attack cases and a case study with Medusa botnets that have occurred since 2022.

4.1. Case-based application methods – Medusa Botnet

This section shows an example of creating an attack analysis report based on a report for application to a written framework. We analyze botnet threat information or methods and use them in threat modeling frameworks.

4.1.1. Medusa Botnet

In 2023, the Medusa botnet, a variant of the Mirai botnet, was discovered. When executed, the Mirai botnet connects to the C&C server, retrieves the file "medusa_stealer.sh", and executes it [86,87]. The Medusa botnet receives commands from the C&C server to perform malicious methods such as DDoS, ransomware, and brute force attacks. The Medusa botnet launches DDoS using a spoofed IP address or the IP address of the victim computer where the client is installed. It uses the Spoofer() function to generate random Ip addresses, making it difficult for victims to determine the origin of the DDoS. The Medusa botnet uses the MedusaRansomware() function to encrypt files. The Medusa botnet can also use the scanworld function to perform brute-force attacks against Telnet services on Internet-connected devices. It listens for the "FivemBackdoor" and "ssh login" commands to allow backdoor access and SSH login attempts. The send_data() function collects various information about the system and sends it to a remote server located at "hxxps://medusa-stealer[.]cc/add/bot". The send_data() function internally calls the all_data_system() function to collect information such as username, hostname, IP address, operating system, CPU and RAM usage, total number of CPU cores, and system unique identifier.

keyword: Scan, Brute forcing credentials, Telnet, SSH, Ransomware, Brute Forcing, DDoS, Flooding.

4.1.2. Attack analysis report - Medusa Botnet

Apply the Medusa botnet to the attack analysis report and configure it, as shown in Fig. 4 The Medusa botnet is not showing any attacks or victimizations and is currently defined as a threat of possible attacks through code analysis.

Fig. 4.

Medusa botnet applied to attack analysis report.

4.1.3. I3TM framework - Medusa Botnet

Fig. 5 shows the application of the Medusa botnet keyword based metrics (Appendix A) to the threat modeling framework.

Fig. 5.

Threat modeling framework applied to medusa botnet.

4.2. Comparative Analysis of threat modeling framework attacks

We compare I3TM framework with existing framework [251] for Medusa botnet. Company C represents the analysis results for Medusa botnet based on MITRE ATT&CK for enterprise as shown in Fig. 6.

Fig. 6.

Existing framework Medusa Botnet MITRE ATT&CK Application.

In this work, two attack techniques (discovery and command-and-control) were derived. On the other hand, seven corresponding attack techniques were identified through I3TM framework (Fig. 7).

Fig. 7.

Comparative Analysis of existing framework based on Medusa Botnet and the presentation method of this paper.

5. Discussion

We proposed a botnet-based threat modeling framework for 5G massive IoT networks, utilizing a keyword-based detection method. The effectiveness of this approach was validated through the analysis of the Medusa botnet, employing our Attack Analysis Report and the I3TM framework. The proposed framework offers a foundational step toward improving IoT botnet attack detection and serves as a significant contribution to the broader field of botnet-based threat modeling for 5G IoT environments. Our framework analyzed the Tactics, Techniques, and Keywords associated with six representative botnets: Mirai, Hajime, IoT Reaper, Satori, Pink, and Mozi. Additionally, we evaluated four major threat modeling frameworks (MITRE ATT&CK, MITRE FiGHT, Bhadra Framework, and CMTMF) to benchmark our approach and validate the I3TM framework's unique contributions. One of the main limitations of our study lies in the need for periodic updates to the generated keywords. As IoT botnet attacks evolve, new keywords, tactics, and techniques must be continuously added. The keywords presented in this study, while drawn from existing attack literature, will require further updates based on real-time attack analyses. Furthermore, the limited number of keywords currently available might reduce objectivity until more data is accumulated, potentially influencing the consistency of analysis. Another limitation is the necessity to adjust the framework when encountering new attack methods, requiring the development of new keywords and tactics accordingly. Although we referenced additional tactics and techniques from MITRE ATT&CK, CMTMF, and the Bhadra Framework, continuous research into emerging attacks remains necessary to maintain the relevance of the I3TM framework. Additionally, we suggest using the framework to derive keywords that detect attacks objectively, minimizing analysts' subjective biases. Our analysis of the Medusa botnet through the I3TM framework demonstrated that we could identify seven key tactics used in the attack. Further studies are needed to explore log-based detections, refine fast and effective attack detection methods, and propose concrete countermeasures. In this paper, we introduced MITRE ATT&CK and D3FEND as potential countermeasures, but this remains an open research question requiring additional investigation. To the best of our knowledge, this study is the first to propose a threat modeling framework specifically tailored for IoT, marking a significant contribution to the field. Future work will focus on refining the framework and further validating it through real-world IoT attack scenarios.

6. Conclusion and future work

This paper presents a threat modeling framework for botnets targeting the IoT. In particular, we aim to provide a unified framework for analyzing security threats that target or use the IoT and present a methodology for applying the framework. Many touchpoints are connected when an attack against the IoT occurs, and much damage can be caused. After an attack is detected, a quick response is required to minimize the damage, and we aim to analyze common patterns and trends in attacks. In this paper, we propose an I3TM framework that derives keywords for detecting attacks when they occur and judges them from an objective rather than an analyst's subjective position. The keywords proposed in this paper are based on six cases of botnets before 2021 and other referenced documents and reports and should be continuously updated for additional attacks. The research on the response direction is currently proposed based on MITRE ATT&CK's Mitigation. Still, it remains an additional future work direction to respond to IoT. We also consider additional log-based detection analysis through the framework or specifying a fast and effective detection method when an attack is detected as additional research.

CRediT authorship contribution statement

Hojun Jin: Writing – review & editing, Writing – original draft, Project administration, Methodology, Investigation, Conceptualization. GyuHyun Jeon: Resources. Hee Won Aneka Choi: Writing – review & editing. Seungho Jeon: Writing – review & editing, Validation, Supervision. Jung Taek Seo: Validation, Supervision.

Declaration of competing interest

The authors declare the following financial interests/personal relationships which may be considered as potential competing interests:Jung Taek Seo reports financial support was provided by institute for information and communication technology planning and evaluation. - This work was supported by Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No.2021-0-00493, 5G Massive Next Generation Cyber Attack Deception Technology Development)

Jung Taek Seo reports financial support was provided the Korea Foundation of Nuclear Safety.- This work was supported by the Korea Foundation of Nuclear Safety (KoFONS) grant funded by the Nuclear Safety and Security Commission (NSSC) of the Republic of Korea (RS-2021-KN051410, Development of cyber incident response assessment technology for critical digital assets of nuclear power plant).

Appendix A. Threat Modeling Framework Keyword-Based Metrics

Table A1 shows the keywords applicable to the I3TM framework in this thesis as objective metrics for Tactic. The keywords are derived from papers, reports, etc. This indicator extracts the keywords that applied the attack analyzed report based on the attack cases before 2021, and newly generated keywords should be added through additional attacks or cases.

Table. A1.

Keyword-based Threat Modeling Framework

	Tactics	Techniques	Keyword					Ref	Identifier
Attack Mounting	Reconnaissance	Active scanning	Scan	Random	Scanning IP blocks	Vulnerability scanning	Wordlist scanning	[[88], [89], [90], [91], [92]]	[A-1]
		Passive scanning	Dictionary attack	Shodan	Censys (ZMap)	Masscan		[37,93,94]	[A-2]
		Gather UE identity information	Identity	Credentials	Personal and business accounts	E-mail addresses	Employee names	[[95], [96], [97], [98], [99]]	[A-3]
		Gather UE network information	Administrative data	Network domain	Gather DNS	Network trust dependencies	Network topologies	[88,[100], [101], [102], [103], [104]]	[A-4]
			IP addresses	Network security appliances
		Phishing information	Phishing	Spearphishing	Instant messages	Spearphishing messages	Spearphishing service	[42,[105], [106], [107]]	[A-5]
			Spearphishing attachment	Spearphishing link	Malicious link	Malicious attachment
		Social media information	Social engineering	Phishing	Social media platform	Public information		[108,109]	[A-6]
	Resource development	Develop capabilities	Develop capabilities exploits	Malware	Malware components	Payloads	Droppers	[[110], [111], [112], [113]]	[B-1]
			Post-compromise tools	Backdoors	Packers	Code signing certificates	Self-signed SSL/TLS certificates
			Develop exploits
		Obtain capabilities	Download	Purchase	Opensource	Cracked	Steal	[111,114,115]	[B-2]
		Stage capabilities	Upload/Install/Set up capabilities (upload malware/tool)	Install SSL/TLS certificates	Drive-by target (Drive-by download)	Malicious link	Influence search engine optimization (SEO)	[119]	[B-3]
			SEO poisoning
		Compromise accounts	Compromise accounts	Brute forcing credentials	Credential dumps	Social media accounts	Email accounts	[45,[120], [121], [122], [123], [124]]	[B-4]
			Cloud accounts
	Infection Section	Router access	Wi-Fi	IEEE 802.11	Wired LAN	Wireless router		[[125], [126], [127]]	[C-1]
		Smart phone/APP access	Market	Android	IOS	System apps	APK	[[128], [129], [130]]	[C-2]
		Removable media access	USB	Sd card				[50,131]	[C-3]
	Initial Access	Exploit public facing application	Internet-facing computer	Advantage of a weakness	Glitch	Design vulnerability	Escape to host	[[132], [133], [134], [135]]	[D-1]
			Web server
		Install insecure or malicious	Install insecure configuration	Install malicious configuration				[136,137]	[D-2]
		Masquerade as legitimate application	Masquerading	Masquerade	App stores	Legitimate application		[[138], [139], [140]]	[D-3]
		Exploit through removable media	Charging station	USB connect	Intercepting (calls)	Network traffic	Device physical location	[[141], [142], [143], [144], [145]]	[D-4]
			Radio interface	SMS parser	Vulnerable SIM cards
		Insider attacks and human errors	Intentional attacks	Unintentional mistakes	Insiders	Insiders bring	Former employees	[11,146,147]	[D-5]
			Whistleblowers
		Firmware overwrite	Firmware (update)	Overwrite	Boot	Replacement attack		[[148], [149], [150]]	[D-6]
AttackExecution	Process execution	Scheduled task	At	Cron	Launched	Scheduled task	System timers	[50,[151], [152], [153], [154]]	[E−1]
			Container orchestration job
		Command-line interface	CMD					[234]	[E−2]
		NodeB component manipulation	NodeB	3G				[235]	[E−3]
		eNodeB component manipulation	eNodeB	4G	LTE			[236]	[E−4]
		gNodeB component manipulation	gNodeB	5G	NR			[237]	[E−5]
	Persistence	Boot or logon autostart execution	Autostart	Autoplay	Autorun	Logon	Boot	[140,155,156]	[F-1]
		Foreground persistence	Startforeground					[238]	[F-2]
	Privilege escalation	Code injection	DLL injection	Portable executable injection	Hijacking	Asynchronous procedure call injection	TLS callback	[132,[157], [158], [159], [160], [161], [162], [163]]	[G-1]
			Proc memory	Extra window memory injection	Process hollowing	List planting
		Stealing protocol information	Protocol impersonation	Protocol tunneling	Application layer protocol	ARP	DNS	[[164], [165], [166], [167], [168], [169]]	[G-2]
			FTP	IMAP	POP3	SIP	SMB
			SMTP	SNMP	SSH	Telnet	VNC
		Stealing the key	Encryption key					[170]	[G-3]
		Stealing a certificate	Digital certification					[171]	[G-4]
	Defense evasion	Masquerading	Invalid code signature	Right-to-left override	Rename system utilities	Masquerade task or service	Match legitimate name or location	[53,[172], [173], [174], [175], [176], [177]]	[H-1]
			Space after filename	Double file extension	Rename
		Disguise root/jailbreak indicators	Rooting	Jailbreak				[178,179]	[H-2]
		Evade analysis environment	System checks	Virtualization /Sandbox evasion				[180,181]	[H-3]
		Obfuscated files or information	Binary padding	Software packing	Steganography	Compile after delivery	Indicator removal from tools	[[182], [183], [184], [185], [186], [187], [188], [189], [190]]	[H-4]
			HTML smuggling	Dynamic API resolution	Stripped payloads	Embedded payloads
		Geofencing	GPS	LBS	Geographic			[191,192]	[H-5]
		Shutdown remote device	System restart	System shutdown	Device restart	Device shutdown		[[193], [194], [195], [196]]	[H-6]
	Credential access	Uniform resource identifier hijacking	Token	Hijacking	URI			[132,197]	[I-1]
		Access sensitive data in device logs	READ_LOGS					[239]	[I-2]
	Discovery	System network connections discovery	Netstat	State	WIFI info	Internet connection discovery		[[198], [199], [200], [201]]	[J-1]
		UE knocking	Knocking					[240]	[J-2]
		Gather victim host information: internal resource search	Victim					[241]	[J-3]
	Lateral Movement	Adversary in the middle attack	Transmitted data manipulation	AitM				[53,202,203]	[K-1]
		Abusing interworking functionalities	IoT application					[242]	[K-2]
		Replication through SMS	SMS					[204]	[K-3]
		Replication through Bluetooth	Bluetooth					[204]	[K-4]
		Replication through WLAN	WLAN					[205]	[K-5]
		Replication through IP	IP					[206]	[K-6]
	Collection	Collect critical data access from device logs	Log						[L-1]
		Collect network traffic capture	Packet	Network traffic					[L-2]
	Command and Control	Application layer protocol	Web Protocols					[51]	[M − 1]
		Communication via Bluetooth	Bluetooth					[243]	[M − 2]
		Communication via WLAN	WLAN					[244]	[M − 3]
Attack Result	Exfiltration	Automated exfiltration	Traffic duplication	C&C	Alternative protocol	Traffic mirroring		[132,207,208]	[N-1]
		Data encrypted	Ransomware	Decryption key				[209,210]	[N-2]
		Alternate network mediums	Out of band data	Evading network traffic monitoring				[211]	[N-3]
	Impact	Data manipulation	Stored data manipulation	Transmitted data manipulation	Runtime data manipulation			[53]	[O-1]
		Endpoint DoS	OS exhaustion flood	Service exhaustion flood	Application exhaustion flood	Application or system exploitation		[132,196,212,213]	[O-2]
		Generate traffic from victim	Mobile manipulate external outcome	Carrier billing fraud	Fraudulent ads	General web traffic		[[214], [215], [216]]	[O-3]
		Jamming or DoS	Degrade resources	Block resources	Device restart/shutdown	Reaction to other events		[[217], [218], [219]]	[O-4]
		Location tracking	Remote device management services	Track the location of mobile	Impersonate SS7 nodes	Lack of authentication in signaling system network nodes		[220]	[O-5]
	5G Service	Smart home	Resource constraints	Absence of authentication method				[221]	[P-1]
		Smart factory	Machine to machine (M2M) communication	Lack of security monitoring by access point name (APN)				[222]	[P-2]
		Digital healthcare	Hacking protected health information (PHI)					[226]	[P-3]
		Smart vehicle	Traceability attack	User impersonation attack	Fails to support session key establishment	Fails to provide third party authentications		[224,225]	[P-4]
		Besides that, etc.	Smart energy	Delivery	Agriculture			[245]	[P-5]
	Legacy Mobile Telecommunication Network	Legacy mobile telecommunication network	Distributed and uncoordinated security mechanisms	Lack of adaptation	Overprovisioned security mechanisms	Vulnerability to IP-based attacks		[226]	[Q-1]
		5G vertical Provider	Network function virtualization (NFV) and network slicing	Management and orchestration software				[227]	[Q-2]
		Internet service provider	Difficulty with network address and port translation (NAPT)	Multiple attacks allowing remote code execution	ISP			[228,246]	[Q-3]
	Type of botnet	IRC botnet	Agobot	Botmaster controlled horizontal and vertical scanning	TCP	IRC		[81,229]	[R-1]
		P2P botnet	Centralized control	Blackbox techniques.	UDP			[48,230]	[R-2]
		HTTP botnet	Encrypted communication channel	HTTP				[231,232]	[R-3]
		DGA botnet	Evade IPS	Whitelist	Blacklist	DGA		[82,233]	[R-4]
		Wireless botnet	Access points	Wireless DoS (WDoS)	MAC vulnerabilities	Wireless		[85]	[R-5]