The incorporation of the Internet of Things (IoT) into modern sociotechnical systems, alongside the rapid manufacturing of IoT devices with minimal embedded security, has significantly altered the cyber threat landscape. Consequently, modern cyberattacks now exploit compromised IoT devices to launch large-scale volumetric assaults or sophisticated advanced persistent threats (APTs) via carefully coordinated IoT botnets. Given the ever-changing structural dynamics of these botnets, tracking their activities presents significant challenges, since malicious actors frequently adapt and employ new evasion techniques to expand their networks. This study introduces BotPro, a novel open-source tool built on a data-driven framework that captures and attributes the behavioural characteristics of IoT botnets. BotPro integrates honeypot telemetry, CTI feeds, and Internet topology data to profile scanning, infection, and propagation patterns, to cluster payloads in order to identify malware variants, and to assess risk exposure at the Autonomous System (AS) level. Through a macroscopic measurement study spanning three years with 40 globally distributed honeypots covering 193 countries and 16K ASes, we show that BotPro can quantify the tolerance of ASes as a function of botnet scanning and propagation properties. Our clustering evaluation achieved a Silhouette score of 0.54 with low Davies–Bouldin index values, confirming the coherence and separation of identified botnet groups. Hence, our findings provide substantial context to security experts and network operators for effectively designing and implementing next-generation defence and mitigation measures against current and future IoT botnets.