Host based detection of advanced MiniDuke style bots in smartphones through user profiling

Vishnu Teja Kilari, Guoliang Xue, Lingjun Li

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

One of the latest trends of realizing innovative Command and Control (C&C) channels involves leveraging Online Social Networks (OSNs) as a C&C channel. The number of botnets targeting smartphones and the sophistication of those botnets have progressively increased. Due to their mobility, smartphones connect to a variety of networks, which makes network centric detection of botnets in smartphones harder. This paper approaches the problem of detecting bot traffic from a host based detection perspective. In this paper, we first propose an innovative C&C that leverages "public information" in OSNs combined with a Username Generation Algorithm. We then propose a new system to detect the bots that leverage the above mentioned type of C&C channel. Our insight is that the user generated web traffic on the smartphones will be significantly different from the requests made by the bots that leverage OSNs as a C&C channel. Our approach involves building a profile of the smartphone user based on his web usage and then comparing that profile to subsequent usage to detect anomalous behavior. The Preprocessing phase clusters the web usage based on domains and extracts relevant features. In the next step, we use a classification algorithm to build the user profile and assign a score of mismatch to the domains compared to the user behavior. If the score crosses a threshold, then the traffic to that domain is perceived to be different from normal user traffic to that domain and the user will be notified. Based on his response, the model will be updated to incorporate the change into it. We implemented a prototype bot and detection system and evaluated it on real-world user traffic. Our system reports an accuracy of 76%, with a false positive rate of less than 1%.

Original language: English (US)
Title of host publication: 2015 IEEE Global Communications Conference, GLOBECOM 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Print): 9781479959525
DOI: https://doi.org/10.1109/GLOCOM.2014.7417011
State: Published - Feb 23 2016
Event: 58th IEEE Global Communications Conference, GLOBECOM 2015 - San Diego, United States
Duration: Dec 6 2015 to Dec 10 2015

Other

Other: 58th IEEE Global Communications Conference, GLOBECOM 2015
Country: United States
City: San Diego
Period: 12/6/15 to 12/10/15

Fingerprint

  • Smartphones
  • traffic
  • social network
  • mismatch
  • Botnet
  • trend

Keywords

  • Botnets
  • Host based detection
  • Smartphones

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Electrical and Electronic Engineering
  • Communication

Cite this

Kilari, V. T., Xue, G., & Li, L. (2016). Host based detection of advanced MiniDuke style bots in smartphones through user profiling. In 2015 IEEE Global Communications Conference, GLOBECOM 2015 [7417011] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/GLOCOM.2014.7417011

@inproceedings{c3bba110d3ba47eb97d8eaefadb7a85d,
title = "Host based detection of advanced MiniDuke style bots in smartphones through user profiling",
keywords = "Botnets, Host based detection, Smartphones",
author = "Kilari, {Vishnu Teja} and Guoliang Xue and Lingjun Li",
year = "2016",
month = "2",
day = "23",
doi = "10.1109/GLOCOM.2014.7417011",
language = "English (US)",
isbn = "9781479959525",
booktitle = "2015 IEEE Global Communications Conference, GLOBECOM 2015",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - GEN

T1 - Host based detection of advanced MiniDuke style bots in smartphones through user profiling

AU - Kilari, Vishnu Teja

AU - Xue, Guoliang

AU - Li, Lingjun

PY - 2016/2/23

Y1 - 2016/2/23

KW - Botnets

KW - Host based detection

KW - Smartphones

UR - http://www.scopus.com/inward/record.url?scp=84964859673&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84964859673&partnerID=8YFLogxK

U2 - 10.1109/GLOCOM.2014.7417011

DO - 10.1109/GLOCOM.2014.7417011

M3 - Conference contribution

AN - SCOPUS:84964859673

SN - 9781479959525

BT - 2015 IEEE Global Communications Conference, GLOBECOM 2015

PB - Institute of Electrical and Electronics Engineers Inc.

ER -