TY - GEN
T1 - Host based detection of advanced MiniDuke style bots in smartphones through user profiling
AU - Kilari, Vishnu Teja
AU - Xue, Guoliang
AU - Li, Lingjun
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015
Y1 - 2015
N2 - One of the latest trends in realizing innovative Command and Control (C&C) channels involves leveraging Online Social Networks (OSNs) as a C&C channel. The number of botnets targeting smartphones, and the sophistication of those botnets, have progressively increased. Due to their mobility, smartphones connect to a variety of networks, which makes network-centric detection of botnets in smartphones harder. This paper approaches the problem of detecting bot traffic from a host-based detection perspective. We first propose an innovative C&C channel that leverages "public information" in OSNs combined with a Username Generation Algorithm. We then propose a new system to detect bots that leverage this type of C&C channel. Our insight is that the user-generated web traffic on a smartphone will differ significantly from the requests made by bots that use OSNs as a C&C channel. Our approach builds a profile of the smartphone user based on his web usage and then compares that profile to subsequent usage to detect anomalous behavior. The preprocessing phase clusters the web usage by domain and extracts relevant features. In the next step, we use a classification algorithm to build the user profile and assign each domain a mismatch score relative to the user's behavior. If the score crosses a threshold, the traffic to that domain is considered different from the user's normal traffic to that domain and the user is notified. Based on his response, the model is updated to incorporate the change. We implemented a prototype bot and detection system and evaluated it on real-world user traffic. Our system reports an accuracy of 76%, with a false-positive rate of less than 1%.
KW - Botnets
KW - Host based detection
KW - Smartphones
UR - http://www.scopus.com/inward/record.url?scp=84964859673&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84964859673&partnerID=8YFLogxK
U2 - 10.1109/GLOCOM.2014.7417011
DO - 10.1109/GLOCOM.2014.7417011
M3 - Conference contribution
AN - SCOPUS:84964859673
T3 - 2015 IEEE Global Communications Conference, GLOBECOM 2015
BT - 2015 IEEE Global Communications Conference, GLOBECOM 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 58th IEEE Global Communications Conference, GLOBECOM 2015
Y2 - 6 December 2015 through 10 December 2015
ER -