Towards Detection of Botnet Communication through Social Media by Monitoring User Activity

  • Pieter Burghouwt
  • Marcel Spruit
  • Henk Sips
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7093)


A new generation of botnets abuses popular social media like Twitter, Facebook, and YouTube as a Command and Control channel. This challenges the detection of Command and Control traffic, because traditional IDS approaches, based on statistical flow anomalies, protocol anomalies, payload signatures, and server blacklists, do not work in this case. In this paper we introduce a new detection mechanism that measures the causal relationship between network traffic and human activity, like mouse clicks or keyboard strokes. Communication with social media that is not assignably caused by human activity is classified as anomalous. We explore this detection mechanism both theoretically and experimentally in a case study, with as a Command and Control channel, and demonstrate successful real-time detection of botnet Command and Control traffic.
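The abstract's central idea, attributing each outbound social-media request to a preceding user input event and flagging the rest, can be sketched as a small offline correlator. The following is an added example written for this page, not code from the paper or its authors: the host list, the 2-second attribution window, the 0.5-second follow-up window for requests that a page load triggers itself, and the event log are all constructed assumptions, not the response times the paper measured.

```python
from bisect import bisect_right
from dataclasses import dataclass
from typing import List, Tuple

# Hosts whose traffic we treat as a potential social-media C&C channel (assumption).
SOCIAL_MEDIA_HOSTS = {"twitter.com", "api.twitter.com", "facebook.com", "youtube.com"}


@dataclass(frozen=True)
class Request:
    t: float    # seconds since start of capture
    host: str   # destination host of the outbound HTTP(S) request


def attribute_requests(user_events: List[float], requests: List[Request],
                       max_delay: float = 2.0, follow_window: float = 0.5
                       ) -> Tuple[List[Request], List[Request]]:
    """Split social-media requests into human-caused and anomalous.

    user_events : sorted timestamps (s) of mouse clicks / key strokes on the host
    requests    : outbound requests sorted by time
    max_delay   : assumed maximum delay between a user event and the request it causes
    follow_window: assumed window in which a request that follows an already
                   attributed request (e.g. an embedded resource) inherits its cause

    A user event that occurs *after* a request can never have caused it, so only
    events at or before the request time are considered.
    """
    human, anomalous = [], []
    last_attributed = None
    for r in requests:
        if r.host not in SOCIAL_MEDIA_HOSTS:
            continue  # other traffic is outside the scope of this detector
        i = bisect_right(user_events, r.t)           # number of events at or before r.t
        caused_by_user = i > 0 and (r.t - user_events[i - 1]) <= max_delay
        caused_by_followup = (last_attributed is not None
                              and (r.t - last_attributed) <= follow_window)
        if caused_by_user or caused_by_followup:
            human.append(r)
            last_attributed = r.t
        else:
            anomalous.append(r)
    return human, anomalous


def polling_intervals(anomalous: List[Request]) -> List[float]:
    """Gaps between consecutive anomalous requests; a bot polling its C&C account
    on a timer shows up as a run of near-identical intervals."""
    return [round(b.t - a.t, 3) for a, b in zip(anomalous, anomalous[1:])]


# Constructed sample capture: two browsing sessions by a user, plus a bot that
# polls twitter.com every 60 s regardless of what the user does.
USER_EVENTS = [10.0, 10.4, 45.2, 46.0, 120.3]
REQUESTS = [
    Request(10.3, "twitter.com"),       # 0.3 s after a click: human
    Request(10.6, "api.twitter.com"),   # follow-up of the page load: human
    Request(45.5, "facebook.com"),      # 0.3 s after a click: human
    Request(60.0, "twitter.com"),       # no event within 2 s: bot poll
    Request(90.0, "example.org"),       # not a social-media host: ignored
    Request(120.0, "twitter.com"),      # click comes 0.3 s *later*: still bot poll
    Request(180.0, "twitter.com"),      # bot poll
]


def run_demo() -> Tuple[List[float], List[float], List[float]]:
    human, anomalous = attribute_requests(USER_EVENTS, REQUESTS)
    return ([r.t for r in human], [r.t for r in anomalous], polling_intervals(anomalous))


if __name__ == "__main__":
    human_t, anomalous_t, gaps = run_demo()
    print("human-caused:", human_t)
    print("anomalous   :", anomalous_t)
    print("poll gaps   :", gaps)
```

The two windows are the tunable part: too short a `max_delay` turns slow page loads into false positives, too long a window lets a bot hide its poll behind a recent keystroke, which is exactly the evasion trade-off a deployment of this idea has to measure rather than guess.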


Keywords: Social Medium, Detectable Anomaly, Detection Mechanism, User Event, Measured Response Time





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Pieter Burghouwt, Delft University of Technology, The Netherlands
  • Marcel Spruit, Delft University of Technology, The Netherlands
  • Henk Sips, Delft University of Technology, The Netherlands
