Abstract
As the use of mobile devices spreads dramatically, hackers have started making use of mobile botnets to steal user information or perform other malicious attacks. To address this problem, in this paper we propose a mobile botnet detection system, called MBotCS. MBotCS can detect mobile device traffic indicative of the presence of a mobile botnet based on prior training using machine learning techniques. Our approach has been evaluated using real mobile device traffic captured from Android mobile devices, running normal apps and mobile botnets. In the evaluation, we investigated the use of 5 machine learning classifier algorithms and a group of machine learning box algorithms with different validation schemes. We have also evaluated the impact of our approach on the overall performance and battery consumption of mobile devices.
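The abstract describes training classifiers on captured device traffic and validating them under different schemes; the note below adds that traffic is keyed by a per-TCP-conversation stream index. The following is an added illustration, not code from the paper or the MBotCS system: it aggregates constructed packet records into one feature vector per stream index (packet count, bytes, duration, mean inter-arrival time), classifies conversations with a hand-written k-nearest-neighbour classifier, and scores it with leave-one-out validation. The packet records, the feature set, the "normal"/"botnet" labels and the choice of k-NN are all assumptions made for the example, not the paper's features or results.

```python
"""Per-TCP-conversation feature extraction and k-NN classification of
mobile traffic, with leave-one-out validation (added illustrative code)."""
from collections import defaultdict
from math import sqrt

# Constructed packet records: (stream index, timestamp in seconds, payload bytes).
# The stream index identifies one TCP conversation, as in the paper's note.
PACKETS = [
    # streams 1-3: short, bulky transfers (labelled "normal" here by assumption)
    (1, 0.00, 1400), (1, 0.05, 1400), (1, 0.10, 1400), (1, 0.15, 1400), (1, 0.20, 600),
    (2, 10.00, 1400), (2, 10.03, 1400), (2, 10.08, 1400), (2, 10.12, 900),
    (3, 20.00, 1400), (3, 20.04, 1400), (3, 20.09, 1400), (3, 20.13, 1400),
    (3, 20.18, 1400), (3, 20.25, 800),
    # streams 4-6: small, evenly spaced packets over minutes (labelled "botnet")
    (4, 0.0, 80), (4, 30.0, 80), (4, 60.0, 80), (4, 90.0, 80), (4, 120.0, 80), (4, 150.0, 80),
    (5, 5.0, 90), (5, 35.0, 90), (5, 65.0, 90), (5, 95.0, 90), (5, 125.0, 90),
    (6, 12.0, 70), (6, 42.0, 70), (6, 72.0, 70), (6, 102.0, 70), (6, 132.0, 70),
    (6, 162.0, 70), (6, 192.0, 70),
]
# Constructed ground-truth labels per stream (an assumption for this example).
LABELS = {1: "normal", 2: "normal", 3: "normal", 4: "botnet", 5: "botnet", 6: "botnet"}


def stream_features(packets):
    """Aggregate packets by stream index into one feature vector per conversation:
    [packet count, total bytes, duration, mean inter-arrival time]."""
    by_stream = defaultdict(list)
    for stream, ts, size in packets:
        by_stream[stream].append((ts, size))
    features = {}
    for stream, pkts in by_stream.items():
        pkts.sort()
        times = [t for t, _ in pkts]
        count = len(pkts)
        duration = times[-1] - times[0]
        mean_iat = duration / (count - 1) if count > 1 else 0.0
        features[stream] = [float(count), float(sum(s for _, s in pkts)), duration, mean_iat]
    return features


def fit_minmax(vectors):
    """Per-feature min and max learned from the training vectors only,
    so the held-out conversation never leaks into the scaling."""
    dims = len(vectors[0])
    lo = [min(v[i] for v in vectors) for i in range(dims)]
    hi = [max(v[i] for v in vectors) for i in range(dims)]
    return lo, hi


def scale(vec, lo, hi):
    return [(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(vec, lo, hi)]


def knn_predict(train, query, k=3):
    """Majority vote among the k nearest (Euclidean) scaled training vectors."""
    lo, hi = fit_minmax([v for v, _ in train])
    q = scale(query, lo, hi)
    dists = sorted(
        (sqrt(sum((a - b) ** 2 for a, b in zip(scale(v, lo, hi), q))), label)
        for v, label in train
    )
    votes = defaultdict(int)
    for _, label in dists[:k]:
        votes[label] += 1
    return max(votes, key=votes.get)


def leave_one_out_accuracy(features, labels, k=3):
    """Hold out each conversation in turn, train on the rest, score the prediction."""
    hits = 0
    for held in features:
        train = [(features[s], labels[s]) for s in features if s != held]
        if knn_predict(train, features[held], k) == labels[held]:
            hits += 1
    return hits / len(features)


if __name__ == "__main__":
    feats = stream_features(PACKETS)
    for s, f in sorted(feats.items()):
        print(s, LABELS[s], f)
    print("leave-one-out accuracy:", leave_one_out_accuracy(feats, LABELS))
```

On real captures the per-stream vectors would come from a packet decoder rather than the inline list, and the scaler and classifier would be fitted on each training fold exactly as done here, since fitting them on the full data set before validation inflates the reported accuracy.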
Notes
1. Stream index is a number applied to each TCP conversation seen in the traffic file.
© 2016 Springer International Publishing Switzerland
Cite this paper
Meng, X., Spanoudakis, G. (2016). MBotCS: A Mobile Botnet Detection System Based on Machine Learning. In: Lambrinoudakis, C., Gabillon, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2015. Lecture Notes in Computer Science, vol 9572. Springer, Cham. https://doi.org/10.1007/978-3-319-31811-0_17
DOI: https://doi.org/10.1007/978-3-319-31811-0_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31810-3
Online ISBN: 978-3-319-31811-0