Biblio

Filters: Author is Fukuda, Kensuke
2019-04-05
Mongkolluksamee, Sophon, Visoottiviseth, Vasaka, Fukuda, Kensuke.  2018.  Robust Peer to Peer Mobile Botnet Detection by Using Communication Patterns. Proceedings of the Asian Internet Engineering Conference. :38-45.

Botnet on a mobile platform is one of the severe problems for the Internet security. It causes damages to both individual users and the economic system. Botnet detection is required to stop these damages. However, botmasters keep developing their botnets. Peer-to-peer (P2P) connection and encryption are used in the botnet communication to avoid the exposure and takedown. To tackle this problem, we propose the P2P mobile botnet detection by using communication patterns. A graph representation called "graphlet" is used to capture the natural communication patterns of a P2P mobile botnet. The graphlet-based detection does not violate the user privacy, and is also effective with encrypted traffic. Furthermore, a machine learning technique with graphlet-based features can detect the P2P mobile botnet even when it runs simultaneously with other applications such as Facebook, Line, Skype, YouTube, and Web. Moreover, we employ the Principal Components Analysis (PCA) to analyze graphlet's features to leverage the detection performance when the botnet coexists with dense traffic such as Web traffic. Our work focuses on the real traffic of an advanced P2P mobile botnet named "NotCompatible.C". The detection performance shows high F-measure scores of 0.93, even when sampling only 10% of traffic in a 3-minute duration.

2019-01-16
Dao, Ha, Mazel, Johan, Fukuda, Kensuke.  2018.  Understanding Abusive Web Resources: Characteristics and Counter-measures of Malicious Web Resources and Cryptocurrency Mining. Proceedings of the Asian Internet Engineering Conference. :54–61.

Web security is a big concern in the current Internet; users may visit websites that automatically download malicious codes for leaking user's privacy information, or even mildly their web browser may help for someone's cryptomining. In this paper, we analyze abusive web resources (i.e. malicious resources and cryptomining) crawled from the Alexa Top 150,000 sites. We highlight the abusive web resources on Alexa ranking, TLD usage, website geolocation, and domain lifetime. Our results show that abusive resources are spread in the Alexa ranking, websites particularly generic Top Level Domain (TLD) and their recently registered domains. In addition, websites with malicious resources are mainly located in China while cryptomining is located in the USA. We further evaluate possible counter-measures against abusive web resources. We observe that ad or privacy block lists are ineffective to block against malicious resources while coin-blocking lists are powerful enough to mitigate in-browser cryptomining. Our observations shed light on a little studied, yet important, aspect of abusive resources, and can help increase user awareness about the malicious resources and drive-by mining on web browsers.

2017-05-19
Fontugne, Romain, Mazel, Johan, Fukuda, Kensuke.  2016.  Characterizing Roles and Spatio-Temporal Relations of C&C Servers in Large-Scale Networks. Proceedings of the 2016 ACM International on Workshop on Traffic Measurements for Cybersecurity. :12–23.

Botnets are accountable for numerous cybersecurity threats. A lot of effort has been dedicated to botnet intelligence, but botnets' versatility and rapid adaptation make them particularly difficult to outwit. Prompt countermeasures require effective tools to monitor the evolution of botnets. Therefore, in this paper we analyze 5 months of traffic from different botnet families, and propose an unsupervised clustering technique to identify the different roles assigned to C&C servers. This technique allows us to classify servers with similar behavior and effectively identify bots contacting several servers. We also present a temporal analysis method that uncovers synchronously activated servers. Our results characterize 6 C&C server roles that are common to various botnet families. In the monitored traffic we found that servers are usually involved in a specific role, and we observed a significant number of C&C servers scanning the Internet.