Biblio
Botnet on a mobile platform is one of the severe problems for the Internet security. It causes damages to both individual users and the economic system. Botnet detection is required to stop these damages. However, botmasters keep developing their botnets. Peer-to-peer (P2P) connection and encryption are used in the botnet communication to avoid the exposure and takedown. To tackle this problem, we propose the P2P mobile botnet detection by using communication patterns. A graph representation called "graphlet" is used to capture the natural communication patterns of a P2P mobile botnet. The graphlet-based detection does not violate the user privacy, and also effective with encrypted traffic. Furthermore, a machine learning technique with graphlet-based features can detect the P2P mobile botnet even it runs simultaneously with other applications such as Facebook, Line, Skype, YouTube, and Web. Moreover, we employ the Principal Components Analysis (PCA) to analyze graphlet's features to leverage the detection performance when the botnet coexists with dense traffic such as Web traffic. Our work focuses on the real traffic of an advanced P2P mobile botnet named "NotCompatible.C". The detection performance shows high F-measure scores of 0.93, even when sampling only 10% of traffic in a 3-minute duration.
Botnets are accountable for numerous cybersecurity threats. A lot of efforts have been dedicated to botnet intelligence, but botnets versatility and rapid adaptation make them particularly difficult to outwit. Prompt countermeasures require effective tools to monitor the evolution of botnets. Therefore, in this paper we analyze 5 months of traffic from different botnet families, and propose an unsupervised clustering technique to identify the different roles assigned to C&C servers. This technique allows us to classify servers with similar behavior and effectively identify bots contacting several servers. We also present a temporal analysis method that uncovers synchronously activated servers. Our results characterize 6 C&C server roles that are common to various botnet families. In the monitored traffic we found that servers are usually involved in a specific role, and we observed a significant number of C&C servers scanning the Internet.