Biblio

Over the past few years, botnets have emerged as one of the most serious cybersecurity threats faced by individuals and organizations. After infecting millions of servers and workstations worldwide, botmasters have started to develop botnets for mobile devices. Mobile botnets use different mediums to communicate with their botmasters. Although significant research has been done to detect mobile botnets that use the Internet as their command and control (C&C) channel, little research has investigated SMS botnets per se. In order to fill this gap, in this paper, we first divide SMS botnets based on their characteristics into three families, namely, info stealer, SMS stealer, and SMS spammer. Then, we propose SMSBotHunter, a novel anomaly detection technique that detects SMS botnets using textual and behavioral features and one-class classification. We experimentally evaluate the detection performance of SMSBotHunter by simulating the behavior of human users and SMS botnets. The experimental results demonstrate that most of the SMS messages sent or received by info stealer and SMS spammer botnets can be detected using textual features exclusively. It is also revealed that behavioral features are crucial for the detection of SMS stealer botnets and will improve the overall detection performance.

A botnet in mobile networks is a collection of compromised nodes due to mobile malware, which are able to perform coordinated attacks. Different from Internet botnets, mobile botnets do not need to propagate using centralized infrastructures, but can keep compromising vulnerable nodes in close proximity and evolving organically via data forwarding. Such a distributed mechanism relies heavily on node mobility as well as wireless links, therefore breaks down the underlying premise in existing epidemic modeling for Internet botnets. In this paper, we adopt a stochastic approach to study the evolution and impact of mobile botnets. We find that node mobility can be a trigger to botnet propagation storms: the average size (i.e., number of compromised nodes) of a botnet increases quadratically over time if the mobility range that each node can reach exceeds a threshold; otherwise, the botnet can only contaminate a limited number of nodes with average size always bounded above. This also reveals that mobile botnets can propagate at the fastest rate of quadratic growth in size, which is substantially slower than the exponential growth of Internet botnets. To measure the denial-of-service impact of a mobile botnet, we define a new metric, called last chipper time, which is the last time that service requests, even partially, can still be processed on time as the botnet keeps propagating and launching attacks. The last chipper time is identified to decrease at most on the order of 1/√B, where B is the network bandwidth. This result reveals that although increasing network bandwidth can help with mobile services; at the same time, it can indeed escalate the risk for services being disrupted by mobile botnets.