DocumentCode :
3753123
Title :
Host Based Detection of Advanced MiniDuke Style Bots in Smartphones through User Profiling
Author :
Vishnu Teja Kilari;Guoliang Xue;Lingjun Li
Author_Institution :
Arizona State Univ., Tempe, AZ, USA
fYear :
2015
Firstpage :
1
Lastpage :
6
Abstract :
One of the latest trends of realizing innovative Command and Control (C&C) channels involves leveraging Online Social Networks (OSNs) as a C&C channel. The number of botnets targeting smartphones and the sophistication of those botnets have progressively increased. Due to their mobility, smartphones connect to a variety of networks, which makes network-centric detection of botnets in smartphones harder. This paper approaches the problem of detecting bot traffic from a host-based detection perspective. In this paper, we first propose an innovative C&C that leverages "public information" in OSNs combined with a Username Generation Algorithm. We then propose a new system to detect the bots that leverage the above-mentioned type of C&C channel. Our insight is that the user-generated web traffic on the smartphones will be significantly different from the requests made by the bots that leverage OSNs as a C&C channel. Our approach involves building a profile of the smartphone user based on his web usage and then comparing that profile to subsequent usage to detect anomalous behavior. The Preprocessing phase clusters the web usage based on domains and extracts relevant features. In the next step, we use a classification algorithm to build the user profile and assign a score of mismatch to the domains compared to the user behavior. If the score crosses a threshold, then the traffic to that domain is perceived to be different from normal user traffic to that domain and the user will be notified. Based on his response, the model will be updated to incorporate the change into it. We implemented a prototype bot and detection system and evaluated it on real-world user traffic. Our system reports an accuracy of 76%, with a false positive rate of less than 1%.
Keywords :
"Smart phones","Uniform resource locators","Twitter","Servers","Prototypes"
Publisher :
IEEE
Conference_Titel :
Global Communications Conference (GLOBECOM), 2015 IEEE
Type :
conf
DOI :
10.1109/GLOCOM.2015.7417011
Filename :
7417011
Link To Document :