Abstract
A new generation of botnets abuses popular social media like Twitter, Facebook, and YouTube as a Command and Control channel. This challenges the detection of Command and Control traffic, because traditional IDS approaches, based on statistical flow anomalies, protocol anomalies, payload signatures, and server blacklists, do not work in this case. In this paper we introduce a new detection mechanism that measures the causal relationship between network traffic and human activity, such as mouse clicks or keystrokes. Communication with social media that is not assignably caused by human activity is classified as anomalous. We explore this detection mechanism both theoretically and experimentally in a case study with Twitter.com as a Command and Control channel, and demonstrate successful real-time detection of botnet Command and Control traffic.
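The abstract describes the detection idea but not its parameters. The following Python sketch is an added illustration, not code from the paper or its authors: it labels each flow to a monitored social-media domain as human-caused only if the same endpoint recorded a mouse click or keystroke shortly before the flow started, and raises an alert for a host once enough flows remain unexplained. The causality window (5 s), the alert threshold (2 flows), the domain list, the event layout, and all sample timestamps are assumptions constructed for this example.

```python
"""Causality-based detection of social-media C&C traffic (added illustration).

Flows to monitored social-media domains count as "human" only if the endpoint
recorded a mouse click or keystroke shortly before the flow began.  The
causality window and the per-host alert threshold are assumptions made for
this example; the paper's abstract does not state its parameters.
"""
from bisect import bisect_right
from collections import Counter
from dataclasses import dataclass

MONITORED_DOMAINS = ("twitter.com", "facebook.com", "youtube.com")
CAUSALITY_WINDOW_S = 5.0   # assumed: input within 5 s before the flow explains it
ALERT_THRESHOLD = 2        # assumed: alert once a host has this many unexplained flows


@dataclass(frozen=True)
class Flow:
    t_start: float   # seconds since monitoring started
    src_host: str    # the monitored endpoint that opened the connection
    dst_host: str    # server name as seen in DNS, TLS SNI or the HTTP Host header


def is_monitored(dst_host: str) -> bool:
    """True if dst_host is one of the monitored social-media domains or a subdomain."""
    d = dst_host.lower().rstrip(".")
    return any(d == m or d.endswith("." + m) for m in MONITORED_DOMAINS)


def classify_flows(flows, input_events, window=CAUSALITY_WINDOW_S):
    """Label each flow to a monitored domain as 'human' or 'anomalous'.

    input_events maps a host name to the timestamps of its mouse clicks and
    keystrokes.  A flow is 'human' when the latest input event on the same
    host at or before the flow start lies within `window` seconds.  Input
    that arrives after the flow cannot have caused it and is not counted.
    """
    sorted_events = {h: sorted(ts) for h, ts in input_events.items()}
    labelled = []
    for f in flows:
        if not is_monitored(f.dst_host):
            continue
        events = sorted_events.get(f.src_host, [])
        i = bisect_right(events, f.t_start)  # events[:i] are <= t_start
        caused = i > 0 and (f.t_start - events[i - 1]) <= window
        labelled.append((f, "human" if caused else "anomalous"))
    return labelled


def hosts_to_alert(labelled, threshold=ALERT_THRESHOLD):
    """Return hosts whose number of unexplained social-media flows reaches the threshold."""
    counts = Counter(f.src_host for f, label in labelled if label == "anomalous")
    return sorted(h for h, n in counts.items() if n >= threshold)


# Constructed sample data (not from the paper).
SAMPLE_INPUT_EVENTS = {
    "ws-01": [100.0, 100.3, 221.0],
    "ws-02": [],
}
SAMPLE_FLOWS = [
    Flow(100.8, "ws-01", "twitter.com"),      # 0.8 s after a click: human
    Flow(101.2, "ws-01", "api.twitter.com"),  # same page load: human
    Flow(160.0, "ws-01", "twitter.com"),      # no input for a minute: anomalous
    Flow(220.0, "ws-01", "twitter.com"),      # click comes 1 s later: anomalous
    Flow(300.0, "ws-01", "example.org"),      # not a monitored domain: ignored
    Flow(500.0, "ws-02", "twitter.com"),      # host with no input at all: anomalous
]

if __name__ == "__main__":
    labelled = classify_flows(SAMPLE_FLOWS, SAMPLE_INPUT_EVENTS)
    for f, label in labelled:
        print(f"{f.t_start:7.1f} {f.src_host} -> {f.dst_host}: {label}")
    print("alert:", hosts_to_alert(labelled))
```

The per-host threshold is there because a single unexplained flow is weak evidence: background refreshes and prefetching also open connections without a click, so a deployment would tune the window and threshold against observed benign traffic before treating the label as an alert.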
© 2011 Springer-Verlag Berlin Heidelberg
Burghouwt, P., Spruit, M., Sips, H. (2011). Towards Detection of Botnet Communication through Social Media by Monitoring User Activity. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2011. Lecture Notes in Computer Science, vol 7093. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25560-1_9
DOI: https://doi.org/10.1007/978-3-642-25560-1_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25559-5
Online ISBN: 978-3-642-25560-1