SocialClymene: A negative reputation system for covert botnet detection in social networks

Online social networks, or simply social networks, are one of the most popular services on the Internet, providing a platform for users to interact, communicate, and collaborate with others, and they have attracted millions of active users. However, they are increasingly threatened by so-called covert social network botnets, a new generation of botnets that exploit social networks to establish covert command and control channels. Stego-botnets are typical covert social network botnets that use images shared on a social network to send the botmaster's commands and receive the information stolen from infected users. In this paper, we present SocialClymene, a PageRank-based negative reputation system to detect stego-botnets. At the heart of SocialClymene lies a negative reputation subsystem that analyzes images shared by social network users and calculates a negative reputation score for every user based on the user's history of participation in suspicious group activities. More precisely, the negative reputation score of every user is calculated as the sum of its incoming normalized suspicious values weighted by the negative reputation scores of its neighbors in a suspicious group activity graph. Our experimental results show that SocialClymene can efficiently detect stego-botnets with a high detection rate and an acceptably low false alarm rate.
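The score described above can be sketched as a PageRank-style iteration over a suspicious group activity graph. This is an added illustration, not the authors' implementation: the damping factor, the handling of users with no suspicious activity, the function name and the sample graph are all assumptions, since the abstract does not give the paper's exact normalization.

```python
def negative_reputation(users, suspicious, damping=0.85, tol=1e-9, max_iter=500):
    """PageRank-style negative reputation (assumed form, see lead-in).

    users      -- iterable of user ids
    suspicious -- {(a, b): s}: s > 0 is the suspicious value of group
                  activity shared by users a and b (undirected edge)
    """
    users = list(users)
    n = len(users)
    out = {u: {} for u in users}
    for (a, b), s in suspicious.items():
        if s <= 0 or a == b:
            raise ValueError("suspicious values must be positive, no self-loops")
        out[a][b] = out[a].get(b, 0.0) + s
        out[b][a] = out[b].get(a, 0.0) + s

    score = {u: 1.0 / n for u in users}
    for _ in range(max_iter):
        # Users with no suspicious edges spread their mass uniformly,
        # as dangling nodes do in PageRank, so scores keep summing to 1.
        dangling = sum(score[u] for u in users if not out[u])
        nxt = {u: (1 - damping) / n + damping * dangling / n for u in users}
        for u in users:
            total = sum(out[u].values())
            for v, s in out[u].items():
                # Incoming suspicious value, normalized by the sender's total
                # and weighted by the sender's own negative reputation.
                nxt[v] += damping * score[u] * s / total
        delta = sum(abs(nxt[u] - score[u]) for u in users)
        score = nxt
        if delta < tol:
            break
    return score


# Constructed sample: b1..b3 repeatedly share suspicious images with each
# other; u1 has one weak coincidental link to b1; u3 has none at all.
USERS = ["b1", "b2", "b3", "u1", "u2", "u3"]
SUSPICIOUS = {("b1", "b2"): 5, ("b1", "b3"): 5, ("b2", "b3"): 5,
              ("u1", "b1"): 1, ("u1", "u2"): 1}

if __name__ == "__main__":
    ranked = sorted(negative_reputation(USERS, SUSPICIOUS).items(),
                    key=lambda kv: kv[1], reverse=True)
    for user, r in ranked:
        print(f"{user}: {r:.4f}")
```

A detector built on such scores would flag users above a threshold; choosing that threshold is what trades detection rate against false alarms.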
