Towards social botnet behavior detecting in the end host

Social botnets, which use online social networks (OSNs) as their command and control (C&C) channel, pose an enormous threat to Internet security. Server-side detection approaches mainly target suspicious accounts and cannot identify the specific bot hosts or processes. Host-side approaches target suspicious process behaviors, but they are not robust enough to cope with frequent variants and novel social bots. In this paper, we propose a novel approach to detecting social bot behavior in the end host. Because social bot binaries and source code are not easy to collect, we first design a novel social botnet, named wbbot, based on Sina Weibo, and analyze it from two aspects: wbbot architecture and wbbot behaviors. Second, we analyze the host behaviors of existing social botnets, which come from public websites, other researchers, and our implementations. We identify six critical phases: infection, pre-defined host behaviors, establishment of C&C, receipt of the botmaster's commands, execution of social bot commands, and return of the results. Third, we present our detection system, which consists of three components: host behavior monitor, host behavior analyzer, and detection approach. We present a behavior tree-based approach to detect social bots: after constructing the suspicious behavior tree, we match it against the template library to generate the detection result. Finally, we collect real-world social botnet traces to evaluate the performance. We would like to share them for academic research. The results indicate that our system has an acceptable false positive rate of 29.6% and a remarkable false negative rate of 4.5%. However, compared with other detection tools, our detection result is still remarkable.
