Spotting the bot on the move

Researchers in Brazil and Portugal are developing machine-learning tools to detect botnets, networks of compromised devices, running on mobile phones. They give details in the International Journal of Security and Networks.

A botnet is an ad hoc network of Internet-connected devices whose control has been taken over, usually for malicious purposes. A botnet controller will often use the network to carry out a distributed denial-of-service (DDoS) attack on another system, which might then allow them to gain access to the upper echelons of a corporate network, government computers, or other important data stores. A botnet can also be used to steal data from organizations or individuals, to send spam, and to carry out phishing attacks that compromise many users’ email accounts, bank websites, and more.

Mobile Internet devices such as smartphones and tablets are now almost ubiquitous, and so have become common targets for those who want to exploit their vulnerabilities for criminal or malicious ends by surreptitiously recruiting them into a botnet. Staying ahead of the malware, so that devices are protected from attack and from being taken over, requires sophisticated defence technology.

The Brazilian team has found that it can detect botnet activity with a performance of some 84% based on the similarity of the “system calls” made by different pieces of malware that would otherwise exploit a mobile device. The machine-learning model needs to examine only 19 features of putative botnet behaviour, which makes it much faster than the prototype algorithm, which needed 133 parameters. This means that the presence of a botnet can be detected within a second and blocked very quickly by associated protective software on the device, before any real damage is done.
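As an added illustration (not code from the paper or its authors), the Python sketch below shows the shape of such a detector: each trace becomes a system-call frequency vector, only a few of the most class-discriminating calls are kept, and a new trace is labelled by its similarity to the benign and botnet centroids. The traces, labels, the bot-like call mix and the mean-difference feature score are all constructed assumptions, not the paper's dataset or selection method.

```python
# Added illustration, not the paper's code: a minimal system-call similarity
# detector. (1) trace -> call-frequency vector, (2) keep the k most
# discriminative calls, (3) label a trace by cosine similarity to centroids.
from collections import Counter
from math import sqrt

# Constructed strace-style traces (label 0 = benign, 1 = bot-like). The bot
# samples poll a command-and-control server in a loop; purely illustrative.
TRACES = {
    "benign_mail": ("open read read write close mmap munmap gettimeofday read close", 0),
    "benign_game": ("mmap read ioctl ioctl write futex futex read ioctl close", 0),
    "bot_sample_1": ("socket connect sendto recvfrom recvfrom socket connect sendto nanosleep recvfrom", 1),
    "bot_sample_2": ("socket connect recvfrom sendto nanosleep socket connect sendto recvfrom close", 1),
}

def syscall_vector(trace):
    """Normalised frequency of each system call name in one trace."""
    counts = Counter(trace.split())
    total = sum(counts.values())
    return {call: n / total for call, n in counts.items()}

def select_features(vectors, labels, k):
    """Keep the k calls whose mean frequency differs most between classes.
    This simple filter score is an assumption standing in for real selection."""
    def score(call):
        per_class = {0: [], 1: []}
        for v, y in zip(vectors, labels):
            per_class[y].append(v.get(call, 0.0))
        return abs(sum(per_class[1]) / len(per_class[1]) - sum(per_class[0]) / len(per_class[0]))
    calls = sorted({c for v in vectors for c in v})  # alphabetical tie-break
    return sorted(calls, key=score, reverse=True)[:k]

def centroid(vectors, features):
    return [sum(v.get(f, 0.0) for v in vectors) / len(vectors) for f in features]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def train(traces, k):
    """Return the selected call names and one centroid per class."""
    vectors = [syscall_vector(t) for t, _ in traces.values()]
    labels = [y for _, y in traces.values()]
    feats = select_features(vectors, labels, k)
    cents = {y: centroid([v for v, l in zip(vectors, labels) if l == y], feats) for y in (0, 1)}
    return feats, cents

def classify(trace, feats, cents):
    """1 if closer to the botnet centroid, else 0; a trace using none of the
    selected calls scores 0 against both and falls back to benign (0)."""
    x = [syscall_vector(trace).get(f, 0.0) for f in feats]
    return max(cents, key=lambda y: cosine(x, cents[y]))
```

Reducing the feature set (here to k=4 of the calls seen) is what keeps the per-trace vector small and the comparison cheap, which is the property the 19-feature result above relies on.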

Turrisi da Costa, V.G., Barbon Jr., S., Miani, R.S., Rodrigues, J.J.P.C. and Zarpelão, B.B. (2019) ‘Mobile botnets detection based on machine learning over system calls’, Int. J. Security and Networks, Vol. 14, No. 2, pp. 103–118.