BOTNET DETECTION
Presented By: Rubal Sagwal
Cyber Security
NIT, Kurukshetra
Motivation
• Botnets are one of the most severe cybersecurity threats faced by everyone today.
• Botnets have been the main vehicle for many of the cybercrimes reported in recent news.
• Up to 80% of Internet traffic consisted of botnet traffic related to spam e-mails originating from known botnets such as Grum, Cutwail and Rustock. Currently, a large botnet can comprise more than one million PCs launching cyber attacks.
• The FBI reported in 2013 that 10 international hackers were arrested for using botnets to steal more than $850 million through a group of compromised computers; they used people's personal financial information to steal that amount.
• Online social networks (OSNs) are even more vulnerable to social bots.
Table of Contents
1. Introduction
2. Types of attack
3. Most wanted bots
4. Life cycle of bots
5. Botnet topologies
6. Social bots
7. Types of social bot attack
8. Defensive technique
9. Conclusion
10. Future work
Background
Introduction – Types of Attacks – Most wanted Bots
INTRODUCTION
• A botnet is a network of compromised computers, called zombie computers or bots, under the control of a remote attacker.
• Botnets are large collections of geographically separate compromised machines that act as proxies to hide the actual location of the host.
• Botnets are one of the most significant threats to cybersecurity, as they are a launching pad for a number of illegal activities such as distributed denial of service (DDoS), click fraud, phishing, identity theft, spamming and malware distribution.
• A social botnet is a group of social bots under the control of a single bot-master, which work together to conduct malicious behavior while mimicking (copying) the interactions among normal OSN users to reduce their individual risk of being detected.
Types of Attack
• Distributed Denial of Service (DDoS) attacks
• Sending spam, viruses and spyware
• Phishing
• Stealing
• Click fraud
Most Wanted Bots
• Zeus: compromised 3.6 million U.S. computers.
• Koobface: compromised 2.9 million U.S. computers.
• TidServ: compromised 1.5 million U.S. computers.
• Trojan.Fakeavalert: compromised 1.4 million U.S. computers.
• R/Dldr.Agent.JKH: compromised 1.2 million U.S. computers.
Components of Botnet
Botmaster – C & C Server – Bot-Machine
[Diagram labels: Internet, Bot Master, C & C Server, Bot Machine / Robot, Victim Machine]
Bot-Master
• The bot master is the person who operates the botnet's command and control for remote process execution.
• The bot master can control the infected machines and send them commands without communicating with them directly.
• Moreover, botnet owners attempt to hide their communication with the bots to thwart any deployed botnet detection processes.
• Attackers or bot masters use DNS services to hide the IP address of their command and control (C&C) server, which makes the botnet reliable and easy to migrate from one server to another without being noticed.
Bot-Computer
• A bot-computer is a computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse and may be used to perform malicious tasks of one sort or another under remote direction.
• Botnets of bot-computers are often used to spread spam e-mail and launch denial-of-service attacks.
• A bot is a malicious program that performs various actions at a cybercriminal’s command.
Command and Control Server
• A command and control (C & C) server is a server used by cybercriminals (the bot-master) to send orders to bots and to receive reports from them.
• C & C servers may be either controlled directly by the malware operators or themselves run on hardware compromised by malware.
Botnet Life Cycle
[Diagram labels: Victim Machine, Bot Computer, C & C Server, Bot Master]
Botnet Topologies
1. Star topology
2. Hierarchical topology
3. P2P topology
SOCIAL BOTNET
Social Botnet
• A social botnet is a group of social bots under the control of a single bot-master, which work together to conduct malicious behavior while mimicking (copying) the interactions among normal OSN users to reduce their individual risk of being detected.
• For example, social bots on Twitter can follow others and retweet/answer others’ tweets. Since a skewed following/followers (FF) ratio is a typical feature for social bots on Twitter, maintaining a balanced FF ratio in the social botnet.
• Creating a social botnet is also fairly easy due to the open APIs published by OSN providers.
Security Threats
• A socialbot can pollute the targeted OSN with a large number of non-genuine social relationships.
• Second, once a socialbot infiltrates a targeted OSN, it can exploit its new position in the network to spread misinformation in an attempt to bias public opinion. For example, the Koobface botnet.
• It can also harvest private user data such as email addresses, phone numbers, and other personally identifiable information that has monetary value.
OSN Vulnerabilities
• Ineffective CAPTCHA
• Sybil accounts and fake profiles
• Exploitable platforms and APIs
[Figure: The Social-bot Network [4]. Labels: Bot Master, C & C channel, C & C Server, Online Social Network, Social Bots]
Social-Bot
• A social-bot is a type of bot that controls a social media account. Like all bots, a social-bot is automated software. The exact way a social-bot replicates depends on the social network, but unlike a regular bot, a social-bot spreads by convincing other users that it is a real person.
• A social-bot is also known as a social networking bot or social bot.
• A socialbot consists of two main components:
  - A profile on a targeted OSN (the face), and
  - The socialbot software (the brain)
• We require the socialbot to support two types of generic operations in any given OSN:
  (1) social-interaction operations, which are used to read and write social content;
  (2) social-structure operations, which are used to alter the social graph.
Types of Social Botnet Attack
1. Hashtag hijacking
2. Trend-jacking/watering hole
3. Spray and pray
4. Retweet storm
5. Click/Like Farming
Why OSN?
• A social-bot can pollute the targeted OSN with a large number of non-genuine social relationships.
• Second, once a social-bot infiltrates a targeted OSN, it can exploit its new position in the network to spread misinformation in an attempt to bias public opinion. For example, the Koobface botnet.
• It can also harvest private user data such as email addresses, phone numbers, and other personally identifiable information that has monetary value.
• OSNs allow users to share user-generated content in a fast and simple way (e.g., there is no need for additional hosting or authoring tools).
• They support user-to-user real-time interaction, as well as asynchronous conversations through messages and comments.
• Web development techniques, such as Asynchronous JavaScript and XML (AJAX), allow many OSNs to be very interactive and even to provide real-time features.
• Many OSNs can be accessed via ad-hoc client interfaces made specifically for tablets, handheld devices and gaming consoles, making the service available everywhere.
• As a consequence of solid mobility support, OSNs also offer localization services.
• Unintentional disclosure of personal information.
• Mobile devices are widely used to access OSNs, e.g., via IEEE 802.11 air interfaces. Weak security settings for exchanging data then introduce additional risks (e.g., the use of HTTP instead of the Secure Hyper Text Transfer Protocol).
• Third-party Web applications can access user profiles, turning the OSN into an effective attack platform.
• Therefore, investigating the privacy and security aspects of OSNs is mandatory to guarantee their safe and successful use.
Are Social Bots Common?
• Bots are actually more common than you might think.
Botnet Detection Technique
1. ANALYSIS BASED TECHNIQUE[6]
Flowchart stages:
• User’s wall post
• Dragged user’s wall post
• Filter user’s post without URL
• Cluster users based on URL and post
• Identify malicious user
• Analyze user social bot with fast flux network
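An added example (not part of the original slides or of the cited work [6]) that walks the stages above over constructed data, reading the filter stage as dropping posts that carry no URL: users are clustered by linked domain and normalised post text, and each large cluster's domain is checked with a simple fast-flux heuristic. The sample posts, DNS observations, thresholds and function names are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+")
MIN_CLUSTER_USERS = 3   # assumed: users sharing one domain + text template
FLUX_MIN_IPS = 5        # assumed: distinct A records seen for the domain
FLUX_MAX_TTL = 300      # assumed: seconds; fast-flux records expire quickly

# Constructed wall posts (user, text); .example domains are reserved names.
POSTS = [
    ("u1", "Win a free phone!! http://prize.example/win?id=1"),
    ("u2", "win a FREE phone http://prize.example/win?id=2"),
    ("u3", "Win a free phone: http://prize.example/win?id=3"),
    ("u4", "Lunch was great today"),
    ("u5", "Our paper is out https://uni.example/paper.pdf"),
    ("u7", "Big sale this week http://shop.example/sale"),
    ("u8", "big sale this week! http://shop.example/sale"),
    ("u9", "Big sale, this week http://shop.example/sale"),
]

# Constructed passive-DNS observations: domain -> [(ip, ttl_seconds)].
DNS_OBS = {
    "prize.example": [("192.0.2.%d" % i, 60) for i in range(1, 7)],
    "shop.example": [("198.51.100.7", 3600)],
    "uni.example": [("203.0.113.9", 86400)],
}


def text_template(text):
    """Drop URLs, case and punctuation so near-identical posts compare equal."""
    return " ".join(re.findall(r"[a-z0-9]+", URL_RE.sub(" ", text).lower()))


def cluster_users(posts):
    """Skip posts without a URL, then group users by (domain, template)."""
    clusters = defaultdict(set)
    for user, text in posts:
        for url in URL_RE.findall(text):      # no URL -> nothing to cluster
            host = urlsplit(url.rstrip(".,;:!?)")).hostname
            if host:
                clusters[(host, text_template(text))].add(user)
    return clusters


def is_fast_flux(domain, dns_obs):
    """Heuristic: many distinct IPs, all served with short TTLs."""
    records = dns_obs.get(domain, [])
    distinct_ips = {ip for ip, _ttl in records}
    return (len(distinct_ips) >= FLUX_MIN_IPS
            and all(ttl <= FLUX_MAX_TTL for _ip, ttl in records))


def detect(posts, dns_obs):
    """Return one finding per cluster large enough to look coordinated."""
    findings = []
    for (domain, template), users in cluster_users(posts).items():
        if len(users) >= MIN_CLUSTER_USERS:
            findings.append({
                "domain": domain,
                "template": template,
                "users": sorted(users),
                "fast_flux": is_fast_flux(domain, dns_obs),
            })
    return sorted(findings, key=lambda f: f["domain"])


if __name__ == "__main__":
    for finding in detect(POSTS, DNS_OBS):
        print(finding)
```

Both campaigns form a cluster, but only the one whose domain also matches the fast-flux heuristic is a candidate for the final stage; the second looks like ordinary coordinated promotion.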
2. SUPERVISED LEARNING[3]
• Most existing work on detecting misbehaving identities in social networks leverages supervised learning techniques.
• One approach deploys honeypots in OSNs to attract spam, trains a machine learning (ML) classifier over the captured spam, and then detects new spam using the classifier.
• Another creates statistical behavioral profiles for Twitter users, trains a statistical model with a small manually labeled dataset of both benign and misbehaving users, and then uses it to detect compromised identities on Twitter.
• In large crowdsourcing systems, supervised learning approaches have inherent limitations. Specifically, they are attack-specific and vulnerable to adaptive attacker strategies.
• Given the adaptability of attacker strategies, supervised learning approaches require labeling, training, and classification to be done periodically to maintain efficacy.
3. DEFENSE AGAINST BOTNET-BASED SPAM DISTRIBUTION[3]
• To defend against this attack, they propose to track each user’s history of participating in spam distribution and suspend a user if his accumulated suspicious behaviors exceed some threshold.
• Specifically, for each user v a spam score s_v is maintained, which is updated every time user v retweets a spam. Once s_v exceeds a predefined threshold, user v is labeled as a spammer and suspended.
• The closer a user is to the spam source, the more likely he is a member of the social botnet. The reason is that a social botnet usually prefers shorter retweeting paths for fast spam dissemination.
• Once a user’s spam score exceeds a certain predetermined threshold, the user is suspended.
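An added example (not code from the slides or the cited work) of the spam-score defense described above, run over constructed retweet cascades. The slides do not give the update rule, so the 1/hops increment, the threshold value and all names are assumptions chosen to reflect that users closer to the spam source are more suspicious.

```python
from collections import defaultdict, deque

SUSPEND_THRESHOLD = 2.0   # assumed; the slides only say "predefined threshold"


def hop_distances(source, retweets):
    """BFS over (retweeter, retweeted_from) edges: hops of each user from source."""
    retweeted_by = defaultdict(list)
    for retweeter, parent in retweets:
        retweeted_by[parent].append(retweeter)
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for child in retweeted_by[node]:
            if child not in dist:
                dist[child] = dist[node] + 1
                queue.append(child)
    return dist


class SpamScoreTracker:
    """Keeps s_v per user and suspends v once s_v exceeds the threshold."""

    def __init__(self, threshold=SUSPEND_THRESHOLD):
        self.threshold = threshold
        self.scores = defaultdict(float)
        self.suspended = set()

    def record_cascade(self, source, retweets):
        """Score every retweeter of one confirmed spam tweet."""
        for user, hops in hop_distances(source, retweets).items():
            if hops == 0 or user in self.suspended:
                continue  # the original poster is not a retweeter
            # Assumed update rule: closer to the source -> larger increment.
            self.scores[user] += 1.0 / hops
            if self.scores[user] > self.threshold:
                self.suspended.add(user)


# Constructed cascades: (spam source, [(retweeter, retweeted_from), ...]).
CASCADES = [
    ("src1", [("bot1", "src1"), ("bot2", "src1"),
              ("bot3", "bot1"), ("alice", "bot3")]),
    ("src2", [("bot1", "src2"), ("bot2", "bot1"), ("bot3", "src2")]),
    ("src3", [("bot2", "src3"), ("bot1", "bot2"),
              ("bot3", "bot2"), ("bob", "bot3")]),
]


def run_demo():
    """Feed all constructed cascades through one tracker and return it."""
    tracker = SpamScoreTracker()
    for source, retweets in CASCADES:
        tracker.record_cascade(source, retweets)
    return tracker


if __name__ == "__main__":
    result = run_demo()
    for user, score in sorted(result.scores.items()):
        state = "SUSPENDED" if user in result.suspended else "active"
        print(f"{user:6s} s_v={score:.2f} {state}")
```

Users who retweeted once from three hops away stay far below the threshold, while accounts that repeatedly sit one or two hops from the source accumulate score quickly.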
Open Issues
• There are no methods that can accurately estimate the size of a botnet.
• Researchers have access to only a very small amount of data for their work, and they have to sign a separate agreement for each domain to use that data.
• The use of many detection approaches, such as honeypots, is also restricted because of conflicts between IT laws for data protection and securing IT services from any illegal intrusion.
• Because researchers manage to get only a very small amount of real data traces, it is very challenging to verify their work on large data sets.
Related Work
• The social botnet has received attention only recently. Some works showed that a social botnet is very effective in connecting to many random or targeted Facebook users (i.e., large-scale infiltration).
• Some work shows how spammers have become cleverer at inserting themselves into OSNs. There is a rich literature on spam detection in OSNs.
• One line of work considers independent spam bots and comes up with different methods to characterize and identify them.
• Other work focuses on describing and identifying planned spam campaigns launched by an army of spam bots. Moreover, spam bots are evolving towards more intelligence.
Conclusion and Future Work
• Botnets have played an important role as a major security threat on the Internet. It is estimated that over 80% of spam messages originate from these overlay networks.
• The first necessary step towards combating botnet threats is developing efficient detection techniques.
• From a computer security perspective, the concept of social bots is both interesting and disturbing: the threat is no longer from a human controlling or monitoring a computer, but from exactly the opposite.
• As future work, we will first extend our studies to OSNs such as Facebook, Google+ and Twitter.
• We will also investigate other attacks that can be enabled or facilitated by the social botnet so as to raise the awareness of OSN users and also help OSNs improve their misbehavior detection systems.
Contd…
• In addition, we plan to explore three lines of countermeasures against our attacks.
• The first line is inspired by the observation that the amount of communication from a legitimate OSN user to a social bot is usually far less than that in the opposite direction.
• Another possible defense is to detect malicious applications registered by the bot-master at OSNs.
• In practice, a large-scale social botnet often involves delegating the access privileges of individual bots to the applications the bot-master develops based on the OSN’s open APIs and registers with the OSN.
These observations can help design effective and efficient algorithms for OSNs to identify malicious botnet applications.
REFERENCES
1. Sergio S.C. Silva, Rodrigo M.P. Silva, Raquel C.G. Pinto, Ronaldo M. Salles. "Botnet: A Survey." Computer Networks, Volume 57, Issue 2, 4 February 2013, Pages 178-403.
2. Alieyan, Kamal, Ammar ALmomani, Ahmad Manasrah, and Mohammed M. Kadhum. "A survey of botnet detection based on DNS." Neural Computing and Applications (2015), Pages 1-18.
3. Caviglione, Luca, Mauro Coccoli, and Alessio Merlo. "A taxonomy-based model of security and privacy in online social networks." International Journal of Computational Science and Engineering 9, no. 4 (2014): 325-338.
4. Zhang, Jinxue, et al. "The rise of social botnets: Attacks and countermeasures." IEEE Transactions on Dependable and Secure Computing (2016).
5. Boshmaf, Yazan, Ildar Muslukhov, Konstantin Beznosov, and Matei Ripeanu. "The socialbot network: when bots socialize for fame and money." In Proceedings of the 27th Annual Computer Security Applications Conference, pp. 93-102. ACM, 2011.
6. Tyagi, Amit Kumar, and G. Aghila. "Detection of fast flux network based social bot using analysis based techniques." Data Science & Engineering (ICDSE), 2012 International Conference on. IEEE (2012), pp. 23-26.
7. Boshmaf, Yazan, et al. "Design and analysis of a social botnet." Computer Networks 57.2 (2013), Pages 556-578.
8. Do-evil-the-business-of-social-media-bots. http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/#34bae4351104
9. The-rise-of-social-media-botnets. http://www.darkreading.com/attacks-breaches/the-rise-of-social-media-botnets/a/d-id/1321177
10. kaspersky-ddos-intelligence-report-for-q3-2016. https://securelist.com/analysis/quarterly-malware-reports/76464/kaspersky-ddos-intelligence-report-for-q3-2016/
11. botnet-statistics-2017-02-05. http://botnet-tracker.blogspot.in/2017/02/botnet-statistics-2017-02-05.html
12. Socialbot. http://whatis.techtarget.com/definition/socialbot
Thank You!

Botnet Detection in Online-social Network

  • 1. BOTNET DETECTION Presented By: Rubal Sagwal Cyber Security NIT, Kurukshetra
  • 2. Motivation  Botnets signifies one of the most severe cybersecurity threats faced by everyone today.  Botnets have been used as the main path in carrying many cybercrimes reported in the recent news.  The Internet traffic consisted of up to 80 % of botnets traffic related to spam e-mails originating from known botnets such as Grum, Cutwail and Rustock. Currently, a large scale of botnets can be more than one million PCs, launching cyber attacks.  The FBI in 2013 reported that 10 international hackers were arrested for using botnets to steal more than $850 million through a group of compromised computers; they use the personal financial information of the people to steal such amount.  Online social networks (OSNs) are even more vulnerable by social bots.
  • 3. Table of Content 1. Introduction 2. Types of attack 3. Most wanted bots 4. Life cycle of bots 5. Botnet topologies 6. Social bots 7. Types of social bot attack 8. Defensive technique 9. Conclusion 10. Future work
  • 4. Background Introduction – Types of Attacks – Most wanted Bots
  • 5. INTRODUCTION  A Botnet is a network of compromised computers called Zombie Computers or Bots, under the control of a remote attacker.  Botnets area large collection of geographically separate compromised machines that act as proxies to hide the actual location of the host.  Botnet is one of the most significant threats to the cybersecurity as they are considered a launching pad for a number of several illegal activities such as distributed denial of service (DDoS), click fraud, phishing, identity theft, spamming and malware distribution.
  • 6.  A social botnet refers to a group of social bots under the control of a single bot-master, which work together to conduct malicious behavior while mimicking (copy) the interactions among normal OSN users to reduce their individual risk of being detected.
  • 7. Types of Attack  Distributed Denial of Service (DDoS) attacks  Sending Spams, Viruses, Spyware  Phishing  Stealing  Click Fraud
  • 10. Most Wanted Bots  Zeus- Compromised U.S. 3.6 million computers.  Koobface- Compromised U.S. 2.9 million computers.  TidServ- Compromised U.S. 1.5 million computers.  Trojan.Fakeavalert- Compromised U.S. 1.4 million computers.  R/Dldr.Agent.JKH- Compromised U.S. 1.2 million computers
  • 11. Components of Botnet Botmaster – C & C Server – Bot-Machine
  • 12. … … … . … … … … … … internet BOT MASTER C & C SERVER BOT MACHINE / ROBOT VICTIM MACHINE
  • 13. Bot-Master  The bot master is a person who operates the command and control of botnets for remote process execution.  It can control the infected machines, send commands without directly communicating with them.  Moreover, botnet owners attempt to hide their communication with the bots to block any deployed botnet detection processes.  The attackers or bot masters use the DNS services to hide their command and control (C&C) IP address to make the botnet reliable and easy to migrate from server to another without being noticed.
  • 14. Bot-Computer  A Bot-computer is a computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse and may be used to perform malicious tasks of one sort or another beneath remote direction.  Botnets of bot-computers are often used to spread spam e-mail and launch denial-of-service attacks.  A bot is a malicious program that performs various actions at a cybercriminal’s command.
  • 15. Command and Control Server  A command and control server (C & C) is a server used by cybercriminals (Bot-Master) to send orders to bots and to receive reports from them.  A C & C servers, it is probable that it can be either controlled by the malware operators directly, or themselves run on hardware compromised by malware.
  • 16. Botnet Life Cycle Victim MachineBot Computer C & C Server Bot Master
  • 17. Botnet Topologies 1. STAR TOPOLOGY 2. HIERARCHICAL TOPOLOGY 3. P2P TOPOLOGY
  • 19. Social Botnet  A Social botnet refers to a group of social bots under the control of a single bot-master, which work together to conduct malicious behavior while mimicking (copy) the interactions among normal OSN users to reduce their individual risk of being detected.  For example, social bots on Twitter can follow others and retweet/answer others’ tweets. Since a skewed following/followers (FF) ratio is a typical feature for social bots on Twitter, maintaining a balanced FF ratio in the social botnet.  Creating a social botnet is also fairly easy due to the open APIs published by OSN providers.
  • 20. Security Threats  A social-bot can pollute the targeted OSN with a large number of non-genuine social relationships.  Second, once a socialbot infiltrates a targeted OSN, it can exploit its new position in the network to spread misinformation in an attempt to bias the public opinion . For eg. : koobface botnet.  It can also harvest private user data such as email addresses, phone numbers, and other personally identifiable information that have monetary value.
  • 21. OSN Vulnerabilities INEFFECTIVE CAPTCHA SYBIL ACCOUNTS AND FAKE PROFILES EXPLOITABLE PLATFORMS AND APIs
  • 22. Bot Master C & C channel C & C Server Online Social Network Social Bots The Social- bot Network[4]
  • 23. Social-Bot  A social-bot is a type of bot that controls a social media account. Like all bots, a social-bot is automated software. The exact way a social-bot replicates depends on the social network, but unlike a regular bot, a social-bot spreads by convincing other users that the social-bot is a real person.  A social-bot is also known as social networking bot, or social bot.
  • 24.  A socialbot consists of two main components: > A profile on a targeted OSN (the face), and > The socialbot software (the brain)  we require the socialbot to support two types of generic operations in any given OSN: (1) social-interaction operations that are used to read and write social content. (2) social-structure operations that are used to alter the social graph.
  • 25. Types of Social Bitnet Attack 1. Hashtag hijacking 2. Trend-jacking/watering hole 3. Spray and pray 4. Retweet storm 5. Click/Like Farming
  • 26. Why OSN?  A social-bot can pollute the targeted OSN with a large number of non-genuine social relationships.  Second, once a social-bot infiltrates a targeted OSN, it can exploit its new position in the network to spread misinformation in an attempt to bias the public opinion . For eg. : koobface botnet.  It can also harvest private user data such as email addresses, phone numbers, and other personally identifiable information that have monetary value.  They allow to share user-generated contents in a fast and simple way (e.g., there is no need for additional hosting or authoring tools).
  • 27.  They support user-to-user real-time interaction, as well as asynchronous conversations through messages and comments.  Web development techniques, such as the Asynchronous Java script and XML (AJAX) method, permit many OSNs to be very interactive even providing provision to real- time features.  Many OSNs can be accessed via ad-hoc client-interfaces specifically made for tablets, handheld devices and gaming consoles, making the service everywhere available.  As a consequence of a solid mobility support, OSNs also offer localization services.  Unintentional disclosure of personal information.
  • 28.  Mobile devices are widely use to accessed OSNs from, e.g., via IEEE 802.11 air interfaces. Then, due the utilization of weak security settings to exchange data there are additional risks (e.g., the usage of HTTP instead of the Secure Hyper Text Transfer Protocol),  Third-party Web applications can access to user profiles, turning the OSN into an effective attack platform,  Therefore, the investigation of privacy and security aspects of OSNs is a mandatory action to guarantee their safe and successful utilization.
  • 29. Are Social Bots Common?  Bots are actually more common than you might think.
  • 30. Botnet Detection Technique 1. ANALYSIS BASED TECHNIQUE[6] USER’S WALL POST DRAGGED USER’S WALL POST FILTER USER’S POST WITHOUT URL CLUSTER USERS BASED ON URL AND PSOT IDENTIFY MALICIOUS USER ANALYZE USER SOCIAL BOT WITH FAST FLUX NETWORK
  • 31. 2. SUPERVISED LEARNING[3]  Most existing work on detecting misbehaving identities in social networks leverage supervised learning techniques.  It deploys honey pots in OSNs to attract spam, trains a machine learning (ML) classifier over the captured spam, and then detects new spam using the classifier.  It creates statistical behavioral profiles for Twitter users, trains a statistical model with a small manually labeled dataset of both benign and misbehaving users, and then uses it to detect compromised identities in Twitter.
  • 32.  While working with large crowdsourcing systems, supervised learning approaches have inherent limitations. Specifically they are attack-specific and vulnerable to adaptive attacker strategies. Given the adaptability of the attacker strategies, to maintain efficacy.  supervised learning approaches require labeling, training, and classification to be done periodically.
  • 33. 3. DEFENSE AGAINST BOTNET-BASED SPAM DISTRIBUTION[3]  To defend against this attack, they propose to track each user’s history of participating in spam distribution and suspend a user if his accumulated suspicious behaviors exceed some threshold.  Specifically, for each user v we maintain a spam score sv, which is updated every time user v retweets a spam. Once sv exceeds a predefined threshold, user v is labeled as a spammer and suspended.  Closer the user to the spam source, the more likely he is a member of the social botnet. The reason is that social botnet usually prefers shorter retweeting path for fast spam dissemination.  Once a user’s spam score exceeds certain predetermined threshold, the user is suspended.
  • 34. Open Issues
      • There are no methods that can accurately estimate the size of a botnet.
      • Researchers have access to only a very small amount of data for their work, and they have to sign a separate agreement for each domain to use that data.
      • The use of many detection approaches, such as honeypots, is also restricted because of conflicts between IT laws for data protection and securing IT services from any illegal intrusion.
      • Because researchers manage to obtain only a very small amount of real data traces, it is very challenging to verify their work on large data sets.
  • 35. Related Work
      • The social botnet has received attention only recently. Some works showed that a social botnet is very effective in connecting to many random or targeted Facebook users (i.e., large-scale infiltration).
      • Other work shows how spammers have become smarter at embedding themselves into OSNs. There is a rich body of literature on spam detection in OSNs.
      • One line of work considers independent spam bots and proposes different methods to characterize and identify them.
  • 36.
      • Other work focuses on characterizing and identifying organized spam campaigns launched by an army of spam bots. Moreover, spam bots are evolving toward greater intelligence.
  • 37. Conclusion and Future Work
      • Botnets have played an important role as a major security threat on the Internet. It is estimated that over 80% of spam messages originate from these overlay networks.
      • The first necessary step towards combating botnet threats is developing efficient detection techniques.
      • From a computer security perspective, the concept of social bots is both interesting and disturbing: the threat is no longer from a human controlling or monitoring a computer, but from exactly the opposite.
      • As future work, we will first extend our studies to OSNs such as Facebook, Google+ and Twitter.
      • We will also investigate other attacks that can be enabled or facilitated by the social botnet, so as to raise the awareness of OSN users and also help OSNs improve their misbehavior detection systems.
  • 38. Contd…
      • In addition, we plan to explore three lines of countermeasures against our attacks.
      • The first line is inspired by the observation that the amount of communication from a legitimate OSN user to a social bot is usually far less than that in the opposite direction.
      • Another possible defense is to detect malicious applications registered by the bot-master at OSNs.
      • In practice, a large-scale social botnet often involves allocating the access privileges of individual bots to the applications that the bot-master develops based on the OSN's open APIs and registers with the OSN. These observations can help design effective and efficient algorithms for OSNs to identify malicious botnet applications.
  • 39. REFERENCES
      1. Sergio S.C. Silva, Rodrigo M.P. Silva, Raquel C.G. Pinto, Ronaldo M. Salles. "Botnet: A Survey." Computer Networks, Volume 57, Issue 2, 4 February 2013, Pages 178-403.
      2. Alieyan, Kamal, Ammar ALmomani, Ahmad Manasrah, and Mohammed M. Kadhum. "A survey of botnet detection based on DNS." Neural Computing and Applications (2015), Pages 1-18.
      3. Caviglione, Luca, Mauro Coccoli, and Alessio Merlo. "A taxonomy-based model of security and privacy in online social networks." International Journal of Computational Science and Engineering 9, no. 4 (2014): 325-338.
      4. Zhang, Jinxue, et al. "The rise of social botnets: Attacks and countermeasures." IEEE Transactions on Dependable and Secure Computing (2016).
      5. Boshmaf, Yazan, Ildar Muslukhov, Konstantin Beznosov, and Matei Ripeanu. "The socialbot network: when bots socialize for fame and money." In Proceedings of the 27th Annual Computer Security Applications Conference, pp. 93-102. ACM, 2011.
      6. Tyagi, Amit Kumar, and G. Aghila. "Detection of fast flux network based social bot using analysis based techniques." Data Science & Engineering (ICDSE), 2012 International Conference on. IEEE (2012), pp. 23-26.
      7. Boshmaf, Yazan, et al. "Design and analysis of a social botnet." Computer Networks 57.2 (2013), Pages 556-578.
      8. Do-evil-the-business-of-social-media-bots. http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/#34bae4351104
      9. The-rise-of-social-media-botnets. http://www.darkreading.com/attacks-breaches/the-rise-of-social-media-botnets/a/d-id/1321177
      10. kaspersky-ddos-intelligence-report-for-q3-2016. https://securelist.com/analysis/quarterly-malware-reports/76464/kaspersky-ddos-intelligence-report-for-q3-2016/
      11. botnet-statistics-2017-02-05. http://botnet-tracker.blogspot.in/2017/02/botnet-statistics-2017-02-05.html
      12. Socialbot. http://whatis.techtarget.com/definition/socialbot