Downloading and Running
Total Page:16
File Type:pdf, Size:1020Kb
City Research Online City, University of London Institutional Repository Citation: Meng, X. (2018). An integrated networkbased mobile botnet detection system. (Unpublished Doctoral thesis, City, Universtiy of London) This is the accepted version of the paper. This version of the publication may differ from the final published version. Permanent repository link: https://openaccess.city.ac.uk/id/eprint/19840/ Link to published version: Copyright: City Research Online aims to make research outputs of City, University of London available to a wider audience. Copyright and Moral Rights remain with the author(s) and/or copyright holders. URLs from City Research Online may be freely distributed and linked to. Reuse: Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way. City Research Online: http://openaccess.city.ac.uk/ [email protected] AN INTEGRATED NETWORK- BASED MOBILE BOTNET DETECTION SYSTEM Xin Meng Department of Computer Science City, University of London This dissertation is submitted for the degree of Doctor of Philosophy City University London June 2017 Declaration I hereby declare that except where specific reference is made to the work of others, the contents of this dissertation are original and have not been submitted in whole or in part for consideration for any other degree or qualification in this, or any other University. This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration, except where specifically indicated in the text. This dissertation contains less than 65,000 words including appendices, bibliography, footnotes, tables and equations and has less than 150 figures. Xin Meng June 2017 Acknowledgements I would like to express my greatest appreciation to my supervisor Prof. George Spanoudakis. I am always motivated by his full support and his knowledge of the field during the whole period of my doctoral studies. There were times of the research for this thesis when I wondered if I would ever finish it, but his professional support and his personality gave me the strength to keep going further with the research. He is always patient, and his encouragement and advice are valued greatly. My thesis work would not have been accomplished without his help, aspiring advice and expert guidance. I would like to acknowledge my deep appreciation to all the colleagues from School of Mathematics, Computer Science & Engineering, Department of Computer Science. Special thanks go to my parents and my wife for their endless love. Abstract The increase in the use of mobile devices has made them target for attackers, through the use of sophisticated malware. One of the most significant types of such malware is mobile botnets. Due to their continually evolving nature, botnets are difficult to tackle through signature and traditional anomaly based detection methods. Machine learning techniques have also been used for this purpose. However, the study of their effectiveness has shown methodological weaknesses that have prevented the emergence of conclusive and thorough evidence about their merit. To address this problem, in this thesis we propose a mobile botnet detection system, called MBotCS and report the outcomes of a comprehensive experimental study of mobile botnet detection using supervised machine learning techniques to analyse network traffic and system calls on Android mobile devices. The research covers a range of botnet detection scenarios that is wider from what explored so far, explores atomic and box learning algorithms, and investigates thoroughly the sensitivity of the algorithm performance on different factors (algorithms, features of network traffic, system call data aggregation periods, and botnets vs normal applications and so on). These experiments have been evaluated using real mobile device traffic, and system call captured from Android mobile devices, running normal apps and mobile botnets. The experiments study has several superiorities comparing with existing research. Firstly, experiments use not only atomic but also box ML classifiers. Secondly, a comprehensive set of Android mobile botnets, which had not been considered previously, without relying on any form of synthetic training data. Thirdly, experiments contain a wider set of detection scenarios including unknown botnets and normal applications. Finally, experiments include the statistical significance of differences in detection performance measures with respect to different factors. The study resulted in positive evidence about the effectiveness of the supervised learning approach, as a solution to the mobile botnet detection problem. Contents Contents ................................................................................................................................ ix List of Figures ................................................................................................................... xiii List of Tables ....................................................................................................................... xv List of Abbreviations ......................................................................................................... xvii List of Equations ................................................................................................................ xix Chapter 1 Introduction ...................................................................................................... 1 1.1 Research background ............................................................................................... 1 1.2 Motivation ............................................................................................................... 6 1.3 Overview of approach ............................................................................................. 7 1.4 Research hypothesis and objectives ........................................................................ 8 1.5 Contribution ............................................................................................................. 9 1.6 Thesis outline ......................................................................................................... 10 Chapter 2 Literature Review ........................................................................................... 13 2.1 Background of botnet ............................................................................................ 13 2.1.1 Definition ....................................................................................................... 13 2.1.2 Taxonomy ....................................................................................................... 15 2.1.3 Lifecycle of botnet ......................................................................................... 19 2.1.4 Comparison different type of malware ........................................................... 22 2.2 Conventional botnet detection techniques ............................................................. 23 2.2.1 Incidents ......................................................................................................... 23 2.2.2 Botnet creation techniques ............................................................................. 25 2.2.3 Taxonomy of detection techniques ................................................................ 27 2.2.4 Comparison .................................................................................................... 37 2.3 Network traffic anomaly detection technique ....................................................... 43 2.3.1 Introduction of anomaly detection and intrusion detection ............................ 43 2.3.2 Classification of anomaly-based detection technique .................................... 46 2.3.3 The future trend of anomaly detection technique ........................................... 52 2.4 Machine Learning .................................................................................................. 53 2.4.1 Introduction of machine learning algorithm ................................................... 53 2.4.2 Machine learning algorithms .......................................................................... 55 2.4.3 Evaluation criteria for machine learning ........................................................ 73 2.5 Mobile botnet ......................................................................................................... 78 2.5.1 Mobile botnet accidents ................................................................................. 79 2.5.2 Mobile botnet creation ................................................................................... 82 2.5.3 Detection techniques ...................................................................................... 85 2.5.4 ML based botnet detection techniques comparison ....................................... 88 2.5.5 Mobile botnet detection specificity ................................................................ 92 2.5.6 Open issues ..................................................................................................... 95 Chapter 3 The MBotCS Detection System ..................................................................... 97 3.1 Overall framework ................................................................................................