
Comparison of HMM and SVM schemes in detecting mobile Botnet

  • Choi, Byungha (Research Institute of Information and Communication Convergence Technology, Dankook University) ;
  • Cho, Kyungsan (Dept. of Software Science, Dankook University)
  • Received : 2013.12.05
  • Accepted : 2014.03.02
  • Published : 2014.04.30

Abstract

As mobile devices have become widely used and more capable, PC-based malware is moving to mobile platforms. In particular, mobile botnets reuse the powerful malicious behaviour of PC-based botnets and add new malicious techniques. Unlike existing PC-based botnet detection schemes, mobile botnet detection schemes are generally host-based, because a mobile botnet has many attack vectors and it is difficult to inspect all of them at the same time. In this paper, to overcome the limitations of host-based schemes, we compare two network-based schemes that detect mobile botnets by applying HMM and SVM techniques. Through verification analysis under real botnet attacks, we present the detection rates and detection properties of the two schemes.

Korean abstract (translated): With the widespread adoption and development of mobile devices such as smartphones, PC-based malware is rapidly moving to mobile platforms. In particular, botnets reproduce on mobile devices the powerful malicious behaviour and damage seen on PCs, and add new techniques. Unlike existing PC-based botnets, the many attack paths of a mobile botnet are hard to detect simultaneously, so host-based rather than network-based detection techniques have been predominant. In this paper, to overcome the limitations of host-based techniques, we compare two techniques, one applying an HMM and one applying an SVM, that detect mobile botnets on a network basis. We extract time-series data and unit-time data, both widely used in machine learning, and apply them to the two techniques; through verification analysis of traffic from an environment in which a real botnet is installed, we present the detection rate and detection characteristics of both techniques for each kind of data.
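The network-based approach the abstract describes, windowing captured traffic into unit-time features and scoring the resulting time series with an HMM, as an added example in Python. This is not the paper's code: the packet traces, the three-feature window summary (packet count, byte count, distinct destinations), the discretisation thresholds and the parameters of both HMMs are constructed assumptions, since the page does not give the paper's feature set or trained models, and the SVM side of the comparison is not implemented here.

```python
"""Unit-time traffic features scored by an HMM, as an added example.

This is illustration code, not the paper's implementation: the packet
records, the feature set, the discretisation thresholds and both sets of
HMM parameters below are constructed assumptions. In practice the models
would be estimated from labelled benign and bot traffic."""
import math
from collections import defaultdict

# Constructed packet records: (timestamp in seconds, destination IP, bytes).
# Benign trace: a few short bursts, always to a single destination.
BENIGN_PACKETS = (
    [(0.2, "10.0.0.5", 500), (0.7, "10.0.0.5", 1200)]
    + [(1.1 + 0.1 * i, "10.0.0.5", 300) for i in range(6)]
    + [(2.4, "10.0.0.5", 800)]
    + [(4.3, "10.0.0.7", 400), (4.8, "10.0.0.7", 400)]
    + [(5.1 + 0.1 * i, "10.0.0.5", 300) for i in range(6)]
)
# Bot trace: repeated fan-out to many hosts with a single beacon in between.
BOT_PACKETS = (
    [(0.1 + 0.1 * i, f"10.0.1.{i + 1}", 60) for i in range(4)]
    + [(1.1 + 0.1 * i, f"10.0.1.{i + 5}", 60) for i in range(5)]
    + [(2.5, "203.0.113.9", 120)]  # beacon to an assumed C&C address
    + [(3.1 + 0.1 * i, f"10.0.1.{i + 10}", 60) for i in range(5)]
    + [(4.1 + 0.1 * i, f"10.0.1.{15 + i % 4}", 60) for i in range(6)]
    + [(5.1 + 0.1 * i, f"10.0.1.{i + 20}", 60) for i in range(5)]
)


def unit_time_features(packets, window=1.0):
    """Aggregate packets into fixed windows of `window` seconds.

    Returns one (packet count, byte count, distinct destinations) tuple per
    window, including empty windows, so the result is a time series."""
    buckets = defaultdict(list)
    for ts, dst, nbytes in packets:
        buckets[int(ts // window)].append((dst, nbytes))
    if not buckets:
        return []
    feats = []
    for w in range(max(buckets) + 1):
        pk = buckets.get(w, [])
        feats.append((len(pk), sum(b for _, b in pk), len({d for d, _ in pk})))
    return feats


def discretise(feats, pkt_hi=5, dst_hi=3):
    """Map each window to an HMM observation symbol (thresholds are assumed):
    2 = fan-out (many distinct destinations), 1 = burst to few hosts, 0 = quiet."""
    seq = []
    for pk, _, dsts in feats:
        if dsts >= dst_hi:
            seq.append(2)
        elif pk >= pkt_hi:
            seq.append(1)
        else:
            seq.append(0)
    return seq


def logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))


def forward_loglik(seq, start, trans, emit):
    """log P(seq | model) by the forward algorithm, kept in log space so
    long sequences do not underflow. States are indices into start/trans/emit."""
    if not seq:
        return 0.0
    n = len(start)
    alpha = [math.log(start[i]) + math.log(emit[i][seq[0]]) for i in range(n)]
    for o in seq[1:]:
        alpha = [
            logsumexp([alpha[i] + math.log(trans[i][j]) for i in range(n)])
            + math.log(emit[j][o])
            for j in range(n)
        ]
    return logsumexp(alpha)


# Two hidden states (idle, active); all parameters are hand-set assumptions.
BENIGN_HMM = ([0.9, 0.1],
              [[0.9, 0.1], [0.5, 0.5]],
              [[0.9, 0.08, 0.02], [0.3, 0.6, 0.1]])
BOT_HMM = ([0.5, 0.5],
           [[0.6, 0.4], [0.2, 0.8]],
           [[0.7, 0.2, 0.1], [0.1, 0.3, 0.6]])


def score(packets):
    """Log-likelihood ratio log P(seq|bot) - log P(seq|benign); > 0 favours bot."""
    seq = discretise(unit_time_features(packets))
    return forward_loglik(seq, *BOT_HMM) - forward_loglik(seq, *BENIGN_HMM)


def classify(packets, threshold=0.0):
    return "bot" if score(packets) > threshold else "benign"


if __name__ == "__main__":
    for name, pkts in (("benign", BENIGN_PACKETS), ("bot", BOT_PACKETS)):
        print(name, discretise(unit_time_features(pkts)), round(score(pkts), 2), classify(pkts))
```

The per-window feature tuples are the kind of unit-time input an SVM would consume directly, while the symbol sequence is what the HMM consumes; the two classifiers therefore see the same traffic in different shapes, which is the contrast the paper draws. In a real deployment both HMMs would be estimated from labelled traffic and the decision threshold set from the observed false-positive rate, rather than hand-set as here.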

Cited by

  1. Response Modeling Using a Semi-Supervised Support Vector Regression Model, vol.19, pp.9, 2014, https://doi.org/10.9708/jksci.2014.19.9.125