Stegobot: a covert social network botnet

Shishir Nagaraja, Amir Houmansadr, Pratch Piyawongwisal, Vijit Singh, Pragya Agarwal, Nikita Borisov

Research output: Chapter in Book/Report/Conference proceedingConference contribution book

39 Citations (Scopus)

Abstract

We propose Stegobot, a new generation botnet that communicates over probabilistically unobservable communication channels. It is designed to spread via social malware attacks and steal information from its victims. Unlike conventional botnets, Stegobot traffic does not introduce new communication endpoints between bots. Instead, it is based on a model of covert communication over a social-network overlay - bot to botmaster communication takes place along the edges of a social network. Further, bots use image steganography to hide the presence of communication within image sharing behavior of user interaction. We show that it is possible to design such a botnet even with a less than optimal routing mechanism such as restricted flooding. We analyzed a real-world dataset of image sharing between members of an online social network. Analysis of Stegobot's network throughput indicates that stealthy as it is, it is also functionally powerful - capable of channeling fair quantities of sensitive data from its victims to the botmaster at tens of megabytes every month.

LanguageEnglish
Title of host publicationInformation Hiding - 13th International Conference, IH 2011, Revised Selected Papers
EditorsT. Filler , T. Pevný , S. Craver , A. Ker
Place of PublicationBerlin
PublisherSpringer
Pages299-313
Number of pages15
Volume6958
ISBN (Print)9783642241772
DOIs
Publication statusPublished - 26 Sep 2011
Event13th International Conference on Information Hiding, IH 2011 - Prague, Czech Republic
Duration: 18 May 201120 May 2011

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume6958 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference13th International Conference on Information Hiding, IH 2011
CountryCzech Republic
CityPrague
Period18/05/1120/05/11

Fingerprint

Social Networks
Communication
Sharing
Steganography
Malware
Overlay networks
Flooding
User Interaction
Communication Channels
Overlay
Routing
Throughput
Attack
Traffic
Botnet
Model

Keywords

  • social network
  • online social network
  • image steganography
  • stego image
  • covert channel
  • behavioral research
  • communication
  • network routing
  • computer aided network analysis

Cite this

Nagaraja, S., Houmansadr, A., Piyawongwisal, P., Singh, V., Agarwal, P., & Borisov, N. (2011). Stegobot: a covert social network botnet. In T. Filler , T. Pevný , S. Craver , & A. Ker (Eds.), Information Hiding - 13th International Conference, IH 2011, Revised Selected Papers (Vol. 6958 , pp. 299-313). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6958 LNCS). Berlin: Springer. https://doi.org/10.1007/978-3-642-24178-9_21
Nagaraja, Shishir ; Houmansadr, Amir ; Piyawongwisal, Pratch ; Singh, Vijit ; Agarwal, Pragya ; Borisov, Nikita. / Stegobot : a covert social network botnet. Information Hiding - 13th International Conference, IH 2011, Revised Selected Papers. editor / T. Filler ; T. Pevný ; S. Craver ; A. Ker . Vol. 6958 Berlin : Springer, 2011. pp. 299-313 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{788f7b1fb2104d46bc122c3d70423c94,
title = "Stegobot: a covert social network botnet",
abstract = "We propose Stegobot, a new generation botnet that communicates over probabilistically unobservable communication channels. It is designed to spread via social malware attacks and steal information from its victims. Unlike conventional botnets, Stegobot traffic does not introduce new communication endpoints between bots. Instead, it is based on a model of covert communication over a social-network overlay - bot to botmaster communication takes place along the edges of a social network. Further, bots use image steganography to hide the presence of communication within image sharing behavior of user interaction. We show that it is possible to design such a botnet even with a less than optimal routing mechanism such as restricted flooding. We analyzed a real-world dataset of image sharing between members of an online social network. Analysis of Stegobot's network throughput indicates that stealthy as it is, it is also functionally powerful - capable of channeling fair quantities of sensitive data from its victims to the botmaster at tens of megabytes every month.",
keywords = "social network, online social network, image steganography, stego image, covert channel, behavioral research, communication, network routing, computer aided network analysis",
author = "Shishir Nagaraja and Amir Houmansadr and Pratch Piyawongwisal and Vijit Singh and Pragya Agarwal and Nikita Borisov",
year = "2011",
month = "9",
day = "26",
doi = "10.1007/978-3-642-24178-9_21",
language = "English",
isbn = "9783642241772",
volume = "6958",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer",
pages = "299--313",
editor = "{Filler }, T. and {Pevn{\'y} }, T. and {Craver }, S. and {Ker }, A.",
booktitle = "Information Hiding - 13th International Conference, IH 2011, Revised Selected Papers",

}

Nagaraja, S, Houmansadr, A, Piyawongwisal, P, Singh, V, Agarwal, P & Borisov, N 2011, Stegobot: a covert social network botnet. in T Filler , T Pevný , S Craver & A Ker (eds), Information Hiding - 13th International Conference, IH 2011, Revised Selected Papers. vol. 6958 , Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6958 LNCS, Springer, Berlin, pp. 299-313, 13th International Conference on Information Hiding, IH 2011, Prague, Czech Republic, 18/05/11. https://doi.org/10.1007/978-3-642-24178-9_21

Stegobot : a covert social network botnet. / Nagaraja, Shishir; Houmansadr, Amir; Piyawongwisal, Pratch; Singh, Vijit; Agarwal, Pragya; Borisov, Nikita.

Information Hiding - 13th International Conference, IH 2011, Revised Selected Papers. ed. / T. Filler ; T. Pevný ; S. Craver ; A. Ker . Vol. 6958 Berlin : Springer, 2011. p. 299-313 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6958 LNCS).

Research output: Chapter in Book/Report/Conference proceedingConference contribution book

TY - GEN

T1 - Stegobot

T2 - a covert social network botnet

AU - Nagaraja, Shishir

AU - Houmansadr, Amir

AU - Piyawongwisal, Pratch

AU - Singh, Vijit

AU - Agarwal, Pragya

AU - Borisov, Nikita

PY - 2011/9/26

Y1 - 2011/9/26

N2 - We propose Stegobot, a new generation botnet that communicates over probabilistically unobservable communication channels. It is designed to spread via social malware attacks and steal information from its victims. Unlike conventional botnets, Stegobot traffic does not introduce new communication endpoints between bots. Instead, it is based on a model of covert communication over a social-network overlay - bot to botmaster communication takes place along the edges of a social network. Further, bots use image steganography to hide the presence of communication within image sharing behavior of user interaction. We show that it is possible to design such a botnet even with a less than optimal routing mechanism such as restricted flooding. We analyzed a real-world dataset of image sharing between members of an online social network. Analysis of Stegobot's network throughput indicates that stealthy as it is, it is also functionally powerful - capable of channeling fair quantities of sensitive data from its victims to the botmaster at tens of megabytes every month.

AB - We propose Stegobot, a new generation botnet that communicates over probabilistically unobservable communication channels. It is designed to spread via social malware attacks and steal information from its victims. Unlike conventional botnets, Stegobot traffic does not introduce new communication endpoints between bots. Instead, it is based on a model of covert communication over a social-network overlay - bot to botmaster communication takes place along the edges of a social network. Further, bots use image steganography to hide the presence of communication within image sharing behavior of user interaction. We show that it is possible to design such a botnet even with a less than optimal routing mechanism such as restricted flooding. We analyzed a real-world dataset of image sharing between members of an online social network. Analysis of Stegobot's network throughput indicates that stealthy as it is, it is also functionally powerful - capable of channeling fair quantities of sensitive data from its victims to the botmaster at tens of megabytes every month.

KW - social network

KW - online social network

KW - image steganography

KW - stego image

KW - covert channel

KW - behavioral research

KW - communication

KW - network routing

KW - computer aided network analysis

UR - http://www.scopus.com/inward/record.url?scp=80052986561&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-24178-9_21

DO - 10.1007/978-3-642-24178-9_21

M3 - Conference contribution book

SN - 9783642241772

VL - 6958

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 299

EP - 313

BT - Information Hiding - 13th International Conference, IH 2011, Revised Selected Papers

A2 - Filler , T.

A2 - Pevný , T.

A2 - Craver , S.

A2 - Ker , A.

PB - Springer

CY - Berlin

ER -

Nagaraja S, Houmansadr A, Piyawongwisal P, Singh V, Agarwal P, Borisov N. Stegobot: a covert social network botnet. In Filler T, Pevný T, Craver S, Ker A, editors, Information Hiding - 13th International Conference, IH 2011, Revised Selected Papers. Vol. 6958 . Berlin: Springer. 2011. p. 299-313. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-642-24178-9_21