MONDEO: Multistage Botnet Detection
Duarte Dias, Bruno Sousa, Nuno Antunes

TL;DR
MONDEO is a lightweight, multistage detection system for DNS-based mobile botnets like FluBot, utilizing network analysis and machine learning to identify malicious activity efficiently without requiring device software installation.
Contribution
It introduces a novel multistage detection framework that can be deployed in core networks to detect DNS-based botnets on mobile devices without device modification.
Findings
High detection accuracy with RandomForest classifiers
Effective in processing packet streams for attack identification
Achieved high performance in diverse datasets
Abstract
Mobile devices have become widespread, to the point of being the most used piece of technology. Due to their characteristics, they have become major targets for botnet-related malware. FluBot is one example of botnet malware that infects mobile devices. In particular, FluBot is a DNS-based botnet that uses Domain Generation Algorithms (DGA) to establish communication with the Command and Control Server (C2). MONDEO is a multistage mechanism with a flexible design to detect DNS-based botnet malware. MONDEO is lightweight and can be deployed without requiring the deployment of software, agents, or configuration on mobile devices, allowing easy integration in core networks. MONDEO comprises four detection stages: Blacklisting/Whitelisting, Query rate analysis, DGA analysis, and Machine learning evaluation. It was created with the goal of processing streams of packets to identify attacks with high efficiency,…
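The four-stage pipeline described in the abstract, written out as an added illustration that is not MONDEO's own code: each DNS query passes through blacklist/whitelist lookup, a per-source query-rate check, a DGA heuristic on the second-level label, and finally a classifier, stopping at the first decisive stage. The lists, the rate threshold, the entropy/length/vowel thresholds, the feature set and the k-NN stand-in for the paper's RandomForest are all assumptions made for this example; the training rows are constructed, not data from the paper.

```python
"""Toy multistage DNS-botnet detection pipeline (added example, not MONDEO's code)."""
import math
from collections import defaultdict, deque

# Stage 1: static lists (constructed placeholders for this example)
BLACKLIST = {"c2-known-bad.example"}
WHITELIST = {"google.com", "cloudflare.com", "example.org"}

# Stage 2: assumed rate threshold, queries per source within WINDOW seconds
WINDOW = 10.0
RATE_LIMIT = 20


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def second_level_label(domain):
    """Return the label left of the TLD, e.g. 'google' for 'www.google.com'."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(domain):
    """(entropy, length/16, vowel ratio, digit ratio) of the second-level label.
    Feature choice and the length scaling are assumptions of this example."""
    label = second_level_label(domain)
    n = max(len(label), 1)
    vowels = sum(label.count(v) for v in "aeiou")
    digits = sum(ch.isdigit() for ch in label)
    return (shannon_entropy(label), len(label) / 16, vowels / n, digits / n)


def looks_like_dga(domain):
    """Stage 3 heuristic: high entropy, long label, few vowels (assumed thresholds)."""
    ent, scaled_len, vowel_ratio, _ = dga_features(domain)
    return ent > 3.3 and scaled_len * 16 >= 12 and vowel_ratio < 0.3


# Stage 4: constructed labelled rows (1 = DGA-like); a 3-NN vote stands in for
# the RandomForest the paper uses, so the block runs without scikit-learn.
TRAINING = [
    (dga_features("google.com"), 0), (dga_features("wikipedia.org"), 0),
    (dga_features("microsoft.com"), 0), (dga_features("netflix.com"), 0),
    (dga_features("xk3jq9wplzvbtr.com"), 1), (dga_features("qzpw7rtmkxlsdf.net"), 1),
    (dga_features("bvjtrqplmzxwkf.org"), 1), (dga_features("hj8ktvqz2plwxn.com"), 1),
]


def ml_predict(domain, k=3):
    """True when a majority of the k nearest training rows are labelled DGA."""
    f = dga_features(domain)
    ranked = sorted(TRAINING, key=lambda row: sum((a - b) ** 2 for a, b in zip(f, row[0])))
    votes = sum(label for _, label in ranked[:k])
    return votes * 2 > k


class Pipeline:
    """Stateful evaluator: keeps a sliding window of query timestamps per source."""

    def __init__(self):
        self.history = defaultdict(deque)  # source address -> timestamps

    def evaluate(self, ts, src, domain):
        """Return (verdict, deciding_stage) for one DNS query at time ts (seconds)."""
        d = domain.rstrip(".").lower()
        # Stage 1: exact-match lists decide immediately
        if d in BLACKLIST:
            return ("malicious", "blacklist")
        if d in WHITELIST:
            return ("benign", "whitelist")
        # Stage 2: query rate per source over the last WINDOW seconds
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > RATE_LIMIT:
            return ("suspicious", "query-rate")
        # Stage 3: DGA heuristic on the queried name
        if looks_like_dga(d):
            return ("malicious", "dga")
        # Stage 4: classifier on the same features for everything left over
        return ("malicious" if ml_predict(d) else "benign", "ml")


if __name__ == "__main__":
    p = Pipeline()
    for ts, src, name in [(0.0, "10.0.0.5", "c2-known-bad.example"),
                          (1.0, "10.0.0.5", "kfj3qwzx9bvtlp.com"),
                          (2.0, "10.0.0.5", "amazon.com")]:
        print(name, "->", p.evaluate(ts, src, name))
```

Because each stage returns as soon as it is decisive, the expensive classifier only sees names that survived the cheap list and rate checks, which is the property that makes a staged design cheap enough to sit inline on a packet stream. The example deliberately matches the whitelist exactly; a deployment would normally match on the registered domain so that subdomains of allowed names do not fall through to later stages.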
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
