Mobile botnets have become a growing cybersecurity concern, leveraging infected Android devices for malicious activities such as DDoS attacks, phishing, and credential theft. Detecting these threats requires advanced techniques due to their evasive nature. This paper proposes a machine learning-based detection system utilizing Support Vector Machine (SVM) to classify applications as benign or malicious. The model extracts and analyses 342 static features from Android applications to identify anomalous behaviour. Evaluated in a real-world setting, the approach demonstrates high detection accuracy with minimal false positives. The findings suggest that machine learning, particularly SVM, is an effective tool for mobile botnet detection. Future enhancements include expanding datasets and incorporating deep learning to improve detection performance and adaptability.
Introduction
The rise of mobile technology, especially Android, has increased cybersecurity threats from mobile botnets—networks of compromised devices used for malicious activities like DDoS attacks and data theft. Due to Android’s open nature, detecting these botnets is challenging as they often hide in legitimate-looking apps.
This study proposes a Support Vector Machine (SVM)-based detection system that analyzes 342 static features extracted through reverse engineering of Android apps. The system classifies applications as benign or botnet-infected by focusing on anomaly detection, improving accuracy and reducing false positives compared to traditional methods. SVM’s adaptability helps detect new botnet variants in real time.
The paper also reviews prior botnet detection methods, including neuro-fuzzy systems, behavioral models, deep learning, and epidemiological modeling, noting challenges like dataset limitations and evasion tactics.
Methodology includes:
Collecting diverse datasets of benign and malicious apps.
Data preprocessing to clean and normalize inputs.
Extracting features such as permission use, system calls, network behavior, and code structure.
Training the SVM classifier to distinguish botnet apps based on these features.
Real-time classification of new apps for detection.
System architecture features a React.js frontend for user interaction, a Flask backend hosting the model, and a SQL database managing data. Performance is measured using accuracy, precision, and recall.
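As an added illustration of the five methodology steps above and of the accuracy/precision/recall measurement, the following Python script is not code from the paper and does not reproduce its 342-feature extractor or dataset. It builds a constructed toy feature vocabulary (permissions, API calls, code properties), encodes each constructed app as a binary vector, trains a linear SVM by subgradient descent on the hinge loss, classifies held-out apps, and reports the three metrics. Every feature name, app and label in it is constructed for illustration; `train_svm`, `predict` and `evaluate` are this example's own helpers.

```python
"""
Added example, not the paper's code: a toy end-to-end version of the
static-feature SVM pipeline. Each app is represented by the static
features found in its decompiled APK, vectorised, used to train a linear
SVM, and the trained model is scored on apps it never saw.
The feature vocabulary and every app record below are constructed.
"""

# Constructed stand-in for the paper's static feature vocabulary.
FEATURES = [
    "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_NETWORK_STATE",
    "api:Runtime.exec",
    "api:DexClassLoader",
    "api:HttpURLConnection",
    "api:SmsManager.sendTextMessage",
    "api:TelephonyManager.getDeviceId",
    "code:native_lib",
]

MALICIOUS, BENIGN = 1, -1

# Constructed "extracted feature" records: (features found in the APK, label).
TRAIN = [
    ({"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE", "api:HttpURLConnection"}, BENIGN),
    ({"android.permission.INTERNET", "api:HttpURLConnection", "android.permission.READ_CONTACTS"}, BENIGN),
    ({"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}, BENIGN),
    ({"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE", "api:HttpURLConnection", "code:native_lib"}, BENIGN),
    ({"android.permission.INTERNET", "android.permission.READ_CONTACTS", "android.permission.ACCESS_NETWORK_STATE"}, BENIGN),
    ({"android.permission.ACCESS_NETWORK_STATE", "api:HttpURLConnection"}, BENIGN),
    ({"android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.READ_SMS",
      "android.permission.SEND_SMS", "api:SmsManager.sendTextMessage", "api:TelephonyManager.getDeviceId"}, MALICIOUS),
    ({"android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED", "api:DexClassLoader",
      "api:Runtime.exec", "api:HttpURLConnection"}, MALICIOUS),
    ({"android.permission.INTERNET", "android.permission.READ_SMS", "android.permission.SEND_SMS",
      "api:SmsManager.sendTextMessage", "api:DexClassLoader"}, MALICIOUS),
    ({"android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED", "api:TelephonyManager.getDeviceId",
      "api:Runtime.exec", "code:native_lib"}, MALICIOUS),
    ({"android.permission.INTERNET", "android.permission.READ_CONTACTS", "android.permission.SEND_SMS",
      "api:SmsManager.sendTextMessage", "android.permission.RECEIVE_BOOT_COMPLETED"}, MALICIOUS),
    ({"android.permission.INTERNET", "api:DexClassLoader", "api:TelephonyManager.getDeviceId",
      "api:HttpURLConnection", "android.permission.READ_SMS"}, MALICIOUS),
]

# Constructed hold-out apps, never shown to the trainer.
HOLDOUT = [
    ({"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
      "api:HttpURLConnection", "android.permission.READ_CONTACTS"}, BENIGN),
    ({"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE", "code:native_lib"}, BENIGN),
    ({"android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.SEND_SMS",
      "api:SmsManager.sendTextMessage", "api:TelephonyManager.getDeviceId"}, MALICIOUS),
    ({"android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED", "api:DexClassLoader",
      "api:Runtime.exec", "android.permission.READ_SMS", "api:TelephonyManager.getDeviceId"}, MALICIOUS),
]


def vectorize(found):
    """Preprocessing: map an app's extracted feature set onto a fixed-order binary
    vector. A trailing constant 1.0 lets the SVM learn its bias as an ordinary weight."""
    return [1.0 if f in found else 0.0 for f in FEATURES] + [1.0]


def dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def train_svm(records, lam=0.01, lr=0.1, epochs=400):
    """Linear SVM by batch subgradient descent on
    lam/2 * ||w||^2 + sum_i max(0, 1 - y_i * (w . x_i)).
    Only samples inside the margin (y * score < 1) contribute to the update."""
    data = [(vectorize(found), y) for found, y in records]
    w = [0.0] * len(data[0][0])
    for epoch in range(epochs):
        step = lr / (1.0 + 0.02 * epoch)   # decaying step damps late oscillation
        grad = [lam * wj for wj in w]       # gradient of the regulariser
        for x, y in data:
            if y * dot(w, x) < 1.0:         # margin violator: hinge term is active
                for j, xj in enumerate(x):
                    grad[j] -= y * xj
        w = [wj - step * gj for wj, gj in zip(w, grad)]
    return w


def predict(w, found):
    """Classify one app: +1 = botnet-infected, -1 = benign."""
    return MALICIOUS if dot(w, vectorize(found)) >= 0.0 else BENIGN


def evaluate(w, records):
    """Accuracy, precision and recall with 'malicious' as the positive class."""
    tp = fp = fn = tn = 0
    for found, y in records:
        p = predict(w, found)
        if p == MALICIOUS and y == MALICIOUS:
            tp += 1
        elif p == MALICIOUS:
            fp += 1
        elif y == MALICIOUS:
            fn += 1
        else:
            tn += 1
    total = tp + fp + fn + tn
    return {
        "accuracy": (tp + tn) / total,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def top_features(w, k=5):
    """Most botnet-leaning weights: a sanity check that the model keys on plausible signals."""
    ranked = sorted(zip(FEATURES, w[:-1]), key=lambda fw: fw[1], reverse=True)
    return [f for f, _ in ranked[:k]]


if __name__ == "__main__":
    model = train_svm(TRAIN)
    print("hold-out metrics:", evaluate(model, HOLDOUT))
    print("strongest botnet indicators:", top_features(model))
```

In a real deployment the constructed feature sets would be replaced by what a manifest and dex disassembly parser extracts from each APK, and the reported precision and recall must come from apps the trainer never saw, as `HOLDOUT` does here; a feature that almost every app requests, such as `INTERNET`, contributes little to the decision, which `top_features` makes visible.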
The study highlights machine learning, especially SVM, as a powerful approach to mobile botnet detection, with future work aimed at incorporating deep learning and expanding datasets to enhance detection capabilities.
Conclusion
The study explores the effectiveness of various machine learning models in mobile botnet detection, demonstrating that different algorithms perform optimally based on application size. CNN achieves the highest accuracy (~96%) for small applications (<20MB), SVM proves to be the best for medium-sized applications (20MB–60MB) with ~94% accuracy, while DNN is the most effective for large applications (>60MB) at ~91%. These results highlight the importance of selecting the appropriate model based on resource constraints and application complexity.
Moreover, SVM-based botnet detection outperforms traditional techniques such as signature-based, rule-based, and anomaly-based methods. With an accuracy of ~95%, a false positive rate of ~6%, and a fast detection time of 1.2 seconds, SVM provides a reliable and efficient solution for real-time botnet threat detection. Traditional methods, though still relevant, exhibit lower accuracy (75%–85%) and higher false positive rates, making them less suitable for modern cyber threats.
Overall, the findings emphasize the necessity of employing machine learning models tailored to specific application needs. SVM emerges as a strong candidate for balancing accuracy, efficiency, and computational cost. Future research could focus on hybrid approaches combining multiple models to further enhance detection accuracy and adaptability against evolving cyber threats.