MOBILE BOTNET DETECTION: A Machine Learning Approach using SVM

Abstract

Mobile botnets have become a growing cybersecurity concern, leveraging infected Android devices for malicious activities such as DDoS attacks, phishing, and credential theft. Detecting these threats requires advanced techniques due to their evasive nature. This paper proposes a machine learning-based detection system utilizing Support Vector Machine (SVM) to classify applications as benign or malicious. The model extracts and analyses 342 static features from Android applications to identify anomalous behaviour. Evaluated in a real-world setting, the approach demonstrates high detection accuracy with minimal false positives. The findings suggest that machine learning, particularly SVM, is an effective tool for mobile botnet detection. Future enhancements include expanding datasets and incorporating deep learning to improve detection performance and adaptability.

Introduction

???? Overview: Rise of Mobile Botnets

• The growing use of mobile devices—especially Android—has increased vulnerability to cyber threats, particularly botnets.

• Mobile botnets are networks of infected devices controlled by a botmaster via Command & Control (C&C) servers to perform malicious actions like:

  • DDoS attacks

  • Phishing

  • Credential theft

  • Spam distribution

• Android is especially targeted due to its open-source structure and flexible app installations.

????? Proposed Solution: SVM-Based Detection

• A machine learning approach using Support Vector Machine (SVM) is proposed to detect mobile botnets.

• The system analyzes 342 static features (e.g., permissions, system calls, network behavior, code structure) extracted via reverse engineering.

• The SVM classifier learns to distinguish between benign and malicious apps, improving detection accuracy and reducing false positives.

???? Literature Review Highlights

• Thamaraimanalan et al.: ANFIS-based detection with 99.83% accuracy; struggles with adaptive botnets.

• Almuhaideb & Alynanbaawi: Reviewed hybrid static-dynamic analysis but noted outdated datasets and lack of time-series tracking.

• Shafi et al.: Behavioral analysis based on power/data usage; energy-intensive.

• Abdelrazek et al.: DDoS detection using cellular protocols; requires deep telecom integration.

• Rabhi et al.: Deep learning for Mirai detection; limited against variant botnets.

• Mahboubi et al.: Botnet propagation modeling; lacks real-time detection.

Key Takeaway: While existing solutions show promise, they suffer from high costs, energy usage, limited adaptability, and dataset issues.

?? System Methodology

1. Data Collection

• Uses public datasets like ISCX Android Botnet Dataset and Kaggle Malware Datasets.

• Regular updates ensure inclusion of new botnet variants.

2. Data Preprocessing

• Cleaning, noise reduction, normalization enhance data quality for training.

3. Feature Extraction

• Extracts 342 static features from APKs, including:

  • Permissions

  • System calls

  • Network behavior

  • Code analysis

4. Model Training: Support Vector Machine (SVM)

• SVM builds a decision boundary (hyperplane) to separate benign from malicious apps.

• Optimizes support vectors for better classification.

5. Classification & Detection

• Users upload an APK

• Features are extracted and classified

• App is labeled as benign (0) or botnet-infected (1)

????? System Architecture

• Client Layer: React.js frontend for app uploads and result display.

• Server Layer: Flask-based backend hosts ML model and handles requests.

• Database Layer: SQL database stores app data, features, and model outputs.

???? Performance Evaluation

• High performance proves the SVM model’s reliability in real-world detection.

• Slightly lower recall for botnet apps shows room for enhancement.

???? Future Directions

• Integrate deep learning for more adaptive detection.

• Expand datasets to improve generalization.

• Continue refining hybrid static-dynamic analysis.

Conclusion

Implementing an SVM-based approach for mobile botnet detection offers a scalable and efficient security solution. By extracting static features like permissions, system calls, network behavior, and code structure, the SVM classifier differentiates between benign and botnet-infected apps with high accuracy and minimal false positives. This method is ideal for resource-constrained devices due to its lower computational requirements compared to deep learning. With continuous feature optimization, the SVM framework can adapt to evolving botnet tactics. Future research may explore hybrid models or ensemble methods to enhance detection. Overall, the SVM-based system strengthens mobile security, ensuring resilience against evolving botnet threats in an interconnected world.

References

[1] Thamaraimanalan, K., Marimuthu, P., &Rajalakshmi, R., \"ANFIS-Based Multilayered Algorithm for Botnet Detection,\" IEEE Access, vol. 11, pp. 13059-13071, 2023. [2] Almuhaideb, A., &Alynanbaawi, A., \"Applications of Artificial Intelligence to Detect Android Botnets: A Survey,\" International Journal of Information Security and Privacy, vol. 16, no. 1, pp. 1-23, 2022. [3] Shafi, M., Jha, R. K., & Jain, S., \"Behavioral Model for Live Detection of Apps-Based Attacks,\" IEEE Transactions on Computational Social Systems, vol. 10, no. 3, pp. 934-948, 2023. [4] Abdelrazek, L., Fuladi, R., Kövér, J., Karaçay, L., &Gülen, U., \"Detecting IP DDoS Attacks Using 3GPP Radio Protocols,\" IEEE Access, vol. 12, pp. 24776-24789, 2024. [5] Rabhi, S., Abbes, T., &Zarai, F., \"IoT Botnet Detection Using Deep Learning,\" 2023 International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 1107-1112, 2023. [6] Mahboubi, A., Camtepe, S., & Ansari, K., \"Stochastic Modeling of IoT Botnet Spread: A Short Survey on Mobile Malware Spread Modeling,\" IEEE Access, vol. 8, pp. 228818-228832, 2020.

Copyright

Copyright © 2025 Vinod Wadne , Aarya Gundu, Ritesh Patil, Rohan Salunke, Rushikesh Kandalkar. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.