Abstract
Botnets have become one of the most powerful tools attackers use to victimize countless users across cyberspace. Previous work on botnet detection has mainly focused on identifying infected bot computers or IP addresses, not on identifying bot processes on a host machine. This paper aims to fill this gap by presenting a bot process detection technique based on process symptoms such as TCP connection attempts, DNS activity, digital signatures, unauthorized process tampering, and process hiding. We partition the symptoms into sets that are input to classifiers, generating individual detection models which are then appropriately integrated to improve detection accuracy. The integrated approach correctly identified two bot processes and produced neither false positives nor false negatives.
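The abstract describes the architecture only in outline: symptoms are grouped into sets, each set trains its own model, and the per-set outputs are integrated into one per-process decision. The following Python sketch is an added illustration of that structure, not code from the paper. It groups the five listed symptoms into a network set (TCP attempts and failures, DNS queries and NXDOMAIN answers) and a host set (signature, tampering, hiding), trains one Bernoulli naive Bayes model per set and averages the per-set posteriors; the thresholds, the choice of classifier, the averaging rule and every process record are assumptions constructed for the example. The browser-like record shows why integration matters here: the network model alone leans towards "bot" for a heavily connecting, heavily resolving process, while the host model pulls the combined score back below the threshold.

```python
"""Added illustration, not the paper's code: per-symptom-set classifiers whose
outputs are integrated into one bot/benign decision per process.  Thresholds,
the naive Bayes classifier, the averaging rule and all process records below
are assumptions constructed for this example."""
from dataclasses import dataclass
from math import exp, log
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ProcessSymptoms:
    """Per-process observations over one monitoring window (constructed)."""
    name: str
    tcp_attempts: int   # outbound TCP connection attempts
    tcp_failures: int   # attempts that were refused or timed out
    dns_queries: int    # DNS lookups issued
    dns_nxdomain: int   # lookups answered NXDOMAIN
    unsigned: bool      # image lacks a valid digital signature
    tampered: bool      # wrote into / injected code into another process
    hidden: bool        # missing from the process list, found by a second enumeration


# Symptom sets: each feature is a predicate over a record (thresholds assumed).
SYMPTOM_SETS: Dict[str, Dict[str, Callable[[ProcessSymptoms], bool]]] = {
    "network": {
        "many_tcp_attempts": lambda p: p.tcp_attempts >= 20,
        "high_tcp_failure_rate": lambda p: p.tcp_attempts > 0 and p.tcp_failures / p.tcp_attempts >= 0.5,
        "many_dns_queries": lambda p: p.dns_queries >= 10,
        "high_nxdomain_rate": lambda p: p.dns_queries > 0 and p.dns_nxdomain / p.dns_queries >= 0.3,
    },
    "host": {
        "unsigned": lambda p: p.unsigned,
        "tampered_other_process": lambda p: p.tampered,
        "hidden": lambda p: p.hidden,
    },
}


def featurize(p: ProcessSymptoms, symptom_set: str) -> List[bool]:
    """Binary feature vector of one record for one symptom set."""
    return [pred(p) for pred in SYMPTOM_SETS[symptom_set].values()]


class BernoulliNB:
    """Bernoulli naive Bayes over binary features with add-one smoothing."""

    def fit(self, X: Sequence[Sequence[bool]], y: Sequence[bool]) -> "BernoulliNB":
        n, k = len(y), len(X[0])
        self.log_prior: Dict[bool, float] = {}
        self.log_theta: Dict[bool, List[Tuple[float, float]]] = {}
        for c in (False, True):
            rows = [x for x, lab in zip(X, y) if lab == c]
            self.log_prior[c] = log((len(rows) + 1) / (n + 2))
            theta = [(sum(r[j] for r in rows) + 1) / (len(rows) + 2) for j in range(k)]
            self.log_theta[c] = [(log(t), log(1.0 - t)) for t in theta]  # (log P(1), log P(0))
        return self

    def predict_proba(self, x: Sequence[bool]) -> float:
        """P(bot | x), normalised over the two classes in log space."""
        ll = {c: self.log_prior[c] + sum(lt if xi else lf for xi, (lt, lf) in zip(x, self.log_theta[c]))
              for c in (False, True)}
        m = max(ll.values())
        return exp(ll[True] - m) / sum(exp(v - m) for v in ll.values())


# Constructed labelled training records: (record, is_bot).
TRAINING: List[Tuple[ProcessSymptoms, bool]] = [
    (ProcessSymptoms("explorer", 3, 0, 2, 0, False, False, False), False),
    (ProcessSymptoms("browser", 25, 2, 12, 0, False, False, False), False),
    (ProcessSymptoms("unsigned_tool", 1, 0, 1, 0, True, False, False), False),
    (ProcessSymptoms("flaky_sync", 5, 3, 1, 0, False, False, False), False),
    (ProcessSymptoms("editor", 0, 0, 0, 0, False, False, False), False),
    (ProcessSymptoms("typo_prone", 2, 0, 4, 2, False, False, False), False),
    (ProcessSymptoms("shell", 0, 0, 0, 0, False, False, False), False),
    (ProcessSymptoms("bot_a", 40, 30, 30, 20, True, True, True), True),
    (ProcessSymptoms("bot_b", 30, 20, 5, 3, True, False, True), True),
    (ProcessSymptoms("bot_c", 22, 5, 15, 6, False, True, False), True),
    (ProcessSymptoms("bot_d", 50, 40, 12, 1, True, True, False), True),
    (ProcessSymptoms("bot_e", 8, 6, 20, 15, True, False, True), True),
]

# Two constructed records to classify.
BROWSER = ProcessSymptoms("browser_session", 40, 2, 30, 1, False, False, False)
SUSPECT = ProcessSymptoms("svch0st", 35, 28, 25, 18, True, True, True)


def train_models(samples: Sequence[Tuple[ProcessSymptoms, bool]]) -> Dict[str, BernoulliNB]:
    """One classifier per symptom set, each trained only on its own features."""
    labels = [is_bot for _, is_bot in samples]
    return {name: BernoulliNB().fit([featurize(p, name) for p, _ in samples], labels)
            for name in SYMPTOM_SETS}


def classify(models: Dict[str, BernoulliNB], p: ProcessSymptoms,
             threshold: float = 0.5) -> Tuple[bool, float, Dict[str, float]]:
    """Integrate the per-set posteriors by averaging (assumed rule).

    Returns (is_bot, integrated_score, per_set_scores)."""
    per_set = {name: m.predict_proba(featurize(p, name)) for name, m in models.items()}
    score = sum(per_set.values()) / len(per_set)
    return score >= threshold, score, per_set


if __name__ == "__main__":
    models = train_models(TRAINING)
    for rec in (BROWSER, SUSPECT):
        is_bot, score, per_set = classify(models, rec)
        print(f"{rec.name}: bot={is_bot} integrated={score:.3f} "
              + " ".join(f"{k}={v:.3f}" for k, v in per_set.items()))
```

With these constructed records the network model alone gives the browser session a posterior just above 0.5, the host model gives it about 0.06, and the averaged score of roughly 0.29 rules it benign; the suspect scores above 0.98 in both sets. Because each set is a separate model, adding a new symptom (or dropping an unreliable one) touches only that set's feature dictionary and its classifier, not the others.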
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Morales, J.A., Kartaltepe, E., Xu, S., Sandhu, R. (2010). Symptoms-Based Detection of Bot Processes. In: Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2010. Lecture Notes in Computer Science, vol 6258. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14706-7_18
DOI: https://doi.org/10.1007/978-3-642-14706-7_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14705-0
Online ISBN: 978-3-642-14706-7
eBook Packages: Computer Science, Computer Science (R0)