A Bot Detection Method Based on Analysis of API Invocation

A Bot detection method based on API invocation was proposed to improve existing approaches for detecting unknown Bots. The characteristics of Bots executing on a host were analyzed by observing their API function invocations, and a new approach was derived from them. First, processes on the host were filtered using a whitelist and a blacklist. Then fast detection and sequence detection were combined to detect Bots. A series of experiments shows that this approach does not depend on extracting specific signatures and can effectively detect unknown Bots on a host.
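As an added illustration of the three-stage pipeline described above (not the paper's own code): processes are first filtered by whitelist and blacklist, then a fast check looks for an unordered set of indicative API calls, and finally an ordered-subsequence check matches API call sequences. The process names, API sets, sequence patterns and traces below are constructed assumptions, and the exact form of the paper's fast and sequence detectors is assumed, not taken from the abstract.

```python
"""Defender-side sketch: whitelist/blacklist filtering, then fast detection,
then sequence detection over per-process API-call traces. All lists, patterns
and traces are hypothetical and constructed for illustration."""
from dataclasses import dataclass

# Hypothetical process lists: known-benign names are skipped, known-bad flagged at once.
WHITELIST = {"explorer.exe", "svchost.exe"}
BLACKLIST = {"known_bot.exe"}

# Fast detection (assumed form): an unordered set of APIs that must all appear.
FAST_PATTERN = {"WSAStartup", "connect", "RegSetValueExW"}

# Sequence detection (assumed form): ordered, not necessarily contiguous, API subsequences.
SEQ_PATTERNS = [
    ("connect", "recv", "CreateProcessW"),                # receive command, launch payload
    ("InternetOpenUrlW", "WriteFile", "CreateProcessW"),  # download, drop, execute
]

@dataclass
class Verdict:
    process: str
    stage: str        # "whitelist", "blacklist", "fast", "sequence" or "clean"
    detail: str = ""  # which pattern fired, for the analyst

def is_subsequence(pattern, trace):
    """True if every API in pattern occurs in trace in the same relative order."""
    it = iter(trace)  # any() consumes the iterator up to and including each match
    return all(any(api == step for api in it) for step in pattern)

def classify(process, trace):
    """Run the stages in order and stop at the first one that decides."""
    if process in WHITELIST:
        return Verdict(process, "whitelist")
    if process in BLACKLIST:
        return Verdict(process, "blacklist")
    if FAST_PATTERN <= set(trace):
        return Verdict(process, "fast", ",".join(sorted(FAST_PATTERN)))
    for pattern in SEQ_PATTERNS:
        if is_subsequence(pattern, trace):
            return Verdict(process, "sequence", "->".join(pattern))
    return Verdict(process, "clean")

def detect_all(traces):
    return [classify(p, t) for p, t in traces.items()]

# Constructed traces standing in for the output of an API-hooking monitor.
SAMPLE_TRACES = {
    "explorer.exe": ["CreateFileW", "ReadFile"],
    "updater.exe": ["WSAStartup", "connect", "send", "RegSetValueExW"],
    "svc_helper.exe": ["CreateFileW", "connect", "ReadFile", "recv", "CreateProcessW"],
    "notepad.exe": ["CreateFileW", "WriteFile", "CloseHandle"],
}

if __name__ == "__main__":
    for verdict in detect_all(SAMPLE_TRACES):
        print(verdict)
```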
