BotTracer: Execution-Based Bot-Like Malware Detection
نویسندگان
چکیده
Bot-like malware has posed an immense threat to computer security. Bot detection is still a challenging task since bot developers are continuously adopting advanced techniques to make bots more stealthy. A typical bot exhibits three invariant features along its onset: (1) the startup of a bot is automatic without requiring any user actions; (2) a bot must establish a command and control channel with its botmaster; and (3) a bot will perform local or remote attacks sooner or later. These invariants indicate three indispensable phases (startup, preparation, and attack) for a bot attack. In this paper, we propose BotTracer to detect these three phases with the assistance of virtual machine techniques. To validate BotTracer, we implement a prototype of BotTracer based on VMware and Windows XP Professional. The results show that BotTracer has successfully detected all the bots in the experiments without any false negatives.
منابع مشابه
DyVSoR: dynamic malware detection based on extracting patterns from value sets of registers
To control the exponential growth of malware files, security analysts pursue dynamic approaches that automatically identify and analyze malicious software samples. Obfuscation and polymorphism employed by malwares make it difficult for signature-based systems to detect sophisticated malware files. The dynamic analysis or run-time behavior provides a better technique to identify the threat. In t...
متن کاملAdaptability of IRC Botnet Detection Method to P2P Botnet Detection
This report mainly discusses the adaptability of the IRC-based Bot detection method to be used in the P2P-based Bot detection. The first section introduces the IRC-based bot and the newly appeared P2P-based bot to see their difference. The second section shows the related work and the traditional method of BOTNET detection. The third section discusses the methodology used by the IRC based Botne...
متن کاملNepenthes Honeypots based Botnet Detection
Thenumbers of the botnet attacks areincreasing day by day and the detection of botnet spreading in the network has become very challenging. Bots are having specific characteristics incomparison of normal malware as they are controlled by the remote master server and usually don’t show their behavior like normal malware until they don’t receive any command from their master server. Most of time ...
متن کاملCollecting and Analyzing Bots in a Systematic Honeynet-based Testbed Environment
Networks of compromised machines called botnets are one of the most threatening adversaries over the Internet due in large part to the difficulty of identifying botnet traffic patterns. We have witnessed that existing signature-based detection and protection methods are ineffective in dealing with new unknown bots. By slightly modifying the code of an existing bot, bot commanders can bypass mos...
متن کاملCombining Dynamic Passive Analysis and Active Fingerprinting for Effective Bot Malware Detection in Virtualized Environments
We propose a detection mechanism that takes the advantage of virtualized environment and combines both passive and active detection approaches for detecting bot malware. Our proposed passive detection agent lies in the virtual machine monitor to profile the bot behavior and check against it with other hosts. The proposed active detection agent that performs active bot fingerprinting can send sp...
متن کامل