BotRevealer: Behavioral Detection of Botnets based on Botnet Life-cycle

Nowadays, botnets are considered as essential tools for planning serious cyberattacks. Botnets are used to perform various malicious activities such as DDoSattacks and sending spam emails. Different approaches are presented to detectbotnets; however most of them may be ineffective when there are only a fewinfected hosts in monitored network, as they rely on similarity in bots activitiesto detect the botnet. In this paper, we present a host-based method that candetect individual bot-infected hosts. This approach is based on botnet life-cycle,which includes common symptoms of almost all types of botnet despite theirdifferences. We analyze network activities of each process running on thehost and propose some heuristics to distinguish behavioral patterns of botprocess from legitimate ones based on statistical features of packet sequencesand evaluating an overall security risk for it. To show the effectiveness of theapproach, a tool named BotRevealer has been implemented and evaluatedusing real botnets and several popular applications. The results show that inspite of diversity of botnets, BotRevealer can effectively detect the bot processamong other active processes.