International Conference on Information Security Practice and Experience

ISPEC 2014: Information Security Practice and Experience pp 75-89

A Mulitiprocess Mechanism of Evading Behavior-Based Bot Detection Approaches

  • Yuede Ji
  • Yukun He
  • Dewei Zhu
  • Qiang Li
  • Dong Guo
Conference paper

DOI: 10.1007/978-3-319-06320-1_7

Volume 8434 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Ji Y., He Y., Zhu D., Li Q., Guo D. (2014) A Mulitiprocess Mechanism of Evading Behavior-Based Bot Detection Approaches. In: Huang X., Zhou J. (eds) Information Security Practice and Experience. ISPEC 2014. Lecture Notes in Computer Science, vol 8434. Springer, Cham

Abstract

Botnets have become one of the most serious threats to Internet security. Classified by detection location, existing approaches fall into two categories: host-based and network-based. Among host-based approaches, behavior-based ones are more practical and effective because they can detect the specific malicious process. However, most of these approaches target the conventional single-process bot; if a bot is separated into two or more processes, they become less effective. In this paper, we propose a new bot evasion mechanism, the multiprocess mechanism. We first identify two specific features of a multiprocess bot: separating the C&C connection from the malicious behaviors, and assigning the malicious behaviors to several processes. We then analyze theoretically why behavior-based bot detection approaches are less effective against a multiprocess bot. After that, we present two critical challenges of implementing a multiprocess bot. We then implement a single-process and a multiprocess bot and use signature- and behavior-based detection approaches to evaluate them. The results indicate that the multiprocess bot can effectively decrease the detection probability compared with the single-process bot. Finally, we propose possible multiprocess bot architectures and extension rules, which we expect to cover most situations.

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Yuede Ji (1)
  • Yukun He (1)
  • Dewei Zhu (1)
  • Qiang Li (1)
  • Dong Guo (1)

  1. College of Computer Science and Technology, Jilin University, Changchun, China