Detection of Zeus Bot Based on Host and Network Activities

Conference paper
Security in Computing and Communications (SSCC 2017)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 746)

Abstract

A botnet is a network of host machines infected by malicious code. The infected machines are bots that perform illegitimate activities under the direction of a bot master who has remote control over them. An infected bot machine performs actions such as key logging, information harvesting, and Denial of Service. The challenge is to identify Zeus bot activity by monitoring both the network and the host. Monitoring network activity reveals the communication patterns between the bot and the outside network; monitoring host activity can effectively identify abnormal behaviour on the machine itself. In this paper we propose a methodology to analyse and identify the presence of the Zeus bot. The analysis is performed by observing the host and network activities of a machine. Based on this analysis we propose a system consisting of three modules: folder monitoring, network monitoring, and API hook monitoring. The folder monitoring module watches the folder in which the Zeus bot executable is stored. The network monitoring module captures the host's network traffic live and compares it with a predefined pattern describing the communication between the bot and its master; the pattern is fixed by monitoring the network traffic of the host machine before and after infection. The API hook monitoring module monitors the API hooks used for stealing credentials. Finally, an integrated decision module is triggered, which decides whether the system is infected by the Zeus bot based on three conditions.

Correspondence to Ramesh Kalpika.

Copyright information

© 2017 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Kalpika, R., Vasudevan, A.R. (2017). Detection of Zeus Bot Based on Host and Network Activities. In: Thampi, S., Martínez Pérez, G., Westphall, C., Hu, J., Fan, C., Gómez Mármol, F. (eds) Security in Computing and Communications. SSCC 2017. Communications in Computer and Information Science, vol 746. Springer, Singapore. https://doi.org/10.1007/978-981-10-6898-0_5

  • DOI: https://doi.org/10.1007/978-981-10-6898-0_5

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-6897-3

  • Online ISBN: 978-981-10-6898-0
