Host-Based Bot Detection Using Destination White-Lists for User’s Profile

  • B. Soniya
  • M. Wilscy
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 176)


Bots have become a popular vehicle for Internet crime. Bot detection is still a challenging task since bot developers come up with techniques for evading detection. Most bot detection techniques are network based and rely on correlation of behavior among similar hosts. Besides, network based systems deal with voluminous traffic and result in non-negligible false alarms. We propose a host-based detection technique leveraging the recurring patterns in the traffic generated by processes in a single user’s profile. From outgoing traffic in an un-infected host, destination white-lists for a user profile are generated. These white-lists along with bot behavior are used for detection. We were able to detect two real life bots using our method.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Gu, G., Perdisci, R., Zhang, J., Lee, W., et al.: BotMiner: Clustering analysis of network traffic for protocol-and structure-independent botnet detection. In: Proceedings of the 17th Conference on Security Symposium (SS 2008). USENIX Association, Berkeley (2008)Google Scholar
  2. 2.
    Zang, X., Tangpong, A., Kesidis, G., Miller, D.J.: CSE Dept Technical Report on Botnet Detection through Fine Flow Classification Report No. CSE11-001 (2011)Google Scholar
  3. 3.
    Law, F.Y.W., Chow, K.P., Lai, P.K.Y., Tse, H.K.S.: A Host-Based Approach to BotNet Investigation? In: Goel, S. (ed.) ICDF2C 2009. LNICST, vol. 31, pp. 161–170. Springer, Heidelberg (2010)Google Scholar
  4. 4.
    Fedynyshyn, G., Chuah, M.C., Tan, G.: Detection and Classification of Different Botnet C&C Channels. In: Calero, J.M.A., Yang, L.T., Mármol, F.G., García Villalba, L.J., Li, A.X., Wang, Y. (eds.) ATC 2011. LNCS, vol. 6906, pp. 228–242. Springer, Heidelberg (2011)Google Scholar
  5. 5.
    Strayer, W., Lapsley, D., Walsh, B., Livadas, C.: Botnet Detection Based on Network Behavior. In: Botnet Detection. Advances in Information Security, vol. 36, pp. 1–24. Springer, Heidelberg (2008)Google Scholar
  6. 6.
    Borgaonkar, R.: An Analysis of the Asprox Botnet. In: 4th International Conference on Emerging Security Information Systems and Technologies (2010)Google Scholar
  7. 7.
    Stone-Gross, B., et al.: Your Botnet is My Botnet: Analysis of a Botnet Takeover. In: CCS 2009 Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, New York (2009)Google Scholar
  8. 8.
    Binsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M., Wang, L.: On the Analysis of the Zeus Botnet Crimeware Toolkit. In: Eighth Annual International Conference on Privacy, Security and TrustGoogle Scholar
  9. 9.
    Sinha, P., Boukhtouta, A., Belarde, V.H., Debbabi, M.: Insights from the Analysis of the Mariposa Botnet. In: Fifth International Conference on Risks and Security of Internet Systems (2010)Google Scholar
  10. 10.
    Takemori, K., Nishigaki, M., Takami, T., Miyake, Y.: Detection of Bot Infected PCs using Destination-based IP and Domain Whitelists during a non-operating term. In: IEEE Global Telecommunications Conference, IEEE GLOBECOM (2008)Google Scholar
  11. 11.
    Liu, L., Chen, S., Yan, G., Zhang, Z.: BotTracer: Execution-Based Bot-Like Malware Detection. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 97–113. Springer, Heidelberg (2008)Google Scholar
  12. 12.
    Morales, J.A., Kartaltepe, E., Xu, S., Sandhu, R.: Symptoms-Based Detection of Bot Processes. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2010. LNCS, vol. 6258, pp. 229–241. Springer, Heidelberg (2010)Google Scholar
  13. 13.
    Xiong, H., Malhotra, P., Stefan, D., Wu, C., Yao, D.: User-Assisted Host-Based Detection of Outbound Malware Traffic. In: Qing, S., Mitchell, C.J., Wang, G. (eds.) ICICS 2009. LNCS, vol. 5927, pp. 293–307. Springer, Heidelberg (2009)Google Scholar
  14. 14.
    Kwon, J., Lee, J., Lee, H.: Hidden Bot Detection by Tracing Non-human Generated Traffic at the Zombie Host. In: Bao, F., Weng, J. (eds.) ISPEC 2011. LNCS, vol. 6672, pp. 343–361. Springer, Heidelberg (2011)Google Scholar
  15. 15.
    Nazario, J.: Blackenergy DDoS bot analysis. Arbor Networks, Tech. Rep. (2007)Google Scholar
  16. 16.

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  1. 1.Dept. of Computer ScienceKerala UniversityKaryavattomIndia

Personalised recommendations