
A Multiprocess Mechanism of Evading Behavior-Based Bot Detection Approaches

Conference paper in: Information Security Practice and Experience (ISPEC 2014), Lecture Notes in Computer Science, volume 8434

Abstract

Botnets have become one of the most serious threats to Internet security. Existing detection approaches can be classified by where detection takes place: on the host or in the network. Among host-based approaches, behavior-based detection is the more practical and effective, because it can pinpoint the specific malicious process. However, most of these approaches target the conventional single-process bot; if a bot is split into two or more processes, they become less effective. In this paper we propose a new bot evasion mechanism, the multiprocess mechanism. We first identify two defining features of a multiprocess bot: separating the C&C connection from the malicious behaviors, and distributing the malicious behaviors across several processes. We then analyze theoretically why behavior-based bot detection approaches are less effective against a multiprocess bot, and present two critical challenges in implementing one. We implement both a single-process and a multiprocess bot and evaluate them against signature-based and behavior-based detection approaches. The results indicate that the multiprocess bot substantially lowers the probability of detection compared with the single-process bot. Finally, we propose possible multiprocess bot architectures and rules for extending them, which we expect to cover most situations.
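The abstract's core claim, that a per-process behavior detector loses the C&C-plus-malicious-behavior correlation once a bot is split across processes, can be shown on a small constructed trace. The example below is an added illustration, not code from the paper or its authors: the event labels (`net_connect`, `set_autorun`, `hook_keyboard`, `read_browser_creds`, `ipc`), the pids and the two traces are all made up, and the detector is a deliberately simple "C&C connection AND at least one malicious behavior in the same process" rule standing in for the behavior-based approaches the paper evaluates. A second detector widens the unit of analysis from a single pid to a group of processes linked by parent/child lineage or by observed IPC, which is the kind of correlation the multiprocess design is meant to defeat when the helper process is launched independently and coordinates only over a covert channel.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Illustrative behaviour labels (assumed for this example, not the paper's feature set).
CNC = "net_connect"
MALICIOUS = {"set_autorun", "hook_keyboard", "read_browser_creds"}


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    kind: str        # a behaviour label above, or "ipc" for an inter-process link
    detail: str = ""  # peer address for net_connect, peer pid (as text) for ipc


# Constructed trace of a single-process bot: one pid does C&C and every malicious action.
SINGLE = [
    Event(100, 1, CNC, "203.0.113.5:443"),
    Event(100, 1, "set_autorun"),
    Event(100, 1, "hook_keyboard"),
    Event(100, 1, "read_browser_creds"),
]

# Constructed trace of a multiprocess bot: C&C in one pid, each behaviour in another.
# 201/202 are children of the C&C process; 203 is launched independently (ppid 1)
# and is tied to the C&C process only by an IPC channel.
MULTI = [
    Event(200, 1, CNC, "203.0.113.5:443"),
    Event(201, 200, "set_autorun"),
    Event(202, 200, "hook_keyboard"),
    Event(203, 1, "read_browser_creds"),
    Event(200, 1, "ipc", "203"),
    Event(203, 1, "ipc", "200"),
]


def _suspicious(kinds: set) -> bool:
    """Detector rule: C&C connection AND at least one malicious behaviour in the same unit."""
    return CNC in kinds and bool(kinds & MALICIOUS)


def per_process_verdicts(events: Iterable[Event]) -> dict:
    """Conventional per-process behaviour detector: the unit of analysis is one pid."""
    by_pid = defaultdict(set)
    for e in events:
        by_pid[e.pid].add(e.kind)
    return {pid: _suspicious(kinds) for pid, kinds in by_pid.items()}


def _components(events: list, link_parent: bool, link_ipc: bool) -> dict:
    """Union-find over pids; edges come from parent/child lineage and/or IPC events.
    A ppid is only used as an edge if that pid itself produced events, so the
    system root (pid 1) does not glue unrelated processes together."""
    pids = {e.pid for e in events}
    parent = {p: p for p in pids}

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a: int, b: int) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for e in events:
        if link_parent and e.ppid in pids:
            union(e.pid, e.ppid)
        if link_ipc and e.kind == "ipc" and int(e.detail) in pids:
            union(e.pid, int(e.detail))
    return {p: find(p) for p in pids}


def correlated_verdicts(events: Iterable[Event], link_parent: bool = True,
                        link_ipc: bool = True) -> dict:
    """Correlating detector: the unit of analysis is a group of linked processes."""
    events = list(events)
    root_of = _components(events, link_parent, link_ipc)
    kinds_of, members = defaultdict(set), defaultdict(set)
    for e in events:
        r = root_of[e.pid]
        kinds_of[r].add(e.kind)
        members[r].add(e.pid)
    return {frozenset(members[r]): _suspicious(k) for r, k in kinds_of.items()}


def flagged(verdicts: dict) -> set:
    """Flatten either verdict map (pid keys or pid-set keys) to the set of flagged pids."""
    out = set()
    for key, hit in verdicts.items():
        if hit:
            out |= {key} if isinstance(key, int) else set(key)
    return out


if __name__ == "__main__":
    print("single-process, per-process detector:", flagged(per_process_verdicts(SINGLE)))
    print("multiprocess,   per-process detector:", flagged(per_process_verdicts(MULTI)))
    print("multiprocess,   lineage only:        ", flagged(correlated_verdicts(MULTI, link_ipc=False)))
    print("multiprocess,   lineage + IPC:       ", flagged(correlated_verdicts(MULTI)))
```

Running it shows the pattern the abstract describes: the per-process rule flags pid 100 in the single-process trace and nothing at all in the multiprocess trace. Correlating over parent/child lineage recovers the C&C process and its two children but still misses the independently launched pid 203, and only adding the IPC edge brings the whole group back into one suspicious unit. That is why the paper treats concealing the inter-process channel as an implementation challenge for the bot, and why a defender's correlation must reach beyond process lineage.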




Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

Ji, Y., He, Y., Zhu, D., Li, Q., Guo, D. (2014). A Mulitiprocess Mechanism of Evading Behavior-Based Bot Detection Approaches. In: Huang, X., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2014. Lecture Notes in Computer Science, vol 8434. Springer, Cham. https://doi.org/10.1007/978-3-319-06320-1_7

  • DOI: https://doi.org/10.1007/978-3-319-06320-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-06319-5

  • Online ISBN: 978-3-319-06320-1
