BotTracer: Execution-based bot-like malware detection

Lei Liu; Songqing Chen; Guanhua Yan; Zhao Zhang

doi:10.1007/978-3-540-85886-7_7

BotTracer: Execution-based bot-like malware detection

Lei Liu
, Songqing Chen
, Guanhua Yan
, Zhao Zhang

School of Computing

Binghamton University

George Mason University
Iowa State University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

55 Scopus citations

Abstract

Bot-like malware has posed an immense threat to computer security. Bot detection is still a challenging task since bot developers are continuously adopting advanced techniques to make bots more stealthy. A typical bot exhibits three invariant features along its onset: (1) the startup of a bot is automatic without requiring any user actions; (2) a bot must establish a command and control channel with its botmaster; and (3) a bot will perform local or remote attacks sooner or later. These invariants indicate three indispensable phases (startup, preparation, and attack) for a bot attack. In this paper, we propose BotTracer to detect these three phases with the assistance of virtual machine techniques. To validate BotTracer, we implement a prototype of BotTracer based on VMware and Windows XP Professional. The results show that BotTracer has successfully detected all the bots in the experiments without any false negatives.

Original language	English
Title of host publication	Information Security - 11th International Conference, ISC 2008, Proceedings
Pages	97-113
Number of pages	17
DOIs	https://doi.org/10.1007/978-3-540-85886-7_7
State	Published - 2008
Event	11th International Conference on Information Security, ISC 2008 - Taipei, Taiwan, Province of China Duration: Sep 15 2008 → Sep 18 2008

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	5222 LNCS

Conference

Conference	11th International Conference on Information Security, ISC 2008
Country/Territory	Taiwan, Province of China
City	Taipei
Period	09/15/08 → 09/18/08

Keywords

Botnet
Malware detection
Virtual machine

Access to Document

10.1007/978-3-540-85886-7_7

Cite this

Liu, L., Chen, S., Yan, G., & Zhang, Z. (2008). BotTracer: Execution-based bot-like malware detection. In Information Security - 11th International Conference, ISC 2008, Proceedings (pp. 97-113). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5222 LNCS). https://doi.org/10.1007/978-3-540-85886-7_7

@inproceedings{a7987337b9cb46fb8c288937a08c4387,

title = "BotTracer: Execution-based bot-like malware detection",

abstract = "Bot-like malware has posed an immense threat to computer security. Bot detection is still a challenging task since bot developers are continuously adopting advanced techniques to make bots more stealthy. A typical bot exhibits three invariant features along its onset: (1) the startup of a bot is automatic without requiring any user actions; (2) a bot must establish a command and control channel with its botmaster; and (3) a bot will perform local or remote attacks sooner or later. These invariants indicate three indispensable phases (startup, preparation, and attack) for a bot attack. In this paper, we propose BotTracer to detect these three phases with the assistance of virtual machine techniques. To validate BotTracer, we implement a prototype of BotTracer based on VMware and Windows XP Professional. The results show that BotTracer has successfully detected all the bots in the experiments without any false negatives.",

keywords = "Botnet, Malware detection, Virtual machine",

author = "Lei Liu and Songqing Chen and Guanhua Yan and Zhao Zhang",

year = "2008",

doi = "10.1007/978-3-540-85886-7\_7",

language = "English",

isbn = "3540858849",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "97--113",

booktitle = "Information Security - 11th International Conference, ISC 2008, Proceedings",

note = "11th International Conference on Information Security, ISC 2008 ; Conference date: 15-09-2008 Through 18-09-2008",

}

Liu, L, Chen, S, Yan, G & Zhang, Z 2008, BotTracer: Execution-based bot-like malware detection. in Information Security - 11th International Conference, ISC 2008, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5222 LNCS, pp. 97-113, 11th International Conference on Information Security, ISC 2008, Taipei, Taiwan, Province of China, 09/15/08. https://doi.org/10.1007/978-3-540-85886-7_7

BotTracer: Execution-based bot-like malware detection. / Liu, Lei; Chen, Songqing; Yan, Guanhua et al.
Information Security - 11th International Conference, ISC 2008, Proceedings. 2008. p. 97-113 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5222 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - BotTracer

T2 - 11th International Conference on Information Security, ISC 2008

AU - Liu, Lei

AU - Chen, Songqing

AU - Yan, Guanhua

AU - Zhang, Zhao

PY - 2008

Y1 - 2008

N2 - Bot-like malware has posed an immense threat to computer security. Bot detection is still a challenging task since bot developers are continuously adopting advanced techniques to make bots more stealthy. A typical bot exhibits three invariant features along its onset: (1) the startup of a bot is automatic without requiring any user actions; (2) a bot must establish a command and control channel with its botmaster; and (3) a bot will perform local or remote attacks sooner or later. These invariants indicate three indispensable phases (startup, preparation, and attack) for a bot attack. In this paper, we propose BotTracer to detect these three phases with the assistance of virtual machine techniques. To validate BotTracer, we implement a prototype of BotTracer based on VMware and Windows XP Professional. The results show that BotTracer has successfully detected all the bots in the experiments without any false negatives.

AB - Bot-like malware has posed an immense threat to computer security. Bot detection is still a challenging task since bot developers are continuously adopting advanced techniques to make bots more stealthy. A typical bot exhibits three invariant features along its onset: (1) the startup of a bot is automatic without requiring any user actions; (2) a bot must establish a command and control channel with its botmaster; and (3) a bot will perform local or remote attacks sooner or later. These invariants indicate three indispensable phases (startup, preparation, and attack) for a bot attack. In this paper, we propose BotTracer to detect these three phases with the assistance of virtual machine techniques. To validate BotTracer, we implement a prototype of BotTracer based on VMware and Windows XP Professional. The results show that BotTracer has successfully detected all the bots in the experiments without any false negatives.

KW - Botnet

KW - Malware detection

KW - Virtual machine

UR - https://www.scopus.com/pages/publications/56649124591

U2 - 10.1007/978-3-540-85886-7_7

DO - 10.1007/978-3-540-85886-7_7

M3 - Conference contribution

SN - 3540858849

SN - 9783540858843

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 97

EP - 113

BT - Information Security - 11th International Conference, ISC 2008, Proceedings

Y2 - 15 September 2008 through 18 September 2008

ER -

BotTracer: Execution-based bot-like malware detection

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this