BotCatch: A Behavior and Signature Correlated Bot Detection Approach
Yuede Ji and Yukun He
College of Computer Science and Technology,
Jilin University,
Changchun Jilin, China,
Email: {jiyd12, heyk12}@mails.jlu.edu.cn
Qiang Li and Dong Guo
College of Computer Science and Technology,
Jilin University,
Changchun Jilin, China,
Email: {li qiang, guodong}@jlu.edu.cn
Abstract—Botnets have become one of the most serious threats to Internet security. Compared with network-based bot detection approaches, host-based approaches can provide more insight into unknown bots, and a bot can be completely eliminated if it is successfully detected on the end host. Host-based approaches mainly include signature-based and behavior-based detection approaches. In this paper we propose a behavior and signature correlated bot detection approach, BotCatch. Firstly, we present the design of BotCatch. BotCatch has four components: the analysis engine, the signature analysis engine, the behavior analysis engine, and the correlation engine. The analysis engine assigns the suspicious sample to the signature analysis engine and the behavior analysis engine. These two engines analyze the sample and generate a signature analysis result and a behavior analysis result. The correlation engine then correlates these two results to generate the final detection result. A feedback mechanism also presents the correlation result to the behavior analysis engine to guide its learning procedure. Secondly, we analyze the effectiveness of our correlation approach compared with signature-based and behavior-based bot detection approaches. The analysis indicates that our correlation approach can effectively improve detection accuracy. Thirdly, we evaluate our approach through experiments, and the results indicate that our approach can detect bots effectively.
Keywords—bot detection; host based; behavior and signature;
correlation; feedback;
I. INTRODUCTION
Botnets have become one of the most serious threats to Internet security [1]. A bot is a host compromised by malware and placed under the control of a botmaster through a Command and Control (C&C) channel (e.g., IRC, HTTP, or P2P). A large number of bots form a botnet. The botmaster can use the botnet to conduct various cyber crimes such as spreading malware, DDoS attacks, spamming, and phishing. Botnets have become the major platform for most online criminal activities.
In order to defend against bots, a great deal of research has been carried out on the detection of bots and botnets. According to where they execute, existing approaches can be divided into three categories: host-based approaches, network-based approaches, and host and network correlation approaches. (1) Host-based approaches mainly include signature-based and behavior-based detection approaches [2]. Signature-based detection approaches extract feature information from the suspicious program and match it against a knowledge database of existing bots, as Rishi does [3]. Behavior-based detection approaches monitor abnormal behaviors on the host to determine whether it is infected, such as the status of the operating system, the running status of suspicious programs, access to suspicious Registry keys and files, system call sequences, etc. [4], [5], [6]. (2) Network-based approaches mainly analyze network traffic to identify hosts with abnormal traffic [7]. Network-based approaches become ineffective when traffic is encrypted, C&C protocols change, and so on, and they are not able to identify the malicious process itself. (3) Host and network correlation approaches correlate host information with network traffic to detect bots [8], [9]. This is a new detection mechanism still at the exploration stage, because existing approaches of this kind still suffer from the problems of both host-based and network-based approaches.
Compared with network-based approaches, host-based approaches can provide more insight into unknown bots, and, more importantly, a bot can be completely eliminated if it is successfully detected on the end host. In signature-based bot detection approaches, neither the known bot programs nor the suspicious programs need to be run, so signature-based approaches carry low risk, whereas behavior-based approaches must run all of them and therefore carry high risk. Signature-based approaches generate the detection result by matching: if the match result reaches a given level, the program is regarded as a bot. Thus they can only detect known bots, or more precisely, only the bots in the knowledge database. Behavior-based approaches, by contrast, monitor real execution behaviors to determine whether a program is malicious, so they can detect unknown bots. Most signature-based approaches have low false positive rates because they rely on strict matching; their false negative rates vary with how far the test data diverge from the knowledge database. In behavior-based detection approaches, on the other hand, up-to-date bot programs use many hiding mechanisms and act like benign programs, so behavior-based approaches have lower detection accuracy. From the perspective of overhead, signature-based approaches only analyze the suspicious binary to extract its signature, while behavior-based approaches need to monitor all system calls. Thus signature-based approaches have low overhead and behavior-based approaches have high overhead. Up-to-date bots use many obfuscation techniques to evade detection; these techniques can evade signature-based approaches, while well-designed behavior-based approaches are still able to detect them. The comparison of these two approaches is summarized in Table I.
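The four-component design summarized in the abstract (analysis, signature, behavior and correlation engines, with feedback to the behavior engine) together with the signature/behavior trade-offs discussed in this section, as an added Python sketch that is not the authors' code. The knowledge database, the behavior weights and the correlation rule (a signature hit is decisive, otherwise the behavior threshold decides) are assumptions for illustration; the paper does not specify them here.

```python
import hashlib

# Constructed knowledge database (hypothetical hash and C&C byte patterns).
KNOWN_BOT_HASHES = {hashlib.sha256(b"constructed-known-bot").hexdigest()}
KNOWN_BOT_PATTERNS = [b"NICK botnode", b"JOIN #cc"]


def signature_engine(sample_bytes):
    """Static analysis: hash lookup, then byte-pattern match against the database."""
    if hashlib.sha256(sample_bytes).hexdigest() in KNOWN_BOT_HASHES:
        return True
    return any(p in sample_bytes for p in KNOWN_BOT_PATTERNS)


class BehaviorEngine:
    """Scores observed runtime behaviors with weights that feedback can adjust."""

    def __init__(self, threshold=1.0):
        # Initial weights are assumptions for illustration, not values from the paper.
        self.weights = {"autorun_registry_write": 0.4, "outbound_irc": 0.5,
                        "self_copy_to_system_dir": 0.4, "file_read": 0.0}
        self.threshold = threshold

    def score(self, behaviors):
        return sum(self.weights.get(b, 0.0) for b in behaviors)

    def feedback(self, behaviors, final_is_bot, rate=0.2):
        """Feedback from the correlation engine: if the behavior verdict disagreed
        with the final result, nudge the weights of the observed behaviors toward it."""
        if final_is_bot != (self.score(behaviors) >= self.threshold):
            delta = rate if final_is_bot else -rate
            for b in behaviors:
                self.weights[b] = max(0.0, self.weights.get(b, 0.0) + delta)


def botcatch(sample_bytes, behaviors, beh_engine):
    """Analysis engine: dispatch the sample to both engines, correlate, feed back."""
    sig_hit = signature_engine(sample_bytes)
    beh_score = beh_engine.score(behaviors)
    # Assumed correlation rule: a signature hit means a known bot; otherwise the
    # behavior score decides, so unknown bots can still be caught.
    is_bot = sig_hit or beh_score >= beh_engine.threshold
    beh_engine.feedback(behaviors, is_bot)
    return {"signature": sig_hit, "behavior_score": round(beh_score, 2), "bot": is_bot}
```

After a signature-confirmed bot, the feedback raises the weights of the behaviors it exhibited, so an unknown variant showing the same behaviors but no signature match then crosses the behavior threshold.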
2013 IEEE International Conference on High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing
978-0-7695-5088-6/13 $31.00 © 2013 IEEE
DOI 10.1109/HPCC.and.EUC.2013.230