Detecting Bots Based on Keylogging Activities

Author

Al-Hammadi, Yousof ; Aickelin, Uwe

Author_Institution

Yousof Al-Hammadi & Uwe Aickelin Dept. of Comput. Sci. & Inf. Technol., Univ. of Nottingham, Nottingham

fYear

2008

Firstpage

896

Lastpage

902

Abstract

A bot is a piece of software that is usually installed on an infected machine without the user´s knowledge. A bot is controlled remotely by the attacker under a Command and Control structure. Recent statistics show that bots represent one of the fastest growing threats to our network by performing malicious activities such as email spamming or keylogging. However, few bot detection techniques have been developed to date. In this paper, we investigate a behavioural algorithm to detect a single bot that uses keylogging activity. Our approach involves the use of function calls analysis for the detection of the bot with a keylogging component. Correlation of the frequency of function calls made by the bot with other system signals during a specified time-window is performed to enhance the detection scheme. We perform a range of experiments with the spybot. Our results show that there is a high correlation between some function calls executed by this bot which indicates abnormal activity in our system.

Keywords

invasive software; behavioural algorithm; bot detection techniques; command and control structure; key logging activities; malicious activities; Availability; Command and control systems; Communication system control; Computer science; Computer security; Frequency; Information security; Information technology; Mice; Protocols; API function calls; Bot; Correlation; IRC;

fLanguage

English

Publisher

ieee

Conference_Titel

Availability, Reliability and Security, 2008. ARES 08. Third International Conference on

Conference_Location

Barcelona

Print_ISBN

978-0-7695-3102-1

Type

conf

DOI

10.1109/ARES.2008.58

Filename

4529439