Title :
Detection of Bot Infected PCs Using Destination-Based IP and Domain Whitelists During a Non-Operating Term
Author :
Takemori, Keisuke ; Nishigaki, Masakatsu ; Takami, Tomohiro ; Miyake, Yutaka
Author_Institution :
KDDI R&D Labs. Inc., Fujimino
Abstract :
Spam e-mails and distributed denial of service (DDoS) attacks have become critical issues for the Internet. These attacks are considered to be sent from bot infected PCs. Because a bot communicates with a malicious controller over an encrypted channel and updates its code frequently, it is difficult to detect infected personal computers (PCs) with pattern-based intrusion detection systems (IDSs) and antivirus systems (AVs). Because the bot process sends attack and control packets independently of user operation, a behavior monitor is effective at detecting anomalous communication. In this paper, we propose a bot detection technique that checks outbound packets against destination-based whitelists. If any outbound packet during the non-operating term does not match the whitelists, the PC is considered to be infected by a bot. The whitelists are sets of destination IP addresses and/or domain names (DNs) that are collected by monitoring outbound packets from an uninfected PC. Because many IPs and DNs can be grouped into a few sub-networks and superior (parent) DNs, the destination-based whitelists are easier to maintain than pattern-based IDS/AV signatures. We implement the proposed system as a host-based detector and evaluate false negative (FN) and false positive (FP) frequencies for the detection of bot activities.
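The detection logic the abstract describes, as an added illustration that is not the authors' implementation: a whitelist is learned from outbound connections of a clean host by grouping IPs into sub-networks and names into parent domains, and any outbound connection that falls in the non-operating term (here assumed to mean no user input for a configurable number of seconds) and matches neither list raises an alert. The /24 grouping, the two-label parent-domain rule, the 600-second idle threshold and all addresses and names (RFC 5737 documentation ranges, reserved example domains) are constructed assumptions for this example, not values from the paper.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, List, Set, Tuple


@dataclass(frozen=True)
class Outbound:
    """One outbound connection seen by the host-based monitor."""
    ts: datetime
    dst_ip: str
    dst_name: Optional[str]  # resolved destination name, None if unknown


def build_whitelist(baseline: List[Outbound], prefixlen: int = 24,
                    labels: int = 2) -> Tuple[Set, Set[str]]:
    """Learn destination whitelists from a clean host's outbound traffic.

    IPs are grouped into /prefixlen sub-networks and names into their
    last `labels` labels (the 'superior' domain). Both groupings are
    assumptions chosen for this example.
    """
    nets, domains = set(), set()
    for ev in baseline:
        nets.add(ipaddress.ip_network(f"{ev.dst_ip}/{prefixlen}", strict=False))
        if ev.dst_name:
            parts = ev.dst_name.lower().rstrip(".").split(".")
            domains.add(".".join(parts[-labels:]))
    return nets, domains


def is_whitelisted(ev: Outbound, nets: Set, domains: Set[str]) -> bool:
    """A destination passes if its IP is in a listed sub-network OR its
    name is equal to, or a subdomain of, a listed superior domain."""
    ip = ipaddress.ip_address(ev.dst_ip)
    if any(ip in net for net in nets):
        return True
    if ev.dst_name:
        name = ev.dst_name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in domains)
    return False


def in_non_operating_term(ts: datetime, last_user_input: datetime,
                          idle_seconds: int = 600) -> bool:
    """Non-operating term: no keyboard/mouse input for idle_seconds."""
    return (ts - last_user_input).total_seconds() >= idle_seconds


def detect(events: List[Outbound], nets: Set, domains: Set[str],
           last_user_input: datetime, idle_seconds: int = 600) -> List[Outbound]:
    """Return outbound events that occur while the user is idle and whose
    destination matches neither whitelist."""
    alerts = []
    for ev in events:
        if not in_non_operating_term(ev.ts, last_user_input, idle_seconds):
            continue  # user is active: unknown destinations are expected
        if not is_whitelisted(ev, nets, domains):
            alerts.append(ev)
    return alerts


# Constructed baseline: outbound connections recorded on an uninfected PC.
BASELINE = [
    Outbound(datetime(2024, 1, 1, 8, 0), "93.184.216.34", "www.example.com"),
    Outbound(datetime(2024, 1, 1, 8, 1), "192.0.2.10", "mail.example.net"),
    Outbound(datetime(2024, 1, 1, 8, 2), "198.51.100.5", "updates.example.org"),
]

# Constructed observation window; last user input at 09:00.
LAST_USER_INPUT = datetime(2024, 1, 1, 9, 0)
OBSERVED = [
    Outbound(datetime(2024, 1, 1, 9, 2), "192.0.2.77", "www.example.net"),      # active term
    Outbound(datetime(2024, 1, 1, 9, 5), "203.0.113.9", None),                  # active term, skipped
    Outbound(datetime(2024, 1, 1, 9, 20), "93.184.216.100", "cdn.example.com"),  # idle, in /24
    Outbound(datetime(2024, 1, 1, 9, 25), "203.0.113.9", None),                 # idle, unknown -> alert
    Outbound(datetime(2024, 1, 1, 9, 30), "198.51.100.200", "other.example.test"),  # idle, IP listed
    Outbound(datetime(2024, 1, 1, 9, 31), "203.0.113.50", "srv.example.test"),  # idle, unknown -> alert
]


def run_sample() -> List[Outbound]:
    nets, domains = build_whitelist(BASELINE)
    return detect(OBSERVED, nets, domains, LAST_USER_INPUT)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a.ts.isoformat()} -> {a.dst_ip} ({a.dst_name})")
```

Two of the six observed connections are flagged: the two idle-period connections to 203.0.113.0/24, which neither baseline sub-network nor baseline domain covers. The connection at 09:05 to the same unknown address is deliberately not flagged, because it falls in the operating term where a user may legitimately visit new destinations; this is the trade-off the abstract relies on to keep false positives down, and the cost is that bot traffic sent while the user is active is missed.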
Keywords :
IP networks; Internet; computer viruses; cryptography; telecommunication security; unsolicited e-mail; DDoS; Internet; anomaly communication detection; antivirus system; behavior monitor; bot infected PC detection; destination-based IP; distributed denial of service attack; domain name; domain whitelist; encrypted channel; pattern-based intrusion detection system; spam e-mail; Communication system control; Computer crime; Control systems; Cryptography; Electronic mail; Intrusion detection; Microcomputers; Personal communication networks; Unsolicited electronic mail; Web and internet services;
Conference_Title :
Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008. IEEE
Conference_Location :
New Orleans, LA
Print_ISBN :
978-1-4244-2324-8
DOI :
10.1109/GLOCOM.2008.ECP.399