Detecting bots based on key logging activities

Yousof Al-Hammadi, Uwe Aickelin

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

24 Scopus citations

Abstract

A bot is a piece of software that is usually installed on an infected machine without the user's knowledge. A bot is controlled remotely by the attacker under a Command and Control structure. Recent statistics show that bots represent one of the fastest growing threats to our network by performing malicious activities such as email spamming or keylogging. However, few bot detection techniques have been developed to date. In this paper, we investigate a behavioural algorithm to detect a single bot that uses keylogging activity. Our approach involves the use of function calls analysis for the detection of the bot with a keylogging component. Correlation of the frequency of function calls made by the bot with other system signals during a specified time-window is performed to enhance the detection scheme. We perform a range of experiments with the spybot. Our results show that there is a high correlation between some function calls executed by this bot which indicates abnormal activity in our system.

Original languageBritish English
Title of host publicationARES 2008 - 3rd International Conference on Availability, Security, and Reliability, Proceedings
Pages896-902
Number of pages7
DOIs
StatePublished - 2008
Event3rd International Conference on Availability, Security, and Reliability, ARES 2008 - Barcelona, Spain
Duration: 4 Mar 20087 Mar 2008

Publication series

NameARES 2008 - 3rd International Conference on Availability, Security, and Reliability, Proceedings

Conference

Conference3rd International Conference on Availability, Security, and Reliability, ARES 2008
Country/TerritorySpain
CityBarcelona
Period4/03/087/03/08

Keywords

  • API function calls
  • Bot
  • Correlation
  • IRC

Fingerprint

Dive into the research topics of 'Detecting bots based on key logging activities'. Together they form a unique fingerprint.

Cite this