BotCatch: A Behavior and Signature Correlated Bot Detection Approach

Botnet has become one of the most serious threats to Internet security. Compared with network-based bot detection approaches, host-based approaches can discover more insights of unknown bots, and we may completely eliminate bots if we can successfully detect them on end-host. Host-based approaches mainly include signature and behavior-based detection approaches. In this paper we propose a behavior and signature correlated bot detection approach, BotCatch. Firstly, we present the design of BotCatch. There are four components in BotCatch: analysis engine, signature analysis engine, behavior analysis engine, and correlation engine. The analysis engine assigns the suspicious sample to signature analysis engine and behavior analysis engine. These two engines analyze the sample and generate signature and behavior analysis result. Then correlation engine correlates these two analysis results to generate the final detection result. There is also a feedback mechanism which presents the correlation result to behavior analysis engine to guide its learning procedure. Secondly, we analyze the effectiveness of our correlation approach compared with signature-based and behavior-based bot detection approach. The analysis indicate that our correlation approach can effectively improve the detection accuracy. Thirdly, we evaluate our approach through experiments and the result indicate that our approach can detect bots effectively.