Catching modern botnets using active integrated evidential reasoning

Abstract

Botnets are now recognized as one of the major security threats and are used to launch various attacks (e.g., spamming, DDoS). Although substantial research has been done on botnet detection, detection is becoming much more difficult today, especially for highly polymorphic, intelligent and stealthy modern botnets. Traditional botnet detection approaches (e.g., signature-, anomaly- or flow-based) cannot effectively detect modern botnets. In this paper, we propose a novel active integrated evidential reasoning approach called SeeBot to detect modern botnets. SeeBot can seamlessly and incrementally combine host- and network-level evidence and incorporate active actions into the passive evidential reasoning process to improve the efficiency and accuracy of botnet detection. Our experiments show that both the performance and the accuracy of botnet detection can be greatly improved by active evidential reasoning, especially when the evidence is weak, hidden or lost. © 2013 Tang et al.; licensee Springer.

Cite

Tang, Y., Cheng, G., Yu, J. T., & Zhang, B. (2013). Catching modern botnets using active integrated evidential reasoning. Journal of Internet Services and Applications, 4(1), 1–10. https://doi.org/10.1186/1869-0238-4-20
