Detecting Response-Delayed Bot by Correlating Host Behavior and Network Activity

2014 
Botnets have become a serious threat to network security. A new generation of bots adopts evasion techniques to escape detection by antivirus software. A response-delayed bot evades existing correlation-based detection approaches by waiting a random time between its host behavior and the corresponding network activity. We propose a novel correlation detection approach for this kind of bot. We use a sliding time window iterative algorithm to handle the problem that the host behavior and network activity of such a bot may fall into different time windows, which is shown to improve detection accuracy. We use a recommendation algorithm to correlate host behavior and network activity, which removes the need for host-based detection tools to be deployed on every host and improves both robustness and detection accuracy. We analyze the influence of sliding time window size and host detection tool deployment rate on detection accuracy. Experimental results indicate that our approach detects response-delayed bots effectively: when the deployment rate of host detection tools reaches 80%, the overall detection accuracy, counting hosts without detection tools, reaches 88%.
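The window-boundary problem the abstract describes, as an added Python illustration (not the paper's code or data): a response-delayed bot's host alert and network alert can land in two different fixed time windows, so bucketing by window misses the pair, whereas a sliding window anchored at the host event still catches it. The event format, host names, the 60-second window, the uniform delay model and the constructed sample events are all assumptions made for the illustration; the paper's recommendation step for hosts without detection tools is not modelled here.

```python
"""Fixed-window vs sliding-window correlation of host and network alerts.

Constructed illustration (not the paper's implementation) of why a
response-delayed bot defeats fixed time windows: the bot waits a random
time between its host behaviour (e.g. a suspicious process start) and its
network activity (e.g. a C2 connection), so the two alerts may straddle a
window boundary.
"""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float      # seconds since start of capture (assumed format)
    host: str     # hypothetical host identifier
    kind: str     # "host" = host-behaviour alert, "net" = network alert


def fixed_window_correlate(events, window):
    """Flag hosts that have both a host and a net alert inside the same
    fixed window [k*window, (k+1)*window). Returns the set of flagged hosts."""
    seen = defaultdict(set)  # (host, bucket index) -> alert kinds seen there
    for e in events:
        seen[(e.host, int(e.t // window))].add(e.kind)
    return {host for (host, _), kinds in seen.items() if {"host", "net"} <= kinds}


def sliding_window_correlate(events, window):
    """Flag a host if a net alert occurs within `window` seconds after one
    of its host alerts, independent of any fixed window boundaries."""
    host_times = defaultdict(list)
    net_times = defaultdict(list)
    for e in events:
        (host_times if e.kind == "host" else net_times)[e.host].append(e.t)
    flagged = set()
    for host, hts in host_times.items():
        nts = net_times.get(host, [])
        for th in hts:
            # Window slides with the host alert: look for a net alert in [th, th + window].
            if any(th <= tn <= th + window for tn in nts):
                flagged.add(host)
                break
    return flagged


# Constructed sample: hostA and hostB are infected, hostC is benign.
SAMPLE_EVENTS = [
    Event(10.0, "hostB", "host"),
    Event(12.0, "hostB", "net"),    # response 2 s later, same 60 s bucket
    Event(58.0, "hostA", "host"),
    Event(63.0, "hostA", "net"),    # response 5 s later, but crosses the 60 s boundary
    Event(20.0, "hostC", "net"),    # benign: network alert with no host alert nearby
    Event(130.0, "hostC", "host"),  # benign: host alert with no network alert nearby
]


def simulate_detection_rate(n_bots, max_delay, window, seed=0):
    """Simulate `n_bots` bots, each waiting Uniform(0, max_delay) seconds
    between host behaviour and network activity (assumed delay model), and
    return (fixed_window_rate, sliding_window_rate) for the given window size."""
    rng = random.Random(seed)
    events = []
    for i in range(n_bots):
        host = f"bot{i}"
        th = rng.uniform(0, 1000)
        events.append(Event(th, host, "host"))
        events.append(Event(th + rng.uniform(0, max_delay), host, "net"))
    fixed = len(fixed_window_correlate(events, window)) / n_bots
    sliding = len(sliding_window_correlate(events, window)) / n_bots
    return fixed, sliding


if __name__ == "__main__":
    print("fixed window  :", sorted(fixed_window_correlate(SAMPLE_EVENTS, 60)))
    print("sliding window:", sorted(sliding_window_correlate(SAMPLE_EVENTS, 60)))
    # Influence of window size on detection rate, as the abstract analyses it.
    for w in (10, 30, 60, 120):
        fixed, sliding = simulate_detection_rate(1000, 60, w)
        print(f"window={w:>3}s  fixed={fixed:.2f}  sliding={sliding:.2f}")
```

On the sample, the fixed window flags only hostB; the sliding window flags hostA as well, because 63 s lies within 60 s of the host alert at 58 s even though it falls in the next bucket. In the simulation, the sliding window reaches a detection rate of 1.0 as soon as the window is at least the bot's maximum delay, while the fixed window never does, since a bot whose pair straddles a boundary is missed whatever the window size; larger windows trade this off against more benign coincidences, which is the accuracy-versus-window-size tradeoff the abstract evaluates.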