Detecting Botnets Through Log Correlation
Yousof Al-Hammadi, Uwe Aickelin

TL;DR
This paper presents a log correlation method that detects botnets by monitoring abnormal changes in API call logs across multiple hosts, aiming to identify coordinated malicious activities.
Contribution
It introduces a novel botnet detection technique using log file size correlation from intercepted Windows API calls to identify abnormal activity.
Findings
Effective detection of botnets through log size correlation
Identifies abnormal activity patterns across hosts
Potential for real-time botnet detection
Abstract
Botnets, which consist of thousands of compromised machines, can cause significant threats to other systems by launching Distributed Denial of Service (DDoS) attacks, keylogging, and backdoors. In response to these threats, new effective techniques are needed to detect the presence of botnets. In this paper, we have used an interception technique to monitor Windows Application Programming Interface (API) function calls made by communication applications and store these calls with their arguments in log files. Our algorithm detects botnets based on monitoring abnormal activity by correlating the changes in log file sizes from different hosts.
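The following sketch illustrates the idea of correlating log-size changes across hosts. It is an example added here, not the authors' algorithm or code: the use of Pearson correlation, the 0.9 threshold, the peer count, the truncation handling, and the host names and byte counts are all assumptions made for illustration.

```python
from itertools import combinations
from math import sqrt

# Constructed sample: size in bytes of each host's API-call log,
# sampled at the same fixed interval on every host.
LOG_SIZES = {
    "host-a": [1000, 1040, 1090, 2900, 4800, 4850, 4900, 6700],
    "host-b": [500, 530, 555, 2300, 4200, 4230, 4260, 6100],
    "host-c": [800, 820, 850, 2700, 4500, 4540, 4570, 6400],
    "host-d": [300, 900, 950, 1000, 1700, 1750, 2500, 2550],
}

def deltas(sizes):
    """Per-interval log growth. A shrinking file is treated as a
    truncated/rotated log, so the new size counts as the growth (assumption)."""
    return [b - a if b >= a else b for a, b in zip(sizes, sizes[1:])]

def pearson(x, y):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0  # an idle host has no variation to correlate against
    return cov / sqrt(vx * vy)

def suspicious_hosts(log_sizes, threshold=0.9, min_peers=2):
    """Hosts whose log growth tracks that of at least `min_peers` other hosts.
    Both parameters are illustrative values, not taken from the paper."""
    growth = {host: deltas(sizes) for host, sizes in log_sizes.items()}
    peers = {host: 0 for host in growth}
    for a, b in combinations(sorted(growth), 2):
        if pearson(growth[a], growth[b]) >= threshold:
            peers[a] += 1
            peers[b] += 1
    return sorted(host for host, count in peers.items() if count >= min_peers)

if __name__ == "__main__":
    # host-a, host-b and host-c burst in the same intervals; host-d does not.
    print(suspicious_hosts(LOG_SIZES))
```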
