Detecting Bots Based on Keylogging Activities

TL;DR

This paper presents a behavioral detection method for identifying keylogging bots by analyzing function call patterns and their correlation over time, demonstrating high detection accuracy through experiments.

Contribution

It introduces a novel behavioral algorithm that detects keylogging bots by analyzing function call correlations, an area with limited prior research.

Findings

High correlation between specific function calls indicates bot activity.

The detection method effectively identifies keylogging bots in experimental settings.

Behavioral analysis enhances bot detection accuracy.

Abstract

A bot is a piece of software that is usually installed on an infected machine without the user's knowledge. A bot is controlled remotely by the attacker under a Command and Control structure. Recent statistics show that bots represent one of the fastest growing threats to our network by performing malicious activities such as email spamming or keylogging. However, few bot detection techniques have been developed to date. In this paper, we investigate a behavioural algorithm to detect a single bot that uses keylogging activity. Our approach involves the use of function calls analysis for the detection of the bot with a keylogging component. Correlation of the frequency of a specified time-window is performed to enhance he detection scheme. We perform a range of experiments with the spybot. Our results show that there is a high correlation between some function calls executed by this bot which indicates abnormal activity in our system.