Botnets have become one of the most serious threats to Internet security. By detection location, existing approaches fall into two categories: host-based and network-based. Among host-based approaches, behavior-based ones are more practical and effective because they can pinpoint the specific malicious process. However, most of these approaches target the conventional single-process bot; if a bot is split into two or more processes, they become less effective. In this paper, we propose a new bot evasion mechanism, the multiprocess mechanism. We first identify two specific features of a multiprocess bot: separating the C&C connection from the malicious behaviors, and distributing the malicious behaviors across several processes. We then analyze theoretically why behavior-based bot detection approaches are less effective against a multiprocess bot. After that, we present two critical challenges in implementing a multiprocess bot. We then implement both a single-process and a multiprocess bot and evaluate them with signature-based and behavior-based detection approaches. The results indicate that the multiprocess bot effectively decreases the detection probability compared with the single-process bot. Finally, we propose possible multiprocess bot architectures and extension rules, which we expect to cover most situations.
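As an added illustration (not code from the paper) of why per-process behavior scoring loses effectiveness against a multiprocess bot, the following Python compares scoring each process on its own with scoring the whole process tree, on a constructed event log; the behavior names, weights and threshold are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample telemetry: (pid, parent pid, observed behavior).
# Behaviors follow the abstract's split: C&C traffic vs. local malicious actions.
EVENTS = [
    # single-process bot: pid 100 connects to C&C and does all the work itself
    (100, 1, "cnc_connect"), (100, 1, "keylog"), (100, 1, "spam"),
    # multiprocess bot: pid 200 only holds the C&C connection,
    # its child processes 201 and 202 carry out the malicious behaviors
    (200, 1, "cnc_connect"), (201, 200, "keylog"), (202, 200, "spam"),
    # benign process: one outbound connection, nothing else
    (300, 1, "net_connect"),
]

# Assumed suspicion weight per behavior and the flagging threshold.
WEIGHTS = {"cnc_connect": 0.5, "keylog": 0.4, "spam": 0.4, "net_connect": 0.1}
THRESHOLD = 1.0


def per_process_scores(events):
    """Classic host-based behavior scoring: each process judged on its own events."""
    scores = defaultdict(float)
    for pid, _ppid, behavior in events:
        scores[pid] += WEIGHTS[behavior]
    return dict(scores)


def root_of(pid, parent):
    """Walk up parent links to the top-most process that appears in the log."""
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def per_tree_scores(events):
    """Aggregated scoring: every event is charged to the root of its process tree,
    so behaviors spread over child processes still add up against the bot."""
    parent = {pid: ppid for pid, ppid, _ in events}
    scores = defaultdict(float)
    for pid, _ppid, behavior in events:
        scores[root_of(pid, parent)] += WEIGHTS[behavior]
    return dict(scores)


def flagged(scores):
    """Return the sorted ids whose score reaches the threshold."""
    return sorted(p for p, s in scores.items() if s >= THRESHOLD)


if __name__ == "__main__":
    print("per-process:", flagged(per_process_scores(EVENTS)))  # [100]
    print("per-tree:   ", flagged(per_tree_scores(EVENTS)))     # [100, 200]
```

Per-process scoring flags only the single-process bot, because no single process of the multiprocess bot crosses the threshold; attributing behaviors to the process tree restores the detection.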