{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T12:43:13Z","timestamp":1740141793461,"version":"3.37.3"},"reference-count":20,"publisher":"SAGE Publications","issue":"5","license":[{"start":{"date-parts":[[2015,5,1]],"date-time":"2015-05-01T00:00:00Z","timestamp":1430438400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61170265","61472162"],"award-info":[{"award-number":["61170265","61472162"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61170265","61472162"],"award-info":[{"award-number":["61170265","61472162"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["International Journal of Distributed Sensor Networks"],"published-print":{"date-parts":[[2015,5,1]]},"abstract":"<jats:p> Host-based bot detection approaches discover malicious bot processes by signature comparison or behavior analysis. Existing approaches have low performance which has become a bottleneck blocking its wider deployment. Among the impact factors of performance, overhead is a crucial one. Many host-based bot detection approaches with high detection accuracy are not used practically because of their high overheads. For the development of host-based bot detection, unveiling the factors affecting the overhead is very significant. First, this paper classifies the typical approaches of host-based bot detection proposed in recent years by several metrics, information sources, interception mechanisms on host, intercepted system calls, trigger mechanisms, and correlation engine. Second, based on our analyses of aims and implementations of detection approaches, we identify three major factors affecting the overhead of approaches, namely, interception mechanism on host, type, and number of system calls intercepted and correlation engine. Third, we evaluate the influence of these factors via various experiments on real systems. Finally, based on the experiments, we propose several suggestions which are able to significantly decrease the overhead of host-based bot detection approaches. <\/jats:p>","DOI":"10.1155\/2015\/524627","type":"journal-article","created":{"date-parts":[[2015,5,28]],"date-time":"2015-05-28T21:06:36Z","timestamp":1432847196000},"page":"524627","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":4,"title":["Overhead Analysis and Evaluation of Approaches to Host-Based Bot Detection"],"prefix":"10.1177","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2419-6592","authenticated-orcid":false,"given":"Yuede","family":"Ji","sequence":"first","affiliation":[{"name":"College of Computer Science and Technology, Jilin University, Changchun, Jilin 130012, China"},{"name":"Symbol Computation and Knowledge Engineer of Ministry of Education, Jilin University, Changchun, Jilin 130012, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7510-4718","authenticated-orcid":false,"given":"Qiang","family":"Li","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Jilin University, Changchun, Jilin 130012, China"},{"name":"Symbol Computation and Knowledge Engineer of Ministry of Education, Jilin University, Changchun, Jilin 130012, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7888-2416","authenticated-orcid":false,"given":"Yukun","family":"He","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Jilin University, Changchun, Jilin 130012, China"},{"name":"Symbol Computation and Knowledge Engineer of Ministry of Education, Jilin University, Changchun, Jilin 130012, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3049-2152","authenticated-orcid":false,"given":"Dong","family":"Guo","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Jilin University, Changchun, Jilin 130012, China"},{"name":"Symbol Computation and Knowledge Engineer of Ministry of Education, Jilin University, Changchun, Jilin 130012, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","published-online":{"date-parts":[[2015,5,28]]},"reference":[{"volume-title":"Correlation-Based Botnet Detection in Enterprise Networks","year":"2008","author":"Gu G.","key":"B20-2015-524627"},{"key":"B30-2015-524627","doi-asserted-by":"publisher","DOI":"10.1109\/compsac.2010.33"},{"key":"B29-2015-524627","doi-asserted-by":"publisher","DOI":"10.1109\/acsac.2009.37"},{"key":"B35-2015-524627","doi-asserted-by":"publisher","DOI":"10.1109\/dsn.2010.5544306"},{"key":"B24-2015-524627","doi-asserted-by":"publisher","DOI":"10.1109\/icdm.2011.104"},{"key":"B33-2015-524627","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-18178-8_15"},{"key":"B25-2015-524627","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-11534-9_16"},{"key":"B32-2015-524627","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-73614-1_6"},{"key":"B26-2015-524627","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-85886-7_7"},{"key":"B27-2015-524627","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-87403-4_5"},{"volume-title":"Problem-Solving Methods in Artificial Intelligence","year":"1971","author":"Nilsson N. J.","key":"B28-2015-524627"},{"first-page":"351","volume-title":"Proceedings of the 18th Conference on USENIX Security Symposium","author":"Kolbitsch C.","key":"B23-2015-524627"},{"key":"B15-2015-524627","doi-asserted-by":"crossref","unstructured":"Al-Hammadi Y. A. A.Behavioural correlation for malicious bot detection [Ph.D. thesis]2010University of Nottingham","DOI":"10.2139\/ssrn.2829290"},{"key":"B19-2015-524627","doi-asserted-by":"publisher","DOI":"10.1007\/s12065-008-0008-6"},{"volume-title":"Artificial Immune Systems: A New Computational Intelligence Approach","year":"2002","author":"De Castro L. N.","key":"B18-2015-524627"},{"volume-title":"Proceedings of the USENIX Security Symposium","author":"Jacob G.","key":"B22-2015-524627"},{"key":"B31-2015-524627","doi-asserted-by":"publisher","DOI":"10.1109\/infcom.2012.6195713"},{"key":"B34-2015-524627","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382257"},{"volume-title":"Proceedings of the 3rd Conference on USENIX Windows NT Symposium","author":"Hunt G.","key":"B21-2015-524627"},{"key":"B17-2015-524627","volume-title":"Introduction to Algorithms","author":"Cormen T. H.","year":"2001","edition":"2"}],"container-title":["International Journal of Distributed Sensor Networks"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/journals.sagepub.com\/doi\/pdf\/10.1155\/2015\/524627","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/journals.sagepub.com\/doi\/full-xml\/10.1155\/2015\/524627","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/journals.sagepub.com\/doi\/pdf\/10.1155\/2015\/524627","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,5,5]],"date-time":"2021-05-05T21:48:03Z","timestamp":1620251283000},"score":1,"resource":{"primary":{"URL":"http:\/\/journals.sagepub.com\/doi\/10.1155\/2015\/524627"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,5,1]]},"references-count":20,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2015,5,1]]}},"alternative-id":["10.1155\/2015\/524627"],"URL":"https:\/\/doi.org\/10.1155\/2015\/524627","relation":{},"ISSN":["1550-1477","1550-1477"],"issn-type":[{"type":"print","value":"1550-1477"},{"type":"electronic","value":"1550-1477"}],"subject":[],"published":{"date-parts":[[2015,5,1]]}}}