Performance Evaluation of DCA and SRC on a Single Bot Detection

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Malicious users try to compromise systems using new techniques. One of the recent techniques used by the attacker is to perform complex distributed attacks such as denial of service and to obtain sensitive data such as password information. These compromised machines are said to be infected with malicious software termed a “bot”. In this paper, we investigate the correlation of behavioural attributes such as keylogging and packet flooding behaviour to detect the existence of a single bot on a compromised machine by applying (1) Spearman’s rank correlation (SRC) algorithm and (2) the Dendritic Cell Algorithm (DCA). We also compare the output results generated from these two methods for the detection of a single bot. The results show that the DCA has a better performance in detecting malicious activities.


💡 Research Summary

The paper addresses the problem of detecting a single bot on a compromised host by correlating behavioural attributes rather than relying on traditional signature‑based network analysis. The authors focus on two behavioural cues that modern bots often exhibit: keylogging (capturing user keystrokes) and packet‑flooding (rapid generation of network traffic). To evaluate how well these cues can be combined for detection, they implement and compare two correlation techniques: Spearman’s Rank Correlation (SRC) and the Dendritic Cell Algorithm (DCA), an immune‑inspired data‑fusion method.

SRC is implemented as a straightforward statistical measure. Three metrics are extracted from the host: S1 – presence of keylogging activity, S2 – speed of the bot’s response to attacker commands, and S3 – frequency with which the same communication function is called repeatedly. Pairwise Spearman correlation coefficients are computed (S1‑S3 and S2‑S3). If both exceed a threshold of 0.5 the system reports a “strong detection”, otherwise it falls back to “weak” or “medium” classifications. This approach is simple to code but suffers when any single metric fluctuates or when the three behaviours do not co‑occur strongly, leading to higher false‑positive rates.
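The SRC pipeline described above, as an added example that is not code from the paper: a tie-safe Spearman's rho computed from average ranks, the paper's 0.5 threshold applied to the S1-S3 and S2-S3 pairs, and two constructed eight-window series (one infected host, one benign host). The summary does not say how "medium" and "weak" are separated, so the rule that one pair above threshold is "medium" and none is "weak" is an assumption made here, as are the sample values.

```python
"""Spearman's rank correlation (SRC) over three host metrics (added example).

Sample series are constructed for illustration, not measurements from the paper.
"""
from typing import List, Sequence, Tuple


def average_ranks(values: Sequence[float]) -> List[float]:
    """Rank values 1..n; tied values share the average of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        shared = (i + j) / 2 + 1  # average of the 1-based positions i+1 .. j+1
        for k in range(i, j + 1):
            ranks[order[k]] = shared
        i = j + 1
    return ranks


def spearman(x: Sequence[float], y: Sequence[float]) -> float:
    """Spearman's rho: Pearson correlation of the two rank vectors (tie-safe)."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two equally long series with at least two samples")
    rx, ry = average_ranks(x), average_ranks(y)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    var_x = sum((a - mx) ** 2 for a in rx)
    var_y = sum((b - my) ** 2 for b in ry)
    if var_x == 0.0 or var_y == 0.0:
        return 0.0  # a constant series (e.g. no keylogging at all) carries no rank order
    return cov / (var_x * var_y) ** 0.5


THRESHOLD = 0.5  # the paper's cut-off for a "strong" detection


def classify(s1, s2, s3, threshold=THRESHOLD) -> Tuple[str, float, float]:
    """Both S1-S3 and S2-S3 above threshold -> strong (the paper's rule).
    Splitting the rest into medium (one pair above) and weak (none) is an
    assumption for this example; the summary does not define it."""
    r13 = spearman(s1, s3)
    r23 = spearman(s2, s3)
    above = int(r13 > threshold) + int(r23 > threshold)
    return {2: "strong", 1: "medium", 0: "weak"}[above], r13, r23


# Constructed per-time-window observations (8 windows each).
INFECTED = {
    "s1": [0, 1, 2, 4, 6, 7, 9, 10],   # keystrokes captured per window
    "s2": [1, 2, 2, 5, 6, 8, 8, 11],   # command-response speed score (ties on purpose)
    "s3": [0, 2, 3, 5, 7, 8, 10, 12],  # repeated calls of the same comm function
}
BENIGN = {
    "s1": [0] * 8,                      # no keylogging observed at all
    "s2": [5, 3, 8, 1, 7, 2, 6, 4],
    "s3": [1, 2, 3, 4, 5, 6, 7, 8],
}


def run(data) -> Tuple[str, float, float]:
    return classify(data["s1"], data["s2"], data["s3"])


if __name__ == "__main__":
    for name, data in (("infected", INFECTED), ("benign", BENIGN)):
        label, r13, r23 = run(data)
        print(f"{name}: rho(S1,S3)={r13:.3f} rho(S2,S3)={r23:.3f} -> {label}")
```

The benign host shows the weakness the paragraph points at: because S1 is constant, its rank correlation is undefined and is reported as 0, so the outcome rests entirely on the S2-S3 pair. A single metric that does not move (or that jitters) drags the verdict even when the other cue is clear, which is why a fixed per-pair threshold tends to misclassify.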

The DCA, by contrast, models the behaviour of biological dendritic cells. It receives three categories of input signals: a danger signal (S1) that rises sharply during abnormal activity, a damage‑associated signal (S2) that reflects unexpected system stress, and a safe signal (S3) that grows during normal operation. Each signal is weighted (weights are taken from prior work) and summed to produce three output signals (costimulatory, semi‑mature, mature). Immature DCs collect “antigen” (the process identifier) while monitoring the signals; when the costimulatory output exceeds a migration threshold, the cell matures and assigns a binary context to the antigen (0 = normal, 1 = anomalous). Because the algorithm fuses multiple signals, it can recognise a bot even if only one cue is strong, while the safe signal can suppress spurious alarms.
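The signal fusion and antigen-context mechanism just described, as an added example that is not the paper's code: a deterministic, single-cell sketch of the DCA using the page's mapping (S1 danger, S2 damage, S3 safe), three weighted output signals, a migration threshold on the costimulatory sum, and a per-process anomaly score (the fraction of a process's presentations that received context 1). The weight matrix, the migration threshold, the 0.5 decision cut-off and the event stream are all assumptions for this example; the paper's values are not reproduced in the summary. A full DCA runs a population of cells with varied thresholds and random antigen sampling, which this sketch leaves out.

```python
"""Deterministic, single-cell sketch of the Dendritic Cell Algorithm (added example).

Weights, thresholds and sample events are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Signals = Tuple[float, float, float]  # (S1 danger, S2 damage, S3 safe), each in [0, 1]

# Assumed weights: output = w1*S1 + w2*S2 + w3*S3. The safe signal raises the
# semi-mature output and lowers the mature output, which is how it suppresses alarms.
WEIGHTS: Dict[str, Signals] = {
    "csm":    (2.0, 1.0, 2.0),
    "semi":   (0.0, 0.0, 1.0),
    "mature": (2.0, 1.0, -1.5),
}


def fuse(s1: float, s2: float, s3: float) -> Dict[str, float]:
    """Weighted sum of the three input signals into the three output signals."""
    return {name: w[0] * s1 + w[1] * s2 + w[2] * s3 for name, w in WEIGHTS.items()}


@dataclass
class DendriticCell:
    migration_threshold: float
    csm: float = 0.0
    semi: float = 0.0
    mature: float = 0.0
    antigens: List[str] = field(default_factory=list)

    def sample(self, antigen: str, signals: Signals) -> bool:
        """Collect one antigen together with the signals seen at that moment.
        Returns True once the accumulated costimulatory output reaches the
        threshold, i.e. the cell migrates and presents its antigens."""
        self.antigens.append(antigen)
        out = fuse(*signals)
        self.csm += out["csm"]
        self.semi += out["semi"]
        self.mature += out["mature"]
        return self.csm >= self.migration_threshold

    def context(self) -> int:
        """Binary context at migration: 1 (anomalous) if mature dominates semi-mature."""
        return 1 if self.mature > self.semi else 0


def run_dca(events: List[Tuple[str, Signals]], migration_threshold: float = 10.0) -> Dict[str, float]:
    """Per-antigen score: fraction of its presentations that carried context 1.
    Antigens still held by a cell that never migrates are not presented."""
    tally: Dict[str, List[int]] = {}  # antigen -> [anomalous presentations, total]
    cell = DendriticCell(migration_threshold)
    for antigen, signals in events:
        if cell.sample(antigen, signals):
            ctx = cell.context()
            for a in cell.antigens:
                t = tally.setdefault(a, [0, 0])
                t[0] += ctx
                t[1] += 1
            cell = DendriticCell(migration_threshold)  # a fresh immature cell takes over
    return {a: t[0] / t[1] for a, t in tally.items()}


def classify(scores: Dict[str, float], cutoff: float = 0.5) -> Dict[str, str]:
    """Assumed decision rule: a score above the cut-off flags the process."""
    return {a: ("anomalous" if v > cutoff else "normal") for a, v in scores.items()}


# Constructed event stream: (process name as antigen, (S1, S2, S3)) in time order.
SAMPLE_EVENTS: List[Tuple[str, Signals]] = (
    [("explorer.exe", (0.2, 0.1, 1.0))] * 4                                 # quiet desktop use
    + [("bot.exe", (1.0, 0.8, 0.1))] * 4                                    # keylogging + flooding burst
    + [("explorer.exe", (0.1, 0.1, 1.0)), ("bot.exe", (0.9, 0.7, 0.2))] * 2  # both active at once
)


def detect(events=SAMPLE_EVENTS) -> Dict[str, str]:
    return classify(run_dca(events))


if __name__ == "__main__":
    for proc, value in run_dca(SAMPLE_EVENTS).items():
        print(f"{proc}: score={value:.3f}")
    print(detect())
```

In the third period the cell collects antigens from both processes while the safe signal from normal activity outweighs the bot's danger signal, so that cell matures with context 0 and drags the bot's score down to 4/6; the bot is still flagged because the earlier burst dominates, and the desktop process stays at 0. That is the behaviour the paragraph attributes to the safe signal: it damps spurious alarms without hiding a sustained anomaly.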

Experiments were carried out on a Windows machine infected with an IRC‑based bot that performed both keylogging and packet‑flooding. The same log data were fed to both SRC and DCA pipelines. Results show that DCA achieved a detection rate of roughly 95 % with a false‑positive rate of about 3 %, whereas SRC attained a 78 % detection rate and a 12 % false‑positive rate. The superior performance of DCA is attributed to its multi‑signal fusion and adaptive thresholding, which better capture the complex, time‑varying nature of bot behaviour.

The authors acknowledge several limitations. The evaluation uses only a single bot and a limited set of behaviours, so scalability to multi‑bot or more sophisticated command‑and‑control channels remains untested. DCA’s signal weights were chosen manually; an automated learning or optimisation scheme is not presented. SRC’s threshold of 0.5 is arbitrary, and the paper does not compare SRC with other statistical measures such as Pearson correlation or mutual information.

In conclusion, the study demonstrates that host‑based behavioural correlation, especially when implemented with an immune‑inspired algorithm like DCA, can outperform simple statistical correlation for detecting malicious bot activity. The work suggests future directions including testing against diverse bot families, developing adaptive weight‑learning for DCA, and integrating the approach into real‑time intrusion‑detection frameworks.

