ABSTRACT

Social botnets have several inherent advantages that allow them to evade common botnet detection approaches. When a social bot runs inside a malware-analysis environment, it may be unable to fetch commands from its botmaster as it normally would. Dynamic analysis results therefore depend heavily on the botmaster's behavior: most social bot samples available for analysis have already been published, and their botmasters may already have been shut down, so the sample no longer exhibits its command-and-control behavior. Detecting social botnets is also an arms race, since social botnets continuously evolve to evade each newly introduced detection feature. Moreover, many advanced social bots perform no malicious activity until they have observed human activity on the host, so that their malicious actions are deliberately interleaved with benign human activity. The task of host-based botnet detection is thus to identify the malicious event, or the malicious process, running on the host.