A botnet is a network of compromised hosts that is under the control of a single, malicious entity, often called the botmaster. We present a system that aims to detect bot-infected machines, independent of any prior information about the command and control channels or propagation vectors, and without requiring multiple infections for correlation. Our system relies on detection models that target the characteristic fact that every bot receives commands from the botmaster to which it responds in a specific way. These detection models are generated automatically from network traffic traces recorded from actual bot instances. We have implemented the proposed approach and demonstrate that it can extract effective detection models for a variety of different bot families. These models are precise in describing the activity of bots and raise very few false positives.

As the popularity of the Internet increases, so does the number of miscreants who abuse the net for their nefarious purposes. A popular tool of choice for criminals today are bots. A bot is a type of malware that is written with the intent of compromising and taking control of hosts on the Internet. It is typically installed on the victim’s computer by either exploiting a software vulnerability in the web browser or the operating system, or by using social engineering techniques to trick the victim into installing the bot herself. Compared to other types of malware, the distinguishing characteristic of a bot is infected machines that are combined under the control of a single, malicious entity (called the botmaster) are referred to as a botnet. Such botnets are often abused as platforms to launch denial of service attacks to send spam mails or to host scam pages.

Traditional means of defense against bots rely on antivirus (AV) software installed on end-users’ machines. Unfortunately, as the existence of numerous botnets demonstrates, these systems are insufficient. The reason is that they rely on signatures of known samples, a well-documented limitation that makes it difficult to keep up with the fast evolution of malware. To mitigate this limitation, a number of host-based defense systems have been introduced. These systems use static or dynamic code analysis techniques to capture the behaviour of unknown programs. By comparing the observed behaviour to a model that specifies characteristics of certain types of malware, previously unknown instances of malicious code can be identified. However, although useful, these systems are problematic in practice, as they incur a consider- able runtime overhead and require each user to install the analysis platform.