Date Added: Jun 2009
A botnet is a network of compromised hosts that is under the control of a single, malicious entity, often called the botmaster. This paper presents a system that aims to detect bots, independent of any prior information about the command and control channels or propagation vectors, and without requiring multiple infections for correlation. The system relies on detection models that target the characteristic fact that every bot receives commands from the botmaster to which it responds in a specific way. These detection models are generated automatically from network traffic traces recorded from actual bot instances. The paper has implemented the proposed approach and demonstrates that it can extract effective detection models for a variety of different bot families.