Effective Bot Host Detection Based on Network Failure Models
In this paper, the authors propose an effective solution to detect bot hosts within a monitored local network. Based on their observations, a bot often has a differentiable failure pattern because of the distributed design and implementation of botnets. Hence, by monitoring the failures generated by a single host for a short period, it is possible to determine whether that host is a bot by using a well-trained model. The proposed solution does not rely on aggregated network information and therefore works independently of network size. Their experiments show that the failure patterns of normal traffic, peer-to-peer traffic, and botnet traffic can be classified accurately.
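The per-host, short-window failure monitoring described above, as an added illustration that is not the paper's code: failure-pattern features are computed for one host at a time over a few seconds of events (no aggregation across hosts), and a hand-written threshold rule stands in for the paper's trained model. The event records, hosts, names, and thresholds are constructed assumptions, not data or parameters from the paper.

```python
# Constructed sample events: (time_s, host, kind, dst, outcome). Not data from the paper.
# kind: "dns" (dst = queried name) or "tcp" (dst = ip:port); outcome: "ok" or a failure code.
EVENTS = [
    (0.0, "10.0.0.5", "dns", "www.example.com", "ok"),
    (0.5, "10.0.0.5", "tcp", "93.184.216.34:443", "ok"),
    (1.0, "10.0.0.5", "dns", "cdn.example.net", "ok"),
    (1.4, "10.0.0.5", "tcp", "203.0.113.7:443", "ok"),
    (0.0, "10.0.0.8", "tcp", "198.51.100.2:6881", "ok"),
    (0.3, "10.0.0.8", "tcp", "198.51.100.9:6881", "timeout"),
    (0.6, "10.0.0.8", "tcp", "198.51.100.14:6881", "reset"),
    (0.9, "10.0.0.8", "tcp", "198.51.100.21:6881", "timeout"),
    (1.2, "10.0.0.8", "tcp", "198.51.100.33:6881", "ok"),
    (0.0, "10.0.0.9", "dns", "a1.bad-example.test", "nxdomain"),
    (0.2, "10.0.0.9", "dns", "a2.bad-example.test", "nxdomain"),
    (0.4, "10.0.0.9", "dns", "a3.bad-example.test", "nxdomain"),
    (0.6, "10.0.0.9", "dns", "a4.bad-example.test", "ok"),
    (0.8, "10.0.0.9", "tcp", "192.0.2.10:8080", "reset"),
    (9.0, "10.0.0.9", "dns", "late.bad-example.test", "nxdomain"),  # outside the window
]

def failure_features(events, host, t0=0.0, window_s=5.0):
    """Failure-pattern features for ONE host over a short window; nothing is aggregated across hosts."""
    mine = [e for e in events if e[1] == host and t0 <= e[0] < t0 + window_s]
    dns = [e for e in mine if e[2] == "dns"]
    tcp = [e for e in mine if e[2] == "tcp"]
    dns_fail = [e for e in dns if e[4] != "ok"]
    tcp_fail = [e for e in tcp if e[4] != "ok"]
    return {
        "events": len(mine),
        "dns_fail_rate": len(dns_fail) / len(dns) if dns else 0.0,
        "tcp_fail_rate": len(tcp_fail) / len(tcp) if tcp else 0.0,
        "distinct_fail_dst": len({e[3] for e in dns_fail + tcp_fail}),
    }

def classify(f):
    """Stand-in for the paper's trained model; these thresholds are assumptions, not the paper's."""
    if f["dns_fail_rate"] >= 0.5:          # many unresolvable names in a short burst
        return "bot"
    if f["tcp_fail_rate"] >= 0.5 and f["distinct_fail_dst"] >= 3:  # unreachable peers, no DNS failures
        return "p2p"
    return "normal"

def scan(events, hosts, **window):
    """Label each monitored host independently from its own failure window."""
    return {h: classify(failure_features(events, h, **window)) for h in hosts}
```

In a real deployment the feature vector would feed the trained classifier, and the window would slide over live DNS and connection logs rather than a fixed list.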