In recent years, it has become increasingly difficult to detect malicious activity carried out on networks. The sophistication of intrusions has increased substantially, as entities with greater resources, such as organized crime and state actors, have directed those resources towards developing new modes of attacking networks.
One pernicious type of intrusion arises when an outside entity takes control of a host at a given company or organization (e.g. a computer within a company's network). When this happens, the host can be controlled and used as a source of attacks against other targets both inside and outside of the company's network. What makes this situation particularly difficult to identify is that the attacks may not be directed at targets owned by the same company that owns the host, but instead may be directed at targets that are outside of the company or organization.
For instance, one type of control commonly implemented by those with malicious intent in the digital world operates through a centralized controller, referred to as a “bot herder”, that exerts control over a number of infected hosts, collectively called a “botnet”, where each infected host is called a “bot”. One of the factors that makes botnet activity difficult to detect is the lack of effect or disturbance attributable to any single bot. For instance, a bot herder in control of 10,000 bots may direct one bot to click ads on a given website as part of a click-fraud scheme. In other situations the bots may be directed to contact the same target server at the same point in time as part of a distributed-denial-of-service (DDoS) attack. Although potentially harmful in aggregate, each bot's activity taken on its own (e.g. clicking on ads, accessing a website) appears innocuous to the security systems inside the network in which it resides. As such, the bot activity blends in with normal network traffic and renders conventional security systems ineffective.
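The aggregate-versus-individual distinction described above can be illustrated with the following added example, which is not part of this document: a cross-host correlation check over a constructed set of outbound connection records, in which no single host's activity stands out, yet the fleet-wide view reveals several distinct hosts contacting the same external server within a few seconds of one another. The host names and the `target.example.org` destination are constructed placeholders.

```python
# Added example (not from the original text): why a single-host view misses bot
# activity while a cross-host view can surface it. The connection records below
# are constructed for illustration: (timestamp_seconds, source_host, destination).
from collections import defaultdict

SAMPLE_CONNECTIONS = [
    (1000, "host-01", "cdn.example.net"),
    (1001, "host-02", "mail.example.net"),
    (1200, "host-01", "target.example.org"),  # three distinct hosts reach the same
    (1201, "host-03", "target.example.org"),  # destination within two seconds
    (1202, "host-04", "target.example.org"),
    (1500, "host-02", "cdn.example.net"),
    (1501, "host-02", "target.example.org"),  # later, isolated contact: not flagged
]

def per_host_connection_counts(connections):
    """Single-host view: connections made by each host. Nothing looks unusual,
    which is the point of the passage above: each bot's own traffic is innocuous."""
    counts = defaultdict(int)
    for _, host, _ in connections:
        counts[host] += 1
    return dict(counts)

def synchronized_destinations(connections, window_seconds=5, min_hosts=3):
    """Fleet-wide view: destinations contacted by at least `min_hosts` distinct
    hosts within any `window_seconds` span. Returns {destination: set_of_hosts}.
    Events are grouped per destination, sorted by time, and scanned with a
    sliding window so the check stays O(n log n) over the record set."""
    by_dest = defaultdict(list)
    for ts, host, dest in connections:
        by_dest[dest].append((ts, host))
    flagged = {}
    for dest, events in by_dest.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most window_seconds.
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[dest] = flagged.get(dest, set()) | hosts
    return flagged
```

The thresholds (window length, minimum distinct hosts) are assumptions for the constructed data; in practice they would be tuned against a baseline of legitimate shared destinations such as update servers and content delivery networks.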
As is evident, there is a great need for approaches that effectively and efficiently identify scenarios in which an outside entity takes control of a host, e.g. botnet attacks.