Several studies have estimated that millions of computers worldwide are infected by malware and have become bots that are controlled by cyber criminals, forming so-called botnets. The infected computers forming these botnets are coordinated and used by the attackers to launch diverse malicious and illegal network activities, including perpetrating identity theft, sending an estimated 100 billion spam messages every day, launching denial of service (DoS) attacks, committing click fraud, etc. The victim's computing experience also suffers, as the computing cycles wasted on bot-induced (i.e., computer-generated) events and activities typically slow down the performance of the machine.
The task of botnet detection is two-fold: (1) to identify individual infected computers, also called zombies, and to clean the infection, and (2) to identify and prosecute the mastermind who controls the botnet. End-user systems and methods typically focus upon the first task, as the second task usually involves law enforcement measures beyond a technical scope. Determining whether a personal computer (PC) managed by an average Internet user is infected or not can be very challenging. Malicious bots are stealthy and difficult to detect using conventional anti-virus software. Some bots even disable the anti-virus software immediately after they successfully infect a machine. A good description of botnet structures is disclosed, for example, in a paper by D. Dagon, G. Gu, C. P. Lee, and W. Lee, “A taxonomy of botnet structures,” in ACSAC, pages 325-339, IEEE Computer Society, 2007. An overwhelming majority of personal computer users lack the technical expertise to combat bot infection on their own, highlighting the importance of botnet detection solutions.
Most existing botnet detection solutions focus on analyzing the network traffic of potentially infected machines to identify suspicious network communication patterns. In particular, the traces of botnets' command and control (C&C) messages, i.e., how bots communicate with their botmasters (also known as botherders), are captured and their signatures are analyzed. For example, a host may be infected if it periodically contacts a server via Internet Relay Chat (IRC) protocol and sends a large number of emails afterwards. Network trace analysis is a significant aspect of identifying malicious bots. These solutions usually involve complex and sophisticated pattern analysis techniques, and have been demonstrated to produce good false positive and false negative rates. They can be deployed by local Internet Service Providers (ISPs) to monitor and screen a large number of hosts as part of a network intrusion-detection system.
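As an added illustration of the traffic-pattern heuristic just described (example code written for this page, not part of the original application), the following Python flags a host whose regularly spaced IRC connections are followed by a burst of SMTP connections. The port numbers, thresholds and flow records are constructed assumptions, not values from the text.

```python
"""Toy flow-based heuristic: flag a host that periodically contacts an IRC
server (port 6667) and then opens many SMTP (port 25) connections.
The flow records below are constructed sample data, not real traffic."""
from collections import defaultdict
from statistics import mean, pstdev

IRC_PORT, SMTP_PORT = 6667, 25  # assumed well-known ports

# Constructed flow records: (timestamp_seconds, src_host, dst_host, dst_port)
SAMPLE_FLOWS = [
    # host A: IRC beacon roughly every 60 s, then a burst of SMTP connections
    *[(t, "10.0.0.5", "203.0.113.9", IRC_PORT) for t in (0, 60, 121, 180, 241)],
    *[(250 + i, "10.0.0.5", f"198.51.100.{i}", SMTP_PORT) for i in range(40)],
    # host B: a single IRC session and ordinary mail use
    (10, "10.0.0.7", "203.0.113.9", IRC_PORT),
    (500, "10.0.0.7", "192.0.2.25", SMTP_PORT),
]

def is_periodic(times, min_events=3, max_jitter=0.1):
    """True if inter-arrival gaps are regular (coefficient of variation small)."""
    if len(times) < min_events:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return pstdev(gaps) / mean(gaps) <= max_jitter

def suspicious_hosts(flows, smtp_threshold=20):
    """Return hosts whose periodic IRC contact is followed by many SMTP flows."""
    irc_times = defaultdict(list)
    smtp_times = defaultdict(list)
    for ts, src, _dst, dport in sorted(flows):
        if dport == IRC_PORT:
            irc_times[src].append(ts)
        elif dport == SMTP_PORT:
            smtp_times[src].append(ts)
    flagged = []
    for host, times in irc_times.items():
        if not is_periodic(times):
            continue
        # only count mail activity that starts after the C&C beaconing began
        smtp_after = [t for t in smtp_times[host] if t > times[0]]
        if len(smtp_after) >= smtp_threshold:
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_FLOWS))  # ['10.0.0.5']
```

A real deployment would derive thresholds from baseline traffic and, as the following paragraph notes, would need to track botnets that move C&C off IRC onto HTTP.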
Botnets are, however, entities that are constantly evolving to avoid detection, and their behaviors change accordingly. For example, although IRC is still the dominant botnet command-and-control protocol, recent studies have found that many botmasters are responding to detection systems by switching away from IRC to HTTP, as HTTP traffic is usually allowed through firewalls and can be easily camouflaged (to be used for covert channels). The majority of the current botnet detection solutions focus on using the characteristic behaviors of bots to identify malicious activities. Thus, changes in bot patterns require constant improvements in the detection methods; sole reliance on following and leveraging bots' behaviors for detection is relatively reactive and may require constant modifications in order to keep up with the newest developments in botnets.
Accordingly, there is an immediate need for improved systems and methods that are capable of detecting botnet malware on a host computer.