Many of today's business and consumer applications rely on communications infrastructures such as the Internet. Businesses and consumers need to protect their computer systems from hostile activities, e.g., denial of service attacks, spam, etc., while remaining able to communicate with others via the infrastructure. However, attacks by a network of compromised host computers (a Botnet) are often disguised as legitimate activity. For example, an attacker may use a large number of broadband-connected home computers as Botnets, along with Internet chat servers as controllers, in order to hide the activity behind legitimate Internet chat sessions. Detection of these Botnets requires collection and analysis of massive amounts of packet traffic at the application layer. The required computation is difficult, if not prohibitive.
Therefore, there is a need for a method and apparatus that enable network service providers to detect one or more networks of compromised host computers (Botnets).