Regardless of how malware enters your network (through innocent web surfing, email attachments, direct exploit, or by attaching your laptop to the wrong wireless network), once a machine within your perimeter is compromised your whole network is under threat.  BotHunter helps you quickly identify and isolate these infected machines, and helps you figure out who really owns your computers.

What is BotHunter

BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool. Those tools generally do not help you rid your network of malware infections. BotHunter takes a different approach: it is a new network defense algorithm designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, and adware). It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program by the Computer Science Laboratory at SRI International.

BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generation engine; Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host's dialog production patterns against an abstract malware infection lifecycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection. In short, BotHunter helps you rapidly identify infected machines inside your network that are clearly and helplessly under the control of external malicious hackers.

Dialog correlation is an algorithm that classifies each network traffic exchange that occurs across your network boundary as a potential infection sequence step of the kind that occurs when a host is infected with malware. Not all network traffic events generate a dialog event. Dialog events are fed directly into a separate dialog correlation engine, where each host's individual dialog production patterns are mapped and scored against an abstract malware infection life cycle model. When the dialog correlation algorithm determines that a host's dialog production patterns map sufficiently closely to the life cycle model, the host is declared infected, and an infection profile is generated to summarize all evidence regarding the infection.

BotHunter is funded through the Cyber-Threat Analytics research grant from the U.S. Army Research Office, and is free to all end users to help you combat malware infections.  In addition, BotHunter includes an auto-update service that allows fielded systems to receive the latest threat intelligence regarding new sources for ad and spyware management, botnet control sites, backdoor and control ports, and malware-related domain name lookups. The update service also publishes new dialog analysis rules to help BotHunter recognize emerging exploits and malware communication patterns. Modern malware defenses need to be adaptive and aware of the latest strategies used by Internet malware, and BotHunter is ready to meet this challenge.

Conceptual Overview

Distinguishing a successful malware infection from the vantage point of the network egress position requires a command of the two-way dialog flow that occurs between a network's internal hosts and the Internet. While many malware infections start with an initial external-to-internal infection, malware may use a wide range of options to infect a host, including indirect host infections through email, direct exploit-based infection, or drive-by infections that are launched from malicious network servers. Furthermore, with the growth in popularity and capability of mobile laptops, direct infection of an internal asset need not necessarily take place behind a well-administered network. Malware may inject itself into a host opportunistically from any Internet access point the host happens to associate with, or may be executed voluntarily by a victim who inadvertently accesses a Trojan binary, multimedia file, or other infected transmission source. Regardless of how malware enters a host, once established inside the network perimeter the challenge remains to identify the infected machine and remove it from service as quickly as possible.

Capturing the full scope of a malware infection requires an ability to follow a dialog that can span several participants, including the victim host, the infection agent, the source of binary updates, the command and control server, and eventually the propagation targets of the newly infected victim.  Traditional network intrusion detection systems (IDSs) typically focus on inward packet flows for signs of malicious point-to-point intrusion attempts.  IDSs have the capacity to detect initial incoming intrusion attempts, and the prolific frequency with which they produce such alarms in operational networks is well documented.  However, being able to distinguish a successful local host infection from the daily myriad of scans and intrusion attempts is as critical a task as any facet of network defense.

How BotHunter Analyzes Network Flows

BotHunter models an infection sequence as a composition of participants and a loosely ordered sequence of network dialog exchanges:

Infection I = <A, V, E, C, P, V', {D}>

where A = attacker, V = victim, E = egg download location, C = C&C server, P = peer-to-peer coordination points, and V' = the victim's next propagation targets.  {D} represents a set of dialog sequences composed of bidirectional flows that cross the egress boundary. 

BotHunter's current infection dialog set {D} provides the following detection coverage  for your network:

BotHunter's Infection Life Cycle Model

BotHunter's malware propagation model is primarily driven by an assessment of outward-bound communication flows that are indicative of behavior associated with malware coordination.  Where possible, we seek to associate such outbound communication patterns with observed inbound intrusion activity.  However, this latter activity is not a requirement for infection declaration.   Neither are incoming scans and exploit alarms sufficient to declare a successful malware infection, as we assume that a constant stream of scan and exploit signals will be observed from the egress monitor.

Figure 1 illustrates BotHunter's malware infection dialog model used for assessing bidirectional flows across the network boundary. BotHunter incorporates initial scan detection and exploit usage, including web-based client-side infections. Host infection is then followed by malware binary downloading, installation, and coordination (in the case of botnets, spyware, and adware infections). Next, BotHunter's infection dialog model proceeds with infection propagation, which includes activity such as scanning, exploit usage, spam propagation, and attack preparation. Finally, BotHunter recognizes malware infections when systems are observed attempting to connect to known C&C servers or other address space highly associated with malicious software control (e.g., Russian Business Network address space).
Figure 1:  BotHunter's Infection Life Cycle Model

Figure 1 is not intended to provide a strict order of events, but rather captures well-established infection dialog patterns observed among a wide variety of malware strains.  We assume that bot dialog sequence analysis must be robust to the absence of some dialog events, must comprehend multiple contributing candidates for each of the various dialog phases, and must not require strict sequencing in the order in which outbound dialog is conducted.  BotHunter employs a weighted event threshold system, which captures the minimum necessary and sufficient sparse sequences of events under which an infection declaration can be triggered.   BotHunter infection profiles include an overall infection confidence score, which will range from 0.8 to 3.8.  The higher the score, the greater the dialog evidence trail that was used to produce the infection profile.

BotHunter is capable of declaring a host infected when any of three dialog sequence combinations is observed:

Condition 1: Evidence of a local host infection, and evidence of outward malware coordination or attack propagation, or

Condition 2: At least two distinct signs of outward bot coordination, attack propagation, or attacker preparation sequences are observed, or

Condition 3: Evidence that a local host has attempted to establish communication with a confirmed malware control host or drop site.
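The declaration logic above, as an added illustration that is not BotHunter's own code: a minimal dialog correlator that groups per-host dialog events, evaluates the three conditions, and emits an infection profile. The phase labels, per-phase weights, and sample events are this example's own assumptions (BotHunter's real Snort-derived events and weights are not reproduced here); note that inbound scan and exploit alarms alone never trigger a declaration, exactly as the life cycle model requires.

```python
from collections import defaultdict
from dataclasses import dataclass

# Dialog phases of the life cycle model; the string labels are this example's own.
INBOUND_SCAN, INBOUND_EXPLOIT, EGG_DOWNLOAD = "inbound_scan", "inbound_exploit", "egg_download"
CC_COORDINATION, PROPAGATION, ATTACK_PREP = "cc_coordination", "propagation", "attack_prep"
KNOWN_CC_CONTACT = "known_cc_contact"  # confirmed control host or drop site

LOCAL_INFECTION = {INBOUND_EXPLOIT, EGG_DOWNLOAD}       # evidence the host itself was compromised
OUTWARD = {CC_COORDINATION, PROPAGATION, ATTACK_PREP}  # outward coordination, propagation, prep

# Illustrative per-phase weights (assumption: not BotHunter's real scoring).
WEIGHTS = {INBOUND_SCAN: 0.3, INBOUND_EXPLOIT: 0.8, EGG_DOWNLOAD: 0.8, CC_COORDINATION: 0.8,
           PROPAGATION: 0.8, ATTACK_PREP: 0.5, KNOWN_CC_CONTACT: 1.0}

@dataclass(frozen=True)
class DialogEvent:
    host: str   # internal host the dialog is attributed to
    phase: str  # one of the phases above
    sign: str   # short description of the observed dialog step

def correlate(events):
    """Map each host's dialog events onto the life cycle model; return infection profiles."""
    by_host = defaultdict(set)
    for ev in events:
        by_host[ev.host].add(ev)
    profiles = {}
    for host, evs in by_host.items():
        phases = {ev.phase for ev in evs}
        outward_signs = {(ev.phase, ev.sign) for ev in evs if ev.phase in OUTWARD}
        met = []
        if phases & LOCAL_INFECTION and phases & OUTWARD:
            met.append(1)  # local infection plus outward coordination or propagation
        if len(outward_signs) >= 2:
            met.append(2)  # two distinct outward signs, even with no inbound exploit seen
        if KNOWN_CC_CONTACT in phases:
            met.append(3)  # contact with a confirmed control host or drop site
        if met:  # scans and exploit alarms alone never reach this branch
            profiles[host] = {"conditions": met,
                              "score": round(sum(WEIGHTS[p] for p in phases), 1),
                              "evidence": sorted((ev.phase, ev.sign) for ev in evs)}
    return profiles

# Constructed sample dialog events (not captured traffic).
SAMPLE_EVENTS = [
    DialogEvent("10.0.0.5", INBOUND_EXPLOIT, "exploit alarm on tcp/445"),
    DialogEvent("10.0.0.5", EGG_DOWNLOAD, "binary fetched right after exploit"),
    DialogEvent("10.0.0.5", CC_COORDINATION, "IRC-style control channel"),
    DialogEvent("10.0.0.9", INBOUND_SCAN, "port sweep from external host"),
    DialogEvent("10.0.0.9", INBOUND_EXPLOIT, "exploit alarm, no follow-up dialog"),
    DialogEvent("10.0.0.12", PROPAGATION, "outbound scan of neighbouring /24"),
    DialogEvent("10.0.0.12", CC_COORDINATION, "beacon to control channel"),
    DialogEvent("10.0.0.20", KNOWN_CC_CONTACT, "connection to listed control host"),
]
```

Running `correlate(SAMPLE_EVENTS)` profiles 10.0.0.5 (Condition 1), 10.0.0.12 (Condition 2) and 10.0.0.20 (Condition 3), while 10.0.0.9, which only shows inbound scan and exploit alarms, is not declared infected.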


About BotHunter