Detecting Botnets Using Hidden Markov Models on Network Traces

One of the most prevalent problems in modern internet security is the botnet – large numbers of computers running the same malicious, self-propagating program without their users' knowledge. Bot programs communicate with their (human) botmaster, who can command them to stage distributed denial of service attacks, send spam, commit click fraud, send back user passwords, or any number of other illicit actions [1, 6, 10, 11, 14]. The analysis of bots and botnets is still a relatively new field. One may observe that if most of the bots in a botnet can be identified, and if the necessary communication with the botmaster can be blocked, the botnet loses its power [6]. This paper presents a new approach of identifying botnets using data from captured network packets by modeling the network with a Hidden Markov Model (HMM) and then comparing HMMs generated this way to detect covert coordination between computers.