Tuesday, March 23, 2010

BotHunter

BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool. Those tools generally do little to help you rid your network of malware infections. Rather, BotHunter takes a different approach. It is an entirely new network defense algorithm designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, and adware). It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program (http://www.cyber-ta.org) by the Computer Science Laboratory at SRI International.

BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generation engine, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host's dialog production patterns against an abstract malware infection lifecycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection. In short, BotHunter helps you rapidly identify infected machines inside your network that are clearly and helplessly under the control of external malicious hackers.

Dialog correlation attempts to produce classification events for certain network traffic exchanges that are produced and received by your computers. While not all network traffic exchanges produce a dialog event, those that do contribute to an evidence trail that may lead to a malware infection diagnosis report for the associated computer. Dialog events are fed directly into a separate dialog correlation engine, where each host's individual dialog production pattern is mapped and scored against an abstract malware infection life cycle model. When the dialog correlation algorithm determines that a host's dialog production pattern maps sufficiently closely to the life cycle model, the host is declared infected, and an infection profile is generated to summarize all evidence regarding the infection. See our Samples Page for examples of infection profiles produced from a wide variety of Internet malware.
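The scoring step described above, as an added toy example (not BotHunter's own code): it parses constructed dialog events per internal host, counts each life cycle stage once, and emits an infection profile when the weighted evidence crosses a threshold. The stage names, weights, threshold, and the requirement for at least one host-initiated stage are assumptions for illustration, not BotHunter's actual rule set.

```python
from collections import defaultdict

# Assumed lifecycle stages and weights (illustrative, not BotHunter's actual rule set).
STAGE_WEIGHTS = {
    "inbound_scan": 1,    # external host probes the internal host
    "exploit": 2,         # inbound attack payload aimed at the internal host
    "egg_download": 3,    # internal host fetches a binary from an external site
    "cnc": 3,             # internal host talks to a command-and-control server
    "outbound_scan": 2,   # internal host begins probing other hosts
}
LOCAL_STAGES = {"egg_download", "cnc", "outbound_scan"}  # initiated by the internal host
THRESHOLD = 5  # assumed: declare infection once weighted evidence reaches this value

# Constructed dialog events: "<time> <internal_host> <stage> <detail...>"
SAMPLE_EVENTS = """\
10:00:01 10.0.0.5 inbound_scan from 203.0.113.9
10:00:07 10.0.0.5 exploit from 203.0.113.9 sid:2001
10:00:20 10.0.0.5 egg_download http://203.0.113.9/x.exe
10:01:02 10.0.0.5 cnc irc 198.51.100.4:6667
10:00:30 10.0.0.8 inbound_scan from 203.0.113.9
10:02:10 10.0.0.8 inbound_scan from 203.0.113.9
"""

def parse_events(text):
    """Yield (time, host, stage, detail) tuples; lines with unknown stages are ignored."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and parts[2] in STAGE_WEIGHTS:
            yield tuple(parts)

def correlate(events):
    """Score each host's dialog pattern against the lifecycle model; return infection
    profiles. Each stage counts once per host, so repeated inbound scans alone never
    reach the threshold, and at least one host-initiated stage is required."""
    by_host = defaultdict(list)
    for time, host, stage, detail in events:
        by_host[host].append((time, stage, detail))
    profiles = {}
    for host, evidence in by_host.items():
        stages = {stage for _, stage, _ in evidence}
        score = sum(STAGE_WEIGHTS[s] for s in stages)
        if score >= THRESHOLD and stages & LOCAL_STAGES:
            profiles[host] = {"score": score, "stages": sorted(stages),
                              "evidence": sorted(evidence)}
    return profiles

if __name__ == "__main__":
    for host, p in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(f"INFECTED {host} score={p['score']} stages={p['stages']}")
```

With the constructed events, only 10.0.0.5 is declared infected; 10.0.0.8 receives two inbound scans but produces no host-initiated evidence and stays below the threshold.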

BotHunter is funded through the Cyber-Threat Analytics research grant from the U.S. Army Research Office, and is free to all end users to help you combat malware infections. In addition, BotHunter includes an auto-update service that allows fielded systems to receive the latest threat intelligence regarding new sources for ad and spyware management, botnet control sites, backdoor and control ports, and malware-related domain name lookups. The update service also publishes new dialog analysis rules to help BotHunter recognize emerging exploits and malware communication patterns. Modern malware defenses need to be adaptive and aware of the latest strategies used by Internet malware, and BotHunter is ready to meet this challenge.

http://www.bothunter.net