News
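[2011-9-13] Botnet results presentation
- Time: September 19, 2011 (2:30pm) / Location: Conference Room 201, Barry Lam Hall, National Taiwan University
[2011-7-10] Botnet project 12th meeting
- Time: July 15, 2011 (9:30am) / Location: Conference Room 103, Electrical Engineering Building II, National Taiwan University
[2011-6-20] Botnet project 11th meeting
- Time: June 23, 2011 (9:30am) / Location: Conference Room 124, Electrical Engineering Building II, National Taiwan University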
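[2011-6-7] Botnet project 10th meeting
- Time: June 9, 2011 (9:30am) / Location: Conference Room 124, Electrical Engineering Building II, National Taiwan University
[2011-5-23] Botnet project 9th meeting
- Time: May 26, 2011 (9:30am) / Location: Conference Room 124, Electrical Engineering Building II, National Taiwan University
[2011-5-9] Botnet project 8th meeting
- Time: May 12, 2011 (9:30am) / Location: Conference Room 124, Electrical Engineering Building II, National Taiwan University
[2011-4-21] Botnet project 7th meeting
- Time: April 28, 2011 (9:30am) / Location: Conference Room 124, Electrical Engineering Building II, National Taiwan University
[2011-4-11] Botnet project 6th meeting
- Time: April 14, 2011 (9:30am) / Location: Conference Room 124, Electrical Engineering Building II, National Taiwan University
[2011-3-30] Botnet project 5th meeting
- Time: March 31, 2011 (9:30am) / Location: Conference Room 124, Electrical Engineering Building II, National Taiwan University
[2011-3-2] Botnet project 4th meeting
- Time: March 17, 2011 (9:30am) / Location: Conference Room 124, Electrical Engineering Building II, National Taiwan University
[2011-2-10] Botnet project 3rd meeting
- Time: February 14, 2011 (9:30am) / Location: Conference Room 103, Electrical Engineering Building II, National Taiwan University
[2011-1-17] The 1/31 Botnet project meeting is cancelled this one time
[2011-1-13] Botnet project 2nd meeting
- Time: January 17, 2011 (9:30am) / Location: Conference Room 103, Electrical Engineering Building II, National Taiwan University
[2010-12-31] Botnet project 1st meeting
- Time: January 3, 2011 (9:00am) / Location: Conference Room 103, Electrical Engineering Building II, National Taiwan University
[2010-12-6] Suggested paper list for discussion
- Suggested list of 2010 Botnet conference papers for discussion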
Project Overview
Botnets have been one of the most serious threats to system and network security in recent years. Vulnerable servers or routers are attacked and infected, then become part of a botnet governed by a botmaster and execute malicious commands such as distributing spam, phishing, or launching DDoS attacks. A botnet is typically characterized by its distributed nature. Intrusion detectors built on a single machine or router are therefore usually not powerful enough to detect a botnet effectively.
Based on this understanding, we build a framework that considers the spatial relationships between servers or routers to detect the existence of a botnet and its scale. Considering the relationships in the temporal domain additionally tells us the speed of the botnet infection. Taken together, a segmentation technique with both spatial and temporal considerations lets us detect the botnet, its source, its size, and its infection pattern. We propose a spatio-temporal Markov model for botnet detection. Because slow convergence is a common problem in large-scale Markov models, we will also consider an integrated framework to speed up convergence. The integrated framework is based on a from-simple-to-complex modeling process.
This is a two-year project. The first year is devoted to building the data collection system. Some typical botnets will be studied, and their infection patterns will be used to train our model. We will also study the convergence theory for iterative algorithms operating on Markov models treated as loopy graphs. The second year will focus on applying our model to real environments. Different network environments may provide different services and exhibit different behaviors. We would like to make our model adaptive so that our botnet detection works across different network environments.