Botnet Analytics Appliance (BNA)
Title: Principal Scientist
Phone: (781) 839-7138
Email: acaglayan@milcord.com
Title: President
Phone: (781) 839-7138
Email: acaglayan@milcord.com
Contact: Kevin Robbins
Address:
Phone: (505) 844-0747
Type: Federally Funded R&D Center (FFRDC)
Recent reports indicate the activity of more than 6,000 botnet command-and-control (C&C) servers. 70 million zombies are responsible for 80 percent of spam. Given the exponential growth of the botnet threat, the security of our nation's cyber infrastructure demands automated botnet activity monitoring solutions.
In Phase I, Milcord developed a feasibility prototype of a Bayesian Activity Monitor for Botnet Defense. We developed: indicators for measuring botnet behavior, mechanisms for capturing and analyzing packet content to detect bot commands, blacklist interfaces, and a set of Belief Networks that fuse network indicators, DNS data, and bot commands in order to detect and classify botnet behavior. Our results have in general shown the feasibility of learning and predicting botnet behavior at the network level, and blacklist membership in DNS queries.
In Phase II, we propose to develop a full-scale prototype of a Botnet Analytics Appliance, BNA, that leverages botnet intelligence contextual knowledge and integrates with Security Event Management platforms, and to transition this technology to commercial use. The development of our Phase II prototype will not only leverage contextual knowledge obtained from real-time aggregated botnet intelligence data and cybersecurity infrastructures but also contribute to the botnet community knowledge base, enhancing the DHS cyber security mission.
* Information listed above is at the time of submission. *