CPC H04L 63/1416 (2013.01) | 16 Claims

1. A method for detecting botnets, comprising:
monitoring network traffic to collect network data for a device, wherein the network traffic is directed to at least one honeypot of a plurality of honeypots, wherein the plurality of honeypots are segregated from protected entities;
mapping the device to members of at least one stored group of botnet devices, wherein the mapping matches the network data of the device to network data of the members of the at least one stored group of botnet devices;
determining the mapped device to be a botnet device of an associated botnet upon matching the network data of the device to the network data of a member of the associated botnet, wherein the associated botnet is the at least one stored botnet, and wherein the network data includes an estimated startup time of the member;
discovering members of the at least one stored group of botnet devices by analyzing the respective estimated startup times of the discovered members;
logging the network data of the mapped device as being part of the associated botnet of the at least one stored group of botnet devices; and
triggering execution of a mitigation action on the associated botnet in response to a determination that the number of members of the stored group of botnet devices exceeds a predefined proportion of the total number of expected members of the botnet.
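The claim's core steps (estimate a device's startup time from a honeypot observation, map it to a stored group whose members booted at about the same time, log it, and trigger mitigation once the group exceeds a proportion of the expected botnet size) as an added illustration; this is not code from the patent. It assumes the honeypot can learn the device's uptime from the observed traffic, a fixed matching tolerance, and constructed sample addresses and timestamps.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class BotnetGroup:
    """A stored group of botnet devices: member address -> estimated startup time (epoch seconds)."""
    name: str
    expected_total: int                       # expected botnet size (assumed known from earlier analysis)
    members: Dict[str, float] = field(default_factory=dict)

def estimate_startup(observed_at: float, uptime_s: float) -> float:
    """Estimated boot time of the device. Assumption: the honeypot learned uptime_s from the traffic."""
    return observed_at - uptime_s

def map_device(groups: List[BotnetGroup], startup: float, tolerance_s: float) -> Optional[BotnetGroup]:
    """Match the device to the first stored group with a member that booted within tolerance_s."""
    for g in groups:
        if any(abs(startup - s) <= tolerance_s for s in g.members.values()):
            return g
    return None

def ingest(groups: List[BotnetGroup], src: str, observed_at: float, uptime_s: float,
           tolerance_s: float = 120.0) -> Optional[str]:
    """Map one honeypot observation to a stored group and log the device; returns the group name or None."""
    startup = estimate_startup(observed_at, uptime_s)
    group = map_device(groups, startup, tolerance_s)
    if group is None:
        return None
    group.members[src] = startup             # the "logging" step: device is recorded as a group member
    return group.name

def needs_mitigation(group: BotnetGroup, proportion: float) -> bool:
    """Trigger when discovered members exceed the predefined proportion of the expected botnet."""
    return len(group.members) > proportion * group.expected_total

# Constructed sample: a stored group found earlier, two members that booted within 30 s of each other.
STORED = [BotnetGroup("grp-A", expected_total=5,
                      members={"198.51.100.1": 1_700_000_000.0, "198.51.100.2": 1_700_000_030.0})]
# Constructed honeypot observations: (source address, observation time, uptime reported by the device).
OBSERVATIONS = [
    ("198.51.100.3", 1_700_003_600.0, 3_590.0),    # booted at 1_700_000_010 -> matches grp-A
    ("203.0.113.9",  1_700_003_600.0, 90_000.0),   # booted a day earlier -> no stored group
    ("198.51.100.4", 1_700_007_200.0, 7_150.0),    # booted at 1_700_000_050 -> matches grp-A
]

def run() -> Tuple[List[Optional[str]], bool]:
    """Process the sample observations; returns per-device group names and the mitigation decision."""
    results = [ingest(STORED, src, seen, up) for src, seen, up in OBSERVATIONS]
    return results, needs_mitigation(STORED[0], 0.5)   # 4 of 5 expected members > 50% -> True
```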