摘要 |
A method and apparatus for detecting compromised host computers (e.g., Bots) are disclosed. For example, the method identifies a plurality of suspicious hosts (102). Once identified, the method analyzes network traffic of the plurality suspicious hosts to identify a plurality of suspicious hub-servers. The method then classifies the plurality of candidate Bots into at least one group. The method then identifies members of each of the at least one group that are connected to a same controller (118) from the plurality suspicious controllers, where the members are identified to be part of a Botnet. |