BotHunter is a revolutionary, patented Anti-malware defense system specially designed to detect coordination-centric Malware such as Botnets, Spambots, Spyware, Trojan exfiltrators, worms, and Adware.
BotHunter is a key component of the MetaFlows Security System. You can easily install BotHunter on your own hardware to monitor 10 Mbps to 10 Gbps networks, or it can be deployed on a turn-key Metaflows security appliance. The software can be deployed on CentOS 6, as a virtual machine, or in your cloud-based assets. Activation requires registration with Metaflows (free). Register here, then download and install BotHunter using one of the links below.
BotHunter monitors your network traffic to quickly find Malware-infected systems, or systems that are part of a Botnet. Unlike other IDS software, it compares IDS alerts from multiple sessions and combines them to find typical infection patterns or abusive behavior.
Traditional IDS software generates alerts by reconstructing a single session between two endpoints and finding known patterns that confirm security violations within that specific session. This usually results in a very high false positive rate. Important events are often missed due to the huge volume of false positive or low-priority network security events.
BotHunter uses Multiple Session Correlation. This advanced correlation technique gathers specific IDS alerts (also called dialog events) that form a typical behavior pattern for an infected host. Dialog events are fed directly into a separate correlation engine, where each host’s individual dialog production pattern is mapped and scored against an abstract Malware infection life cycle model. When the dialog correlation algorithm shows that a host’s dialog patterns map sufficiently close to the life cycle, the host is declared infected, and an infection profile is generated to summarize all evidence about the infection.
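To make the correlation idea concrete, here is an added toy correlator (not BotHunter's code; the phases E1 to E5, their weights, the threshold and the 30-minute window are assumptions for illustration) that groups constructed IDS alerts per host, scores the distinct life cycle phases seen within one window, and emits an infection profile only when the score crosses the threshold, so no single alert can declare a host infected on its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed abstract infection life cycle phases and evidence weights (illustrative only).
PHASE_WEIGHT = {
    "E1": 1,  # inbound scan / probe
    "E2": 2,  # inbound exploit
    "E3": 3,  # binary (egg) download
    "E4": 3,  # command-and-control dialog
    "E5": 3,  # outbound scan / propagation
}
INFECTION_THRESHOLD = 5         # assumed: one phase alone can never reach it
WINDOW = timedelta(minutes=30)  # assumed: dialog events must fall within one window

def parse_alert(line):
    """Parse a constructed alert line: '<iso-time> <host> <phase> <description>'."""
    ts, host, phase, *desc = line.split()
    return datetime.fromisoformat(ts), host, phase, " ".join(desc)

def correlate(lines):
    """Per host, score distinct phases seen inside one window; profile hosts over threshold."""
    events = defaultdict(list)
    for line in lines:
        ts, host, phase, desc = parse_alert(line)
        if phase in PHASE_WEIGHT:          # ignore alerts that are not dialog events
            events[host].append((ts, phase, desc))
    profiles = {}
    for host, evs in events.items():
        evs.sort()                         # chronological order per host
        for i, (start, _, _) in enumerate(evs):
            hits = [e for e in evs[i:] if e[0] - start <= WINDOW]
            phases = {p for _, p, _ in hits}
            score = sum(PHASE_WEIGHT[p] for p in phases)
            if score >= INFECTION_THRESHOLD:
                profiles[host] = {         # infection profile summarizing the evidence
                    "score": score,
                    "phases": sorted(phases),
                    "evidence": [f"{t.isoformat()} {p} {d}" for t, p, d in hits],
                }
                break
    return profiles

# Constructed sample alerts: 10.0.0.5 shows several phases minutes apart; 10.0.0.9 shows
# isolated phases hours apart (the kind of noise a per-session IDS would still flag).
SAMPLE_ALERTS = [
    "2024-03-01T10:00:00 10.0.0.5 E2 inbound exploit attempt on tcp/445",
    "2024-03-01T10:02:10 10.0.0.5 E3 executable download from external host",
    "2024-03-01T10:05:30 10.0.0.5 E4 periodic beacon to known C2 domain",
    "2024-03-01T10:01:00 10.0.0.9 E1 inbound port scan",
    "2024-03-01T15:00:00 10.0.0.9 E4 periodic beacon to known C2 domain",
]
```

Running `correlate(SAMPLE_ALERTS)` profiles only 10.0.0.5; the two alerts for 10.0.0.9 never share a window, so neither reaches the threshold.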
BotHunter feeds are updated weekly from the SRI Malware Threat Center, and BotHunter is completely integrated into Metaflows. That means that Metaflows customers have access to cutting-edge Malware protection in a context-rich environment that includes flow analysis, log management, SIEM and much more.
As you can see from the graph, running BotHunter on only one core barely exceeds the 100 Mbps level, even on a very fast and modern CPU (Intel i7 950). At 250 Mbps, BotHunter can only process 60% of the traffic. Using 8 cores greatly improves performance, allowing BotHunter to run at speeds exceeding 600 Mbps on a single multi-core processor. Even higher throughput can be achieved using multiple CPUs.