BotHunter is a type of bot application that looks for other bots by tracking two-way communication flows between active software inside a private network and external entities. BotHunter's main purpose is to identify known or suspected malign external entities and to blunt the threats that bot infections can pose.
The term bot, short for robot, refers to a type of software program that operates as an agent for a user or another program, or that simulates human activity. On the Internet, bots search and catalog specific types of information and content. BotHunter carefully analyzes suspicious bots. Sufficient analysis may lead to methods to block or limit a bot's access to specific sites and information assets. The application is designed to ignore (or identify and manage) spiders or crawlers that work for search engines.
BotHunter focuses on the communications dialog that occurs between internal network nodes and external entities in the form of a series of data exchanges. Suspicious bots typically match a state-based infection sequence model. In its initial implementation, BotHunter uses three malware-focused network packet sensors, each of which specializes in various phases of malware infection, including inbound scanning, exploit usage, egg downloading, outbound bot coordination dialogs and outbound attack propagation.
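A simplified dialog-correlation engine in the spirit of the phases listed above, as an added example rather than BotHunter's own code: it groups sensor events per internal host and declares an infection when the phases seen inside a time window satisfy a declaration rule (exploit evidence plus a later-stage phase, or two later-stage phases on their own). The E1..E5 labels, the 300-second window, the rule and the sample events are all constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Dialog phases of the infection sequence model; the E1..E5 labels are assumed.
INBOUND_SCAN, EXPLOIT, EGG_DOWNLOAD, CC_DIALOG, OUTBOUND_PROPAGATION = (
    "E1", "E2", "E3", "E4", "E5")
LATER_STAGE = {EGG_DOWNLOAD, CC_DIALOG, OUTBOUND_PROPAGATION}
WINDOW = 300  # seconds; assumed correlation window per internal host


@dataclass
class Event:
    ts: int         # seconds since epoch (constructed)
    internal: str   # internal node the dialog concerns
    external: str   # external entity on the other side of the flow
    phase: str      # one of E1..E5


def correlate(events, window=WINDOW):
    """Return {internal_host: sorted phases} for each host whose events,
    within `window` seconds of some starting event, satisfy the assumed
    declaration rule. Hosts with only a scan, or with phases too far
    apart in time, are not declared."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.internal].append(ev)
    verdicts = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            phases = {e.phase for e in evs[i:] if e.ts - first.ts <= window}
            later = phases & LATER_STAGE
            # Rule: exploit plus one later-stage phase, or two later-stage
            # phases, is enough evidence to declare the host a bot.
            if (EXPLOIT in phases and later) or len(later) >= 2:
                verdicts[host] = sorted(phases)
                break
    return verdicts


# Constructed sensor output covering three internal hosts.
SAMPLE = [
    Event(100, "10.0.0.5", "203.0.113.7", INBOUND_SCAN),
    Event(130, "10.0.0.5", "203.0.113.7", EXPLOIT),
    Event(160, "10.0.0.5", "198.51.100.20", EGG_DOWNLOAD),
    Event(200, "10.0.0.9", "203.0.113.7", INBOUND_SCAN),          # scan only
    Event(0, "10.0.0.12", "198.51.100.9", CC_DIALOG),
    Event(1000, "10.0.0.12", "192.0.2.40", OUTBOUND_PROPAGATION),  # outside window
]

if __name__ == "__main__":
    for host, phases in correlate(SAMPLE).items():
        print(f"{host}: declared bot, phases seen {phases}")
```

Only 10.0.0.5 is declared; the scan-only host and the host whose two later-stage phases fall outside the window are left alone, which is the kind of false-positive control a correlation window buys.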
Researcher Guofei Gu of the Georgia Institute of Technology demonstrated BotHunter at the USENIX Security Symposium in Boston on August 7, 2007. Working with Wenke Lee from Georgia Tech and Phillip Porras, Vinod Yegneswaran and Martin Fong of the Computer Science Laboratory at SRI International, Gu was the lead author of a paper on BotHunter's design, technology and characteristics entitled "BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation."