Catching modern botnets using active integrated evidential reasoning

Journal of Internet Services and Applications

Table 1 An example of evidence-symptom-action casuality

Category	Evidence	Symptom	Action
E₁(I&A)	e₁₁(S c a n n i n g)	s₁(high TCP failure rate)	a₁ (snort)
	e₁₁(S c a n n i n g)	s₂(fast varying dest ports)	a₂ (argus)
	e₁₂(S p a m m i n g)	s₃(high volume TCP/25)	a₃ (NetFlow)
	e₁₂(S p a m m i n g)	s₄(multi DNS MX queries)	a₄ (DNS log)
		s₅(multi SMTP dest)	a₅ (snort)
E₂(C&C)	e₂₁(P 2P)	s₁(high TCP failure rate)	a₁ (snort)
E₂(C&C)	e₂₁(P 2P)	s₆(high In-and-Out degree)	a₆ (Script 1)
		s₇(high Max Degree Ratio)	a₇ (Script 2)