Document Type

Technical Report

Publication Date



Malware (Computer software) -- Prevention, Algorithms, Computer networks -- Security measures


We present an algorithm for detecting IRC-like chat networks that does not rely on Layer 7 payload information. The goal is to extract only those meshes from conventional flows where long-term periodic data is being exchanged between an external server and multiple internal clients. Flow data is passed through a series of filters that reduce the memory requirements needed for final candidate mesh sorting. Final outputs consist of two sorted lists including the fanout list, sorted by the number of client hosts in the mesh, and a secondary list called the evil sort. The latter consists of meshes with any host with a high TCP work weight1 [3] indicating significant counts of scanning hosts. We are currently able to discover SSL-encoded IRC meshes as well as other chatlike meshes including MSN chat. Therefore we believe that the new algorithm will prove useful in detecting botnet meshes encrypted at Layer 7.


Portland State University Computer Science Department Technical Report #09-01, 2009.

Persistent Identifier