
Discovery of IP addresses of nodes in a botnet


Abstract

A method of discovering suspect Internet Protocol (IP) addresses comprises, at each of a multiplicity of clients, monitoring for malware and, on detection of malware, obtaining a list of IP addresses with which a connection has been made or attempted at the client computer within a preceding time frame. Each client sends the list of IP addresses to a central server and receives in return a blacklist of suspect IP addresses to allow the client computers to block connections with IP addresses within the blacklist. The client may filter out IP addresses to which trivial connections were made prior to sending the list. The server removes safe IP addresses and adds the remaining addresses to a database. The suspect IP addresses may relate to nodes within a botnet. The invention works in conjunction with existing antivirus software, and the crowdsourcing method is made possible because antivirus software providers typically have a large subscriber base.

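Bibliographic details

  • Publication number: GB2502254A

  • Patent type

  • Publication date: 2013-11-27

  • Original format: PDF

  • Applicant/patentee: F-SECURE CORPORATION

  • Application number: GB20120006935

  • Inventor: PAVEL TURBIN

  • Filing date: 2012-04-20

  • Classification: H04L29/06

  • Country: GB

  • Date indexed: 2022-08-21 15:35:54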
