|Description||Use Tiered Bot Detection Approach: ISPs should use a tiered approach to botnet detection that first applies behavioral characteristics of user traffic (cast a wide net), and then applies more granular techniques (e.g., signature detection) to traffic flagged as a potential problem.|
|Industry Role(s)||Service Provider|
|Keyword(s)||Cyber Security; Intrusion Detection|
|Reference/Comments||This technique should help minimize the exposure of customer information in detecting bots by not collecting detailed information until it is reasonable to believe the customer is infected.
Looking at user traffic using a wide net approach can include external feedback as well as other internal approaches.
Note that the Best Practices in this grouping are primarily aimed at ISPs that provide service to consumer end-users on residential broadband networks, but may be applicable to other users and networks as well.
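
A sketch of the two tiers described above, as an added example that is not part of the original Best Practice text. The behavioral feature (distinct port-25 destinations per subscriber), the threshold, the subscriber names, and the signature string are all assumptions constructed for illustration. The point it shows is that payloads are examined only for subscribers the metadata-only tier has flagged.

```python
from collections import defaultdict

# Constructed flow summaries (metadata only, no payload): subscriber, dst, dst_port
FLOWS = [("sub-A", f"198.51.100.{i}", 25) for i in range(40)] + [
    ("sub-B", "203.0.113.10", 443),
    ("sub-B", "203.0.113.11", 25),
    ("sub-C", "203.0.113.10", 443),
]
# Constructed payload samples; a real deployment would capture these only
# after tier 1 flags the subscriber.
PAYLOADS = {
    "sub-A": [b"HELO x\r\nEXAMPLE-BOT-MARKER"],
    "sub-B": [b"GET / HTTP/1.1"],
    "sub-C": [b"EXAMPLE-BOT-MARKER"],  # would match, but tier 1 never flags sub-C
}
SIGNATURES = {"example-bot": b"EXAMPLE-BOT-MARKER"}  # placeholder, not a real signature
SMTP_FANOUT_THRESHOLD = 20  # assumed threshold: distinct port-25 destinations


def tier1_flag(flows, threshold=SMTP_FANOUT_THRESHOLD):
    """Wide net: flag subscribers by behaviour using flow metadata only."""
    smtp_dsts = defaultdict(set)
    for sub, dst, port in flows:
        if port == 25:
            smtp_dsts[sub].add(dst)
    return {sub for sub, dsts in smtp_dsts.items() if len(dsts) >= threshold}


def tier2_inspect(flagged, payload_source, signatures=SIGNATURES):
    """Granular: signature-match payloads, but only for flagged subscribers."""
    inspected, hits = set(), {}
    for sub in sorted(flagged):
        inspected.add(sub)
        for data in payload_source.get(sub, []):
            for name, pattern in signatures.items():
                if pattern in data:
                    hits.setdefault(sub, set()).add(name)
    return inspected, hits


def run_pipeline(flows=FLOWS, payload_source=PAYLOADS):
    flagged = tier1_flag(flows)
    inspected, hits = tier2_inspect(flagged, payload_source)
    return flagged, inspected, hits


if __name__ == "__main__":
    print(run_pipeline())
```

Here `sub-C` carries a payload that would match the signature, yet its content is never read because its flow behaviour did not trip the first tier; that is the data-minimization trade-off the Reference/Comments field describes.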