We propose a generic bot detection system for an endpoint host. It classifies the destinations contacted by the host as benign or malicious by examining the traffic the host generates. The system is based on the assumption that user activity on an endpoint host occurs at random times, so the traffic generated by user activity, which we call user-induced traffic, exhibits random behavior. A bot's C&C traffic, on the other hand, is programmed at the time the bot is coded or configured and is expected to exhibit regular behavior. This difference in behavior is captured using three features extracted from the traffic: the time interval between flows to a destination, the number of packets in flows to a destination, and the number of bytes in flows to a destination. A flow is the set of packets that share the same flow ID (source IP, source port, destination IP, destination port, protocol). The entropy of these features is used to model the behavior of both bot and user-induced traffic. We perform an initial characterization of both traffic classes and derive a set of fuzzy rules that describe their behavior. Fuzziness is introduced so that the difference in traffic behavior can be described in terms of natural language. The following sections describe the system in detail.

Traffic Characterization

From a literature review, we found only a few works [34-38] that analyze bot behavior. From these works we understand that the only invariant in a bot's behavior is its communication with its C&C server, so C&C communication is the weak link through which we can detect the bot's presence. From the bot analysis works we were able to conclude that bots periodically communicate with their masters to obtain commands, report status, publish sto......
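The feature pipeline described above (group the host's flows by destination, extract inter-flow interval, packets per flow and bytes per flow, measure the entropy of each, and apply a fuzzy "regular versus random" rule) can be seen end to end in the following added example. This is illustrative code written for this edit, not the paper's implementation: the flow records are constructed, and the bin widths, the trapezoidal "low entropy" membership thresholds and the single rule (low entropy on all three features implies bot-like regularity) are assumptions, since the paper's actual fuzzy rules are not reproduced on this page. A minimum flow count per destination is added so that a destination seen only once is not reported as regular merely because its one interval and one size carry no entropy.

```python
import math
from collections import defaultdict

# Constructed sample flow records for one endpoint host (not real captures).
# Fields: start time (s), src IP, src port, dst IP, dst port, protocol, packets, bytes.
SAMPLE_FLOWS = [
    # Constructed C&C-like beaconing: every 60 s, identical packet and byte counts.
    (0,   "10.0.0.5", 49152, "203.0.113.5", 443, "tcp", 4, 320),
    (60,  "10.0.0.5", 49153, "203.0.113.5", 443, "tcp", 4, 320),
    (120, "10.0.0.5", 49154, "203.0.113.5", 443, "tcp", 4, 320),
    (180, "10.0.0.5", 49155, "203.0.113.5", 443, "tcp", 4, 320),
    (240, "10.0.0.5", 49156, "203.0.113.5", 443, "tcp", 4, 320),
    (300, "10.0.0.5", 49157, "203.0.113.5", 443, "tcp", 4, 320),
    # Constructed user-induced browsing: irregular timing and sizes.
    (5,   "10.0.0.5", 50001, "198.51.100.7", 443, "tcp", 12, 8200),
    (17,  "10.0.0.5", 50002, "198.51.100.7", 443, "tcp", 3, 640),
    (83,  "10.0.0.5", 50003, "198.51.100.7", 443, "tcp", 45, 51000),
    (91,  "10.0.0.5", 50004, "198.51.100.7", 443, "tcp", 8, 2400),
    (140, "10.0.0.5", 50005, "198.51.100.7", 443, "tcp", 27, 19000),
    (260, "10.0.0.5", 50006, "198.51.100.7", 443, "tcp", 5, 900),
    # A destination contacted only once: too little data to judge regularity.
    (33,  "10.0.0.5", 50007, "192.0.2.9", 53, "udp", 2, 180),
]


def flow_id(flow):
    """The 5-tuple that defines a flow: src IP, src port, dst IP, dst port, protocol."""
    return flow[1:6]


def group_by_destination(flows):
    """Bucket flows by destination IP, each bucket ordered by start time."""
    by_dst = defaultdict(list)
    for f in sorted(flows, key=lambda f: f[0]):
        by_dst[f[3]].append(f)
    return dict(by_dst)


def shannon_entropy(values, bin_width):
    """Shannon entropy (bits) of values after quantising them into bins of bin_width."""
    if not values:
        return 0.0
    counts = defaultdict(int)
    for v in values:
        counts[int(v // bin_width)] += 1
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def destination_features(flows, interval_bin=10, packet_bin=5, byte_bin=1000):
    """Entropy of the three per-destination features (bin widths are assumed values)."""
    times = [f[0] for f in flows]
    intervals = [later - earlier for earlier, later in zip(times, times[1:])]
    return {
        "interval_entropy": shannon_entropy(intervals, interval_bin),
        "packet_entropy": shannon_entropy([f[6] for f in flows], packet_bin),
        "byte_entropy": shannon_entropy([f[7] for f in flows], byte_bin),
    }


def low_membership(x, lo=0.5, hi=1.5):
    """Fuzzy membership of x in the linguistic set "low entropy": 1 at or below lo,
    0 at or above hi, linear in between. Thresholds are assumed, not the paper's."""
    if x <= lo:
        return 1.0
    if x >= hi:
        return 0.0
    return (hi - x) / (hi - lo)


def classify_destination(feats, threshold=0.5):
    """Rule: IF interval, packet AND byte entropy are all low THEN traffic is regular
    (bot-like). Fuzzy AND is the minimum of the memberships."""
    regularity = min(low_membership(v) for v in feats.values())
    label = "malicious" if regularity >= threshold else "benign"
    return label, regularity


def classify_host_traffic(flows, min_flows=3):
    """Classify every destination the host contacted; too few flows yields 'insufficient'."""
    verdicts = {}
    for dst, dst_flows in group_by_destination(flows).items():
        if len(dst_flows) < min_flows:
            verdicts[dst] = ("insufficient", 0.0)
            continue
        verdicts[dst] = classify_destination(destination_features(dst_flows))
    return verdicts


if __name__ == "__main__":
    for dst, (label, score) in classify_host_traffic(SAMPLE_FLOWS).items():
        print(f"{dst:15s} {label:12s} regularity={score:.2f}")
```

The beaconing destination scores a regularity of 1.0 on all three features and is labelled malicious, while the browsing destination's high interval, packet and byte entropy drives its membership in "low entropy" to zero. In a real deployment the bin widths and membership thresholds would be fitted from a characterization of both traffic classes, as the paper describes, rather than fixed by hand as here.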