A computer detects malicious intrusions (or bots) into a computer. The computer receives firewall log data that includes communication records containing the source and destination of the communication, as well as, the time of the communication. The source or destination of the communication may be on a list of suspicious servers known to contain malicious software. The computer identifies a sequence of communications between a common source address and a common destination address. The computer further identifies substantially fixed intervals between the communications, and generates an alert indicating a suspected bot intrusion. The computer also identifies from the sequence of communication, patterns in the communication intervals, similarly generating an alert indicating a suspected bot intrusion.