Network based infection detection
A few days back, I attended a presentation by Prof. Dr. Nasir Memon of the Polytechnic University in Brooklyn, New York. The talk was about a new system that the university developed for detecting computers infected with malware.
Malicious software is normally detected and prevented using virus scanners, IDS systems, firewalls, etc. The problem with this is that most of these systems rely on so-called signatures. Since malicious software gets stealthier every day, signature-based systems miss about 80% of the attacks. Professor Memon's team tried a different approach.
The approach is to focus on what happens on the network after systems get infected. Instead of inspecting the possibly infected hosts (which can give incorrect information anyway if a rootkit is installed), the network traffic is analysed. To do this, so-called SynApps are placed at several detection points in the network. These applications receive all data from the network (for instance via a SPAN port of a core switch).
Because a large amount of data is sent in a typical network, the data itself is not stored. Instead, the data (payload) in the network packets is hashed, and only the hash is stored. Some additional information about the network packets is stored as well, such as the source and destination, the time, and the type of data (several techniques are used to find out whether the data is, for instance, an MP3 stream or a video broadcast).
This way a reduction of information of 1:50 is reached, which makes it possible to keep the data for a long time (weeks). Of course, the original data cannot be restored from the hashes, but it is possible to check whether data is sent more than once, or sent around by a relaying system. This is done by checking whether the hashed data is already in the database. The hashes are stored using Bloom filters, which makes it very efficient to query the data and to find patterns.
Patterns are for instance:
- Systems that are slowed down.
- Systems that reboot frequently.
- Relays that send incoming data to other systems.
- Systems that send data to IP addresses that were never returned in a DNS answer.
- etc.
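To make the hashing, Bloom filter and pattern steps above concrete, here is an added example (my own sketch, not the SynApp code, whose internals the talk did not disclose). It keeps only a SHA-256 digest per packet payload, stores per-host digests in a Bloom filter so no payload is retained, and then applies two of the patterns from the list: a host forwarding data it received earlier (a relay), and a host sending to an address outside the monitored network that never appeared in a DNS answer. The monitored network (10.0.0.0/8), the packet records and the DNS answer set are all constructed sample data.

```python
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict


class BloomFilter:
    """Fixed-size Bloom filter: answers 'seen before?' without keeping the items."""

    def __init__(self, capacity: int, error_rate: float = 0.01) -> None:
        # Standard sizing: m bits and k hash positions for the target false-positive rate.
        self.m = math.ceil(-capacity * math.log(error_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        # Double hashing: k positions derived from two independent SHA-256 values.
        h1 = int.from_bytes(hashlib.sha256(item).digest()[:8], "big")
        h2 = int.from_bytes(hashlib.sha256(b"\x01" + item).digest()[:8], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def payload_digest(payload: bytes) -> bytes:
    """The collector retains only this digest, never the payload itself."""
    return hashlib.sha256(payload).digest()


LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed monitored network


def analyse(packets, dns_answered):
    """Return (relay counts, unresolved-destination counts, ranked suspicious hosts).

    packets: iterable of (time, src_ip, dst_ip, payload_bytes)
    dns_answered: set of IP strings that appeared in DNS answers during the window
    """
    received = defaultdict(lambda: BloomFilter(capacity=10_000))  # per host: digests delivered to it
    relays = Counter()
    unresolved = Counter()
    for _ts, src, dst, payload in packets:
        d = payload_digest(payload)
        # Relay pattern: the sender forwards data that was earlier delivered to it.
        if d in received[src]:
            relays[src] += 1
        received[dst].add(d)
        # Unresolved-destination pattern: external address that DNS never handed out.
        if ipaddress.ip_address(dst) not in LOCAL_NET and dst not in dns_answered:
            unresolved[src] += 1
    hosts = set(relays) | set(unresolved)
    # Simple combined score; a real system would weight many more patterns.
    ranked = sorted(hosts, key=lambda h: relays[h] * 2 + unresolved[h], reverse=True)
    return dict(relays), dict(unresolved), ranked


# Constructed sample capture: one external delivery, two hops of relaying, one beacon.
SAMPLE_PACKETS = [
    (1, "203.0.113.9", "10.0.0.7", b"file-A-contents"),
    (2, "10.0.0.7", "10.0.0.8", b"file-A-contents"),
    (3, "10.0.0.7", "10.0.0.9", b"file-A-contents"),
    (4, "10.0.0.8", "10.0.0.10", b"file-A-contents"),
    (5, "10.0.0.8", "198.51.100.20", b"beacon"),
    (6, "10.0.0.5", "93.184.216.34", b"GET / HTTP/1.1"),
]
SAMPLE_DNS_ANSWERS = {"93.184.216.34"}  # constructed: only this address was resolved

if __name__ == "__main__":
    relays, unresolved, ranked = analyse(SAMPLE_PACKETS, SAMPLE_DNS_ANSWERS)
    for host in ranked:
        print(f"{host}: relayed={relays.get(host, 0)} unresolved_dst={unresolved.get(host, 0)}")
```

Because a Bloom filter can report false positives but never false negatives, a "relay" hit on its own is only a hint; the ranking exists to combine several weak signals before a host lands in the top 10, which is exactly why the post lists multiple patterns rather than one.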
These patterns can be combined in such a way that a top 10 of suspicious systems can be presented by the system.
Data is kept for some weeks. This makes it possible to identify if a newly discovered exploit already infected some systems in the last weeks, and fix those systems.
The types of malicious software that can be detected this way are:
- botnets;
- spyware;
- trojans;
- rootkits;
- viruses and worms.
Professor Memon is searching for companies that are willing to install the system. His university can learn from it, and companies will gain a good malware detection system. Maybe something to consider for your company?