An Analysis of Pre-Infection Detection Techniques for Botnets and other Malware
conference contribution
Posted on 2023-07-26, 13:37
Authored by Mark Graham, Adrian Winckles

Traditional techniques for detecting malware, such as viruses, worms and rootkits, rely on identifying virus-specific signature definitions within network traffic, applications or memory. Because a sample of the malware is required to define an attack signature, signature detection has drawbacks when accounting for malware code mutation, has limited use in zero-day protection, and is a post-infection technique requiring the malware to be present on a device in order to be detected.
A malicious bot is a malware variant that interconnects with other bots to form a botnet. Among their many malicious uses, botnets are well suited to launching large-scale Distributed Denial of Service (DDoS) attacks against the ever-increasing number of networked devices that are starting to form the Internet of Things and Smart Cities. Regardless of topology, centralised Command & Control (C&C) or distributed Peer-to-Peer (P2P), bots must communicate with their commanding botmaster. This communication traffic can be used to detect malware activity in the cloud before it evades network perimeter defences, and to trace a route back to the source to take down the threat.
This paper identifies the inefficiencies exhibited by signature-based detection when dealing with botnets. Total botnet eradication relies on traffic-based detection methods such as DNS record analysis, against which malware authors have multiple evasion techniques. Signature-based detection displays further inefficiencies when located within the virtual environments which form the backbone of data centre infrastructures, providing malware with a new attack vector. This paper highlights a lack of techniques for detecting malicious bot activity within such environments and proposes an architecture based upon flow sampling protocols to detect botnets within virtualised environments.
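The abstract's central observation is that a bot must talk to its botmaster, so the check-in traffic itself is the detection surface, and that in a virtualised data centre the practical way to see that traffic is a flow exporter on the virtual switch rather than a signature engine on each guest. The following is an added example, not code from the paper or its authors, showing the simplest form of that idea: flagging periodic, fixed-size "beacon" channels in exported flow records. It assumes NetFlow/IPFIX-style records (flow start time, source, destination, destination port, byte count); the records, addresses and thresholds are constructed for illustration.

```python
"""Periodic-beacon detection over exported flow records (added example).

Assumes NetFlow/IPFIX-style records (flow start time, src, dst, dst port,
byte count) exported from the virtual switch. All records below are
constructed; the addresses are documentation ranges (RFC 5737).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (start_time_s, src_ip, dst_ip, dst_port, bytes).
# 10.0.0.5 -> 203.0.113.9:443 is a hypothetical bot checking in roughly every
# 60 s with near-identical payload sizes; 10.0.0.7 -> 198.51.100.20:443 is
# hypothetical interactive browsing with irregular timing and sizes.
FLOWS = [
    (0,   "10.0.0.5", "203.0.113.9",   443, 312),
    (61,  "10.0.0.5", "203.0.113.9",   443, 308),
    (119, "10.0.0.5", "203.0.113.9",   443, 315),
    (181, "10.0.0.5", "203.0.113.9",   443, 310),
    (240, "10.0.0.5", "203.0.113.9",   443, 311),
    (299, "10.0.0.5", "203.0.113.9",   443, 309),
    (5,   "10.0.0.7", "198.51.100.20", 443, 48211),
    (12,  "10.0.0.7", "198.51.100.20", 443, 1299),
    (140, "10.0.0.7", "198.51.100.20", 443, 80412),
    (152, "10.0.0.7", "198.51.100.20", 443, 7731),
    (290, "10.0.0.7", "198.51.100.20", 443, 22100),
]


def coefficient_of_variation(values):
    """Population std-dev divided by mean; 0.0 for perfectly regular input."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def group_by_channel(flows):
    """Bucket records by (src, dst, dport): one bucket per candidate C&C channel."""
    channels = defaultdict(list)
    for start, src, dst, dport, nbytes in flows:
        channels[(src, dst, dport)].append((start, nbytes))
    return channels


def beacon_features(records):
    """Return (interval_cv, size_cv) for one channel's (start, bytes) records."""
    records = sorted(records)
    starts = [s for s, _ in records]
    sizes = [b for _, b in records]
    gaps = [b - a for a, b in zip(starts, starts[1:])]  # inter-arrival times
    return coefficient_of_variation(gaps), coefficient_of_variation(sizes)


def detect_beacons(flows, min_flows=5, max_interval_cv=0.1, max_size_cv=0.2):
    """Flag channels whose timing and payload size are both suspiciously regular.

    Thresholds are illustrative assumptions; tune them against the exporter's
    sampling rate and the environment's normal traffic.
    """
    flagged = []
    for channel, records in group_by_channel(flows).items():
        if len(records) < min_flows:
            continue  # too few observations to judge periodicity
        interval_cv, size_cv = beacon_features(records)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            flagged.append(channel)
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst, dport in detect_beacons(FLOWS):
        print(f"beacon candidate: {src} -> {dst}:{dport}")
```

Two caveats follow directly from the abstract. First, a packet-sampled exporter (sFlow at 1-in-N) may never sample a low-rate beacon at all, so the sampling rate bounds what this kind of check can see. Second, the evasion the authors allude to is cheap here: a bot that randomises its sleep interval or pads its payloads pushes both coefficients of variation above the thresholds, which is why flow-based detection is usually combined with other signals such as DNS record analysis rather than used alone.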
History

Page range: 23
Publisher: Canterbury Christ Church University
Place of publication: Canterbury, UK
ISBN: 97801909067158
Conference proceeding: CFET 2014 - 7th International Conference on Cybercrime Forensics Education & Training: Conference Programme & Abstracts
Name of event: 7th International Conference on Cybercrime Forensics Education and Training (CFET 2014)
Location: Canterbury, UK
Event start date: 2014-07-10
Event finish date: 2014-07-11
File version: Published version
Language: eng
Legacy posted date: 2015-06-22
Legacy creation date: 2019-05-22
Legacy Faculty/School/Department: ARCHIVED Faculty of Science & Technology (until September 2018)