Anglia Ruskin Research Online (ARRO)

An Analysis of Pre-Infection Detection Techniques for Botnets and other Malware

conference contribution
posted on 2023-07-26, 13:37 authored by Mark Graham, Adrian Winckles
Traditional techniques for detecting malware, such as viruses, worms and rootkits, rely on identifying virus-specific signature definitions within network traffic, applications or memory. Because a sample of malware is required to define an attack signature, signature detection has drawbacks when accounting for malware code mutation, has limited use in zero-day protection and is a post-infection technique requiring malware to be present on a device in order to be detected. A malicious bot is a malware variant that interconnects with other bots to form a botnet. Amongst their multiple malicious uses, botnets are ideal for launching mass Distributed Denial of Service attacks against the ever-increasing number of networked devices that are starting to form the Internet of Things and Smart Cities. Regardless of topology, centralised Command & Control or distributed Peer-to-Peer, bots must communicate with their commanding botmaster. This communication traffic can be used to detect malware activity in the cloud before it can evade network perimeter defences, and to trace a route back to the source in order to take down the threat. This paper identifies the inefficiencies exhibited by signature-based detection when dealing with botnets. Total botnet eradication relies on traffic-based detection methods such as DNS record analysis, against which malware authors have multiple evasion techniques. Signature-based detection displays further inefficiencies when located within virtual environments, which form the backbone of data centre infrastructures and provide malware with a new attack vector. This paper highlights a lack of techniques for detecting malicious bot activity within such environments, and proposes an architecture based upon flow sampling protocols to detect botnets within virtualised environments.

History

Page range

23

Publisher

Canterbury Christ Church University

Place of publication

Canterbury, UK

ISBN

97801909067158

Conference proceeding

CFET 2014 - 7th International Conference on Cybercrime Forensics Education & Training: Conference Programme & Abstracts

Name of event

7th International Conference on Cybercrime Forensics Education and Training (CFET 2014)

Location

Canterbury, UK

Event start date

2014-07-10

Event finish date

2014-07-11

File version

  • Published version

Language

  • eng

Legacy posted date

2015-06-22

Legacy creation date

2019-05-22

Legacy Faculty/School/Department

ARCHIVED Faculty of Science & Technology (until September 2018)
