An Analysis of Pre-Infection Detection Techniques for Botnets and other Malware

Graham, Mark and Winckles, Adrian (2014) An Analysis of Pre-Infection Detection Techniques for Botnets and other Malware. In: 7th International Conference on Cybercrime Forensics Education and Training (CFET 2014), Canterbury Christ Church University, UK.

Published Version
Available under the following license: Creative Commons Attribution Non-commercial No Derivatives.



Traditional techniques for detecting malware such as viruses, worms and rootkits rely on identifying virus-specific signature definitions within network traffic, applications or memory. Because a sample of the malware is required to define an attack signature, signature detection copes poorly with malware code mutation, is of limited use for zero-day protection and is a post-infection technique: the malware must already be present on a device before it can be detected. A malicious bot is a malware variant that interconnects with other bots to form a botnet. Amongst their many malicious uses, botnets are ideal for launching mass Distributed Denial of Service attacks against the ever increasing number of networked devices that are starting to form the Internet of Things and Smart Cities. Regardless of topology, whether centralised Command & Control or distributed Peer-to-Peer, bots must communicate with their commanding botmaster. This communication traffic can be used to detect malware activity in the cloud before it evades network perimeter defences, and to trace a route back to the source in order to take down the threat. This paper identifies the inefficiencies exhibited by signature-based detection when dealing with botnets. Total botnet eradication relies on traffic-based detection methods such as DNS record analysis, against which malware authors have multiple evasion techniques. Signature-based detection displays further inefficiencies when located within the virtual environments that form the backbone of data centre infrastructures, providing malware with a new attack vector. This paper highlights the lack of techniques for detecting malicious bot activity within such environments and proposes an architecture based upon flow sampling protocols to detect botnets within virtualised environments.

Item Type: Conference or Workshop Item (Paper)
Keywords: Malware Detection Evasion, Botnet, C&C, P2P, Flow Sampling, Virtual Environment
Faculty: ARCHIVED Faculty of Science & Technology (until September 2018)
Depositing User: Repository Admin
Date Deposited: 22 Jun 2015 10:54
Last Modified: 09 Sep 2021 19:01
