Evan Dembskey and Elmarie Biermann
networks such as Facebook, Twitter and MySpace, as well as the mobile generation, provide increasing grounds for malware to access contact details and personal information.

It is vital for the Internet economy that robust and resilient counter systems are constantly in operation while adapting to changing conditions.
3. Current malware detection techniques
The first hint of a malware infection may be the receipt of an email stating that a system appears to be infected and has abused a different system; the convention is that administrative contacts of some form are listed at the regional Internet registry sites such as AfriNIC, ARIN, APNIC, LACNIC and RIPE to assist in communication. The abuse may take the form of spam, scanning activity, DDoS attacks, phishing or harassment (Schiller, Binkley & Harley 2007).
It is a poor security method indeed that relies on informants only. A better approach is the use of network-monitoring tools such as Wireshark or tcpdump, since malware activity results in data that can be analysed. Examples of prevalent data types are (Bailey et al. 2009):
DNS Data: Data regarding name resolution can be obtained by mirroring data to and from DNS servers and can be used to detect botnet attack behaviour.

Netflow Data: Netflow data represents information gathered from the network by sampling traffic flows and obtaining information regarding source and destination IP addresses and port numbers. This is not available on all networks.

Packet Tap Data: Packet tap data provides a more fine-grained view than netflow, but is generally more costly in terms of hardware and computation. Simple encryption reduces this visibility back to the same order as netflow.

Address Allocation Data: Knowing where hosts and users are in the network can be a powerful tool for identifying malware reconnaissance behaviour and for rapid attribution.

Honeypot Data: Placed on a network with the express intention of being turned into botnet members, honeypots can be a powerful tool for gaining insight into botnet means and motives.

Host Data: Host-level data, from OS and application configurations, logs and user activity, provides a wealth of security information and can avoid the visibility issues with encrypted data.
An even better method is an Intrusion Detection System (IDS). An IDS can be either host-based (HIDS) or network-based (NIDS). Both of these are further categorised by the type of algorithm used, namely anomaly-based and signature-based detection. Anomaly-based techniques develop an understanding of what normal behaviour is on a system and report any deviation. Signature-based techniques use representations of known malware to decide whether software is indeed malicious. A specialised form of anomaly-based detection, called specification-based detection, makes use of a rule set to decide whether software is malicious; violation of these rules indicates possible malicious software.
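The three detection styles just described are easiest to tell apart when run over the same host telemetry. The following added example (mine, not from the paper) applies a signature check, a specification rule set and an anomaly baseline to a constructed stream of process-creation events; the file hashes, image paths, rules and baseline are placeholders invented for the illustration, not real indicators.

```python
"""Added example: signature-, specification- and anomaly-based detection over one
constructed host event stream (process image, parent image, image hash).

Assumptions (mine): hashes are stand-ins derived from labels, paths and rules
are illustrative, and the baseline was 'learned' from a clean period.
"""
import hashlib


def fake_sha256(label):
    """Constructed stand-in for a file hash so the sample is self-contained."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed host telemetry in the order the events occurred.
EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "sha256": fake_sha256("explorer")},
    {"image": r"C:\Program Files\Office\winword.exe",
     "parent": r"C:\Windows\explorer.exe", "sha256": fake_sha256("winword")},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Office\winword.exe", "sha256": fake_sha256("cmd")},
    {"image": r"E:\autorun\update.exe",
     "parent": r"C:\Windows\explorer.exe", "sha256": fake_sha256("dropper")},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "sha256": fake_sha256("svchost")},
]

# Signature-based: a representation of known malware, here the hash of a
# previously analysed sample (constructed value, not a real indicator).
KNOWN_BAD_HASHES = {fake_sha256("dropper")}


# Specification-based: rules describing permitted behaviour; a violation is
# reported even if the binary has never been seen before.
def rule_no_removable_media_exec(ev):
    """Executables launched from removable media (constructed drive letters) are disallowed."""
    return not ev["image"].upper().startswith(("E:\\", "F:\\"))


def rule_office_must_not_spawn_shell(ev):
    """A document viewer has no business starting a command interpreter."""
    is_shell = ev["image"].lower().endswith(("cmd.exe", "powershell.exe"))
    parent_is_office = "office" in ev["parent"].lower()
    return not (is_shell and parent_is_office)


SPEC_RULES = [rule_no_removable_media_exec, rule_office_must_not_spawn_shell]

# Anomaly-based: parent -> child pairs observed during a clean baseline
# period (constructed); anything outside this picture of 'normal' is a deviation.
BASELINE_PAIRS = {
    (r"C:\Windows\System32\userinit.exe", r"C:\Windows\explorer.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Office\winword.exe"),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
}


def signature_hits(events):
    """Images whose hash matches a known-malware representation."""
    return [ev["image"] for ev in events if ev["sha256"] in KNOWN_BAD_HASHES]


def specification_hits(events):
    """(image, violated rule name) for every rule violation, in event order."""
    return [(ev["image"], rule.__name__)
            for ev in events for rule in SPEC_RULES if not rule(ev)]


def anomaly_hits(events):
    """Images whose parent/child relationship was never seen in the baseline."""
    return [ev["image"] for ev in events
            if (ev["parent"], ev["image"]) not in BASELINE_PAIRS]


if __name__ == "__main__":
    print("signature:", signature_hits(EVENTS))
    print("specification:", specification_hits(EVENTS))
    print("anomaly:", anomaly_hits(EVENTS))
```

Note how the three disagree: the signature check only catches the sample whose hash is already known, the rule set also catches the shell spawned by the document viewer, and the baseline flags both but would equally flag any legitimate new software, which is the false-positive cost the text's "reports any deviation" implies.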
A NIDS sees protected hosts in terms of their external interfaces to the rest of the network, rather than as single systems, and gets most of its results from network packet analysis. Much of the data used is the same as that discussed under the manual methods above. A HIDS focuses on individual systems. That does not mean each host runs its own HIDS application (they are generally administered centrally); rather, it means that the HIDS monitors activity on a protected host. It can pick up evidence of breaches that have evaded outward-facing NIDS and firewall systems, or that have been introduced by other means such as internal attacks, direct tampering by internal users and the introduction of malicious code from removable media (Schiller, Binkley & Harley 2007).
Malware can also be detected forensically. Though this occurs after damage has been incurred, it is important for a number of reasons, including legal purposes. Forensic aims can include identification, preservation, analysis and presentation of evidence. Digital investigations that are or might be presented in a court of law must meet the applicable standards of admissible evidence. Admissibility is a concept that varies according to jurisdiction (Schiller, Binkley & Harley 2007).
Two techniques that are essentially forensic in nature are darknets and honeynets, though the knowledge gained from their use helps to prevent, detect and remove botnets. A darknet is, in general usage, a closed private network used for file sharing. However, the term has been extended in the security sphere to apply to IP address space that is routed but has no active hosts and therefore no legitimate traffic.
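The following added example (mine, not from the paper) serves both the Netflow data type listed earlier and the darknet definition just given. Because nothing legitimate should ever be sent into routed-but-unused address space, any flow whose destination falls in the darknet prefix is evidence on its own, and the same flow records also reveal reconnaissance fan-out (one source contacting many destination address/port pairs). The simplified flow line format (`src dst dport proto`), the documentation-range addresses, the choice of 203.0.113.0/24 as the darknet and the fan-out threshold are all assumptions for the illustration, not real NetFlow export or real network data.

```python
"""Added example: darknet hits and reconnaissance fan-out from flow records.

Assumptions (mine): one flow per line as `src dst dport proto` (a simplified
stand-in for a NetFlow export); 203.0.113.0/24 is routed but hosts nothing;
all addresses are from documentation ranges; thresholds are illustrative.
"""
import ipaddress
from collections import defaultdict

DARKNET = ipaddress.ip_network("203.0.113.0/24")  # constructed darknet prefix

# Constructed flows: two ordinary clients, one internal host (10.0.0.12)
# sweeping port 445 across both live and dark space, and one external
# source (192.0.2.44) probing telnet inside the darknet.
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.10 443 tcp
10.0.0.5 198.51.100.11 443 tcp
10.0.0.7 198.51.100.10 80 tcp
10.0.0.12 203.0.113.7 445 tcp
10.0.0.12 203.0.113.8 445 tcp
10.0.0.12 203.0.113.9 445 tcp
10.0.0.12 198.51.100.20 445 tcp
10.0.0.12 198.51.100.21 445 tcp
10.0.0.12 198.51.100.22 445 tcp
10.0.0.12 198.51.100.23 22 tcp
192.0.2.44 203.0.113.200 23 tcp
not-an-address 203.0.113.1 80 tcp
"""


def parse_flows(text):
    """Yield (src, dst, dport, proto); lines that do not parse are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, proto = parts
        try:
            yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                   int(dport), proto.lower())
        except ValueError:
            continue  # malformed address or port number


def darknet_hits(text, darknet=DARKNET):
    """Map each source that sent anything into the darknet to its flow count.

    Every entry is suspicious by construction: no host lives there, so no
    legitimate peer has a reason to address it."""
    counts = defaultdict(int)
    for src, dst, _dport, _proto in parse_flows(text):
        if dst in darknet:
            counts[str(src)] += 1
    return dict(counts)


def fan_out(text, min_targets=5):
    """Sources whose count of distinct (dst, dport) pairs reaches min_targets.

    Flow data carries no payload, so breadth of contact is the signal; the
    threshold trades sensitivity against ordinary busy clients."""
    targets = defaultdict(set)
    for src, dst, dport, _proto in parse_flows(text):
        targets[str(src)].add((str(dst), dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    print("darknet hits:", darknet_hits(SAMPLE_FLOWS))
    print("fan-out:", fan_out(SAMPLE_FLOWS))
```

Both checks only need the source, destination and port fields that netflow-style data already carries, which is why the text treats flow records as usable even where encryption hides payloads; the darknet check in particular needs no baseline at all.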