A statistical tool first used in 1966 and
currently used in speech and gesture recognition may hold a key to
sniffing out botnets – by predicting the likely “next move” of infected
PCs and the healthy computers around them, according to Science Daily.
Researchers at PSG College of Technology, Coimbatore, India, have
developed a tool which can make “zombie” PCs stand out from the crowd
by analyzing their activity instantly – a process which is often “like
trying to identify one goldfish in a giant fish tank,” according to Slashdot’s report.
The tool uses a hidden Markov model, a statistical technique that
lets researchers predict future behavior without knowing the full
history of a system’s past. The researchers track data packets coming
in and out of PCs, use these to “forecast” how an infected PC might
behave, and contrast this with the “normal” behavior of PCs on the same
network. They liken the process to predicting the weather. Hidden Markov
models are used extensively in speech recognition and gesture
recognition today, but the statistical models were first used in the Sixties.
The researchers write that, “The team has applied the
statistical logic of the hidden semi-Markov model to forecast the
characteristics of internet activity on a given computer suspected of
being a zombie computer in a botnet… These variables are the components
used to control the flow of data packets in and out of the computer via
the internet protocol. Their approach can model the “normal” behavior
and then highlight botnet activity as being a deviation from the normal
without the specific variables that are altered by the malware being in
plain sight.”
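The two paragraphs above describe the approach at a high level: fit a hidden Markov model to a host’s normal packet-flow behaviour, then flag hosts whose observed traffic the model finds unlikely. The following is an added illustration, not code from the PSG College researchers, the Science Daily article or Slashdot. It uses a plain (not semi-) Markov model with two hidden states (host idle, user actively browsing) emitting discretised per-window packet rates, and all transition and emission probabilities, as well as the sample traffic sequences, are assumed values constructed for the example rather than learned from real traffic. The forward algorithm gives log P(observations | normal model); a host whose per-window score falls well below what known-good traffic achieves is reported as a deviation from normal, which is the detection idea the researchers describe.

```python
"""Toy hidden-Markov anomaly scorer for per-host traffic (constructed example).

Not the PSG researchers' model: parameters and sequences are assumed values
chosen only to illustrate "model normal, flag the deviation".
"""
import math
from typing import List, Sequence

# Observation alphabet: packet rate in a fixed time window, discretised.
IDLE, LOW, HIGH = 0, 1, 2

# Hidden states: 0 = host idle, 1 = user actively browsing.
# ASSUMED parameters for illustration, not learned from real traffic.
START = [0.5, 0.5]
TRANS = [[0.9, 0.1],   # idle   -> idle / active
         [0.2, 0.8]]   # active -> idle / active
EMIT = [[0.85, 0.10, 0.05],   # idle host emits mostly IDLE windows
        [0.10, 0.40, 0.50]]   # active host emits LOW / HIGH windows


def _logsumexp(xs: Sequence[float]) -> float:
    """Numerically stable log(sum(exp(x) for x in xs))."""
    m = max(xs)
    if m == float("-inf"):
        return m
    return m + math.log(sum(math.exp(x - m) for x in xs))


def log_likelihood(obs: Sequence[int], start=START, trans=TRANS, emit=EMIT) -> float:
    """Forward algorithm in log space: log P(obs | model), summed over every
    hidden-state path. Returns -inf for an empty observation sequence."""
    if not obs:
        return float("-inf")
    n_states = len(start)
    # alpha[s] = log P(obs[0..t], state_t = s)
    alpha = [math.log(start[s]) + math.log(emit[s][obs[0]]) for s in range(n_states)]
    for o in obs[1:]:
        alpha = [
            _logsumexp([alpha[p] + math.log(trans[p][s]) for p in range(n_states)])
            + math.log(emit[s][o])
            for s in range(n_states)
        ]
    return _logsumexp(alpha)


def likelihood(obs: Sequence[int]) -> float:
    """P(obs | model) on the linear scale (handy for small hand-checkable cases)."""
    return math.exp(log_likelihood(obs))


def score(obs: Sequence[int]) -> float:
    """Log-likelihood per window, so sequences of different length are comparable."""
    if not obs:
        return float("-inf")
    return log_likelihood(obs) / len(obs)


def fit_threshold(normal_sequences: List[Sequence[int]], margin: float = 0.25) -> float:
    """Baseline from known-good traffic: a sequence scoring more than `margin`
    nats per window below the worst normal sequence is treated as a deviation."""
    return min(score(s) for s in normal_sequences) - margin


def is_anomalous(obs: Sequence[int], threshold: float) -> bool:
    """True when the normal-behaviour model finds the traffic too unlikely."""
    return score(obs) < threshold


# Constructed sample traffic (per-window rate symbols), not real captures.
NORMAL_TRAINING = [
    [0, 0, 0, 0, 0, 1, 2, 2, 2, 1, 2, 0, 0, 0, 0, 0],   # idle, browse, idle
    [0, 0, 0, 0, 0, 0, 0, 0, 1, 2, 2, 1, 0, 0, 0, 0],
    [1, 2, 2, 1, 2, 2, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0],
]
NORMAL_HELD_OUT = [0, 0, 0, 1, 2, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]
# Constructed "suspect" host: small, metronomic bursts while otherwise idle,
# a pattern the idle/browsing model assigns low probability to.
SUSPECT_BEACON = [0, 1] * 8

if __name__ == "__main__":
    thr = fit_threshold(NORMAL_TRAINING)
    print(f"threshold (nats/window): {thr:.3f}")
    for name, seq in [("held-out normal", NORMAL_HELD_OUT), ("suspect", SUSPECT_BEACON)]:
        print(f"{name:16s} score={score(seq):.3f} anomalous={is_anomalous(seq, thr)}")
```

The threshold is derived only from traffic already believed to be normal, so the detector never needs a signature for the malware itself; a real deployment would learn the model parameters from traffic (e.g. Baum-Welch) and would need to re-baseline as legitimate usage drifts, otherwise ordinary changes in user behaviour show up as false positives.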
The researchers write that while AV software can spot the malware
which controls PCs in a botnet, cybercriminals are constantly adapting
their techniques, and suggest that their tool may offer a way to “lock
down” botnets and zombie PCs quickly.
The researchers point out that “malware developers have focused recently on web-based, http, type activity, which is easier to disguise among the myriad packets of data moving to and fro across a network and in and out of a particular computer,” and say that their hidden Markov tool offers “a lightweight and real-time detection system [that] can see through this disguise easily. If implemented widely such a system could lock down this kind of botnet very quickly and slow the assimilation of zombie computers by criminals and others with malicious intent.”
Slashdot’s report comments that identifying a small number of infected PCs among thousands can be difficult – and that this tool “may offer hope.”
“Identifying calls between one zombie PC and the botnet
that owns it, from inside a company with thousands of computer systems,
is like trying to identify one goldfish among thousands in a giant fish
tank: among thousands of others doing almost the same things, it’s hard
to identify the one fish with evil on its mind,” the report says, “But a
half-century-old statistical analysis tool may offer more hope, by
suggesting enough about the behavior of well-adjusted fish to make the
behavior of the bad ones stand out.”