Network-centric behavioural malware prevention: spyware and beyond?

Richard Ford, Gerald Marin, William Allen, Jason Michalske (Florida Institute of Technology)

Technical stream: Thursday 12 October 2006, 11:20 - 12:00.

Based upon the growing threat of spyware and more general network-based threats to user privacy, there is increased interest in the role of long-term traffic analysis for the behavioural detection of hostile programs. Furthermore, as computers increasingly become the focus of financially-motivated crime, the emphasis on acquiring and keeping compromised machines is likely to grow - leading to more frequent updates of trojans and bots on host machines and placing increased stress on anti-virus researchers.

At an individual packet level it is often difficult to determine if a stream is indicative of infection/subversion of a protected host. However, cumulative evidence that a host has become infected is generally very clear if traffic is captured and analysed over a period of time. Similarly, it is difficult to tell simply by examining the network traffic if a host has a piece of spyware installed upon it; rather, traffic must be viewed in the context of user behaviour.

In this paper, we outline an approach to behavioural virus suppression systems that incorporates a strong emphasis on network traffic analysis. In particular, we focus on a practical system to detect network-aware worms, spyware and adware by examining deviations in normal aggregate traffic patterns in conjunction with software input. A demo of our technology will be given, and implications for further research described. In addition, we explore the current methodology for spyware removal, and its fundamental limitations in dealing with the overall problem.
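The two paragraphs above make a point that is easy to state and worth seeing in code: a single outbound flow from an infected host usually looks like any other flow, but the host's traffic aggregated over a window (how many distinct destinations it contacts, how many of its connection attempts fail) separates it clearly from the normal population. The following is an added illustration written for this page, not the authors' system or code, and it covers only the traffic-aggregation half of their approach (the "software input" / user-behaviour context is not modelled). Host names, addresses, the 300-second window, the baseline period and the alert margins are all constructed assumptions.

```python
"""Added example: per-host aggregate traffic deviation detector.

Flows are bucketed per (host, time window); a baseline profile is built from
a clean period and later windows are flagged when a metric exceeds the
baseline by a margin. All sample data below is constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of capture
    src: str         # protected (internal) host
    dst: str         # remote address
    dport: int
    completed: bool  # TCP handshake completed (SYN/ACK seen)


# Metrics whose baseline may have zero variance still need a floor on the
# alert margin, otherwise any tiny deviation would fire.
MIN_MARGIN = {"flows": 20, "distinct_dsts": 10, "fail_ratio": 0.2}


def make_flows():
    """Constructed capture: three workstations behave normally for 0-599s;
    from 600s on, ws-3 sweeps 192.0.2.0/24 on port 445 with mostly failed
    handshakes (a scanning-worm pattern) while ws-1 and ws-2 are unchanged."""
    servers = ["10.0.0.5", "10.0.0.6", "203.0.113.10", "203.0.113.20"]
    flows = []
    for t in range(0, 1200, 30):
        hosts = ("ws-1", "ws-2", "ws-3") if t < 600 else ("ws-1", "ws-2")
        for host in hosts:  # a couple of ordinary web flows every 30 seconds
            flows.append(Flow(t, host, servers[(t // 30) % 4], 443, True))
            flows.append(Flow(t + 5, host, servers[(t // 30 + 1) % 4], 80, True))
    for t in range(600, 1200, 2):  # one probe every two seconds, 1 in 10 answered
        probe = t // 2
        flows.append(Flow(t, "ws-3", f"192.0.2.{probe % 254 + 1}", 445, probe % 10 == 0))
    return flows


def window_features(flows, window):
    """Aggregate flows into per-(host, window) metrics."""
    buckets = defaultdict(lambda: {"flows": 0, "dsts": set(), "failed": 0})
    for f in flows:
        b = buckets[(f.src, f.ts // window)]
        b["flows"] += 1
        b["dsts"].add(f.dst)
        b["failed"] += 0 if f.completed else 1
    return {
        key: {
            "flows": v["flows"],
            "distinct_dsts": len(v["dsts"]),
            "fail_ratio": v["failed"] / v["flows"],
        }
        for key, v in buckets.items()
    }


def build_profile(features):
    """Population mean and standard deviation of each metric over the
    baseline buckets ("normal aggregate traffic" across all hosts)."""
    profile = {}
    for m in ("flows", "distinct_dsts", "fail_ratio"):
        vals = [feat[m] for feat in features.values()]
        profile[m] = (mean(vals), pstdev(vals))
    return profile


def detect(features, profile, k=3.0):
    """Return (host, window, reasons) for buckets exceeding baseline + margin."""
    alerts = []
    for (host, win), feat in sorted(features.items()):
        reasons = tuple(
            m for m, (mu, sd) in profile.items()
            if feat[m] > mu + max(k * sd, MIN_MARGIN[m])
        )
        if reasons:
            alerts.append((host, win, reasons))
    return alerts


def run(window=300, baseline_end=600):
    """Build the profile from the clean period, then score later windows."""
    flows = make_flows()
    base = window_features([f for f in flows if f.ts < baseline_end], window)
    test = window_features([f for f in flows if f.ts >= baseline_end], window)
    return detect(test, build_profile(base))


if __name__ == "__main__":
    for host, win, reasons in run():
        print(f"{host} window {win}: deviates on {', '.join(reasons)}")
```

Running it reports only ws-3, in both post-baseline windows, on all three metrics; ws-1 and ws-2 never fire even though their individual flows are indistinguishable in shape from the probes. The `MIN_MARGIN` floor is the one edge case worth noting: a clean baseline often has zero variance on failure ratio, and a pure z-score rule would then alert on a single failed handshake.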
