Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tools To Squash the Botnets

Posted by ryuzaki0 on from the squish-squish-little-bugs dept.

Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."

4 of 135 comments (clear)

  1. Talk by Paul Barford by QuantumG · · Score: 5, Informative

    Title: Toward Self-directed Network Intrusion Detection and Prevention

    Abstract:

    Network attacks and intrusions have been a fact of life in the Internet
    for many years and continue to present serious challenges for network
    researchers and operators alike. The objective of our work is to develop
    tools and systems that automate or otherwise enhance key activities of
    network security analysts. In the first part of this talk, I will describe
    our malicious traffic assessment activities using our Internet Sink
    (iSink) system for dark address space monitoring. iSink is a highly
    scalable system that includes both passive packet capture and a set of
    stateless active responders that enable details of exploits to be
    captured. Our results illustrate the variability in the traffic on dark
    address space and the feasibility of efficient classification of attack
    types. I will also describe how data from dark address space monitors can
    be used to provide near real time network "situational awareness" for
    security analysts. iSink data is also the basis for our Nemean system that
    automatically synthesizes signatures for intrusion detection. Unlike
    standard intrusion signatures, Nemean's signatures are protocol aware
    which we show greatly enhances their resilience to false alarms. I will
    describe Nemean, and conclude with a brief description of our current
    activities in adapting Nemean into a real time intrusion prevention
    system.

    Where: Grad. Lounge

    When: Thursday 27th Oct 2005 11 am.

    2 years from lab to startup, not bad dude.

    --
    How we know is more important than what we know.
    1. Re:Talk by Paul Barford by Anonymous Coward · · Score: 1, Informative
      In fact, this behavior is encouraged by UW--Madison, and rightly so.


      UW--Madison allows the researcher to own the patents, and in essentially all cases, the licensing proceeds and some profits are voluntarily donated to the Wisconsin Alumni Research Foundation (WARF), a 3rd-party organization founded and maintain by researchers at the university for exactly this purpose.


      This attitude can be summarized as "We trust our researchers, and we want to see their research become useful outside the ivory tower."


      The WARF generates a huge amount of money which is then donated back to primary research at the university. It is the single reason why UW--Madison is consistently a leader in biotech, especially compared to other big state universities.

  2. BotHunter, anyone? by AgentPhunk · · Score: 4, Informative
    A free/open-source tool called BotHunter has been available for a while now. Sounds like maybe the guy in TFA is just going to copy and sell their ideas.

    http://www.cyber-ta.org/releases/botHunter/

    From the site: BotHunterTM is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunterTM is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of in and outbound dialog warnings are found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.

    There's also a great PDF available showing a full dissection of a Storm variant.

  3. Is this prior art? by khasim · · Score: 2, Informative

    http://seclists.org/focus-ids/2003/Feb/0031.html

    And that is with 30 seconds of Google searching. I thought I had heard of that concept before.

    Search Google with "worm 'protocol validation'".