Slashdot Mirror


Tools To Squash the Botnets

Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."

3 of 135 comments

  1. Not only that, but there are NO details. by khasim · Score: 4, Interesting

    I can accept an ad that describes the advances. This article says NOTHING.

    And the claims he is making do NOT fit with how machines are infected or how the zombies are used.

    Intrusion Detection Systems are based around knowing YOUR traffic. And finding patterns that do NOT match what is normal for your network.

    They include patterns for known exploits ... but there are an almost infinite number of patterns for exploits.

    But there SHOULD be a finite number of LEGITIMATE patterns on your corporate network.

    Instead of claiming "new" ways of "faster" identification of "bad" stuff, a real improvement would be faster identification of LEGIT patterns.

    I'm thinking "snake oil" here.

  2. Ahoy! Press release! by martin-boundary · Score: 4, Interesting

    Where does Roland Piquepaille find all these contentless press releases? No facts, no explanations, pie-in-the-sky false positive claims, unnamed competitor systems...

    Does he think slashdot readers don't read the article or something?

  3. Re:I don't see that. by Sentry21 · Score: 4, Interesting

    A friend of mine is getting DoS'ed for some reason (http://whatsmyip.org/), and he couldn't figure out why, or what to do about it. I suggested scanning the Apache logs and firewalling off any IPs that make too many requests, dropping the packets so the application never sees them. Looking through his logs, though, I saw something interesting - the vast majority of connections to his site were from a user-agent of 'Java 1.6' (or some such). Configuring Apache to ignore requests from that user-agent resulted in his site becoming responsive again - all of the 'bad' clients were Java clients. Go figure.

    I still think he should use that as a basis for firewalling IPs off, but I guess it doesn't matter in the end.
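The log triage described in comment 3 (count requests per client IP, then notice that one User-Agent accounts for almost all of the traffic) is the kind of "know your own traffic, find what does not fit" check that comment 1 argues is the real substance of intrusion detection. The script below is an added example written for this page; it is not code from either commenter or from the Wisconsin project. It parses Apache combined-format access-log lines, flags IPs above a request threshold, and reports a User-Agent that dominates the request mix. The sample log lines, the IP addresses (from the documentation ranges), the `Java/1.6.0_01` agent string and the threshold of 5 requests are all constructed for the demonstration.

```python
import re
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict; return None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines):
    """Tally requests per client IP and per User-Agent, skipping unparseable lines."""
    by_ip = Counter()
    by_agent = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip[rec["ip"]] += 1
        by_agent[rec["agent"]] += 1
    return by_ip, by_agent


def noisy_ips(by_ip, threshold):
    """IPs that made at least `threshold` requests, busiest first.

    This is the per-IP view the commenter first suggested feeding into a
    firewall deny list (threshold is an operator choice, not a fixed rule).
    """
    return sorted((ip for ip, n in by_ip.items() if n >= threshold),
                  key=lambda ip: -by_ip[ip])


def dominant_agent(by_agent, share=0.5):
    """Return a User-Agent responsible for more than `share` of all requests, or None.

    A single agent string carrying most of the traffic is the pattern the
    commenter spotted by eye; on a normal site the agent mix is spread across
    browsers, so one string dominating is the anomaly worth examining.
    """
    total = sum(by_agent.values())
    if total == 0:
        return None
    agent, n = by_agent.most_common(1)[0]
    return agent if n / total > share else None


def analyse(lines, threshold=5):
    """Run both checks over a log and return the findings as a dict."""
    by_ip, by_agent = summarise(lines)
    return {
        "requests": sum(by_ip.values()),
        "noisy_ips": noisy_ips(by_ip, threshold),
        "dominant_agent": dominant_agent(by_agent),
    }


def _line(ip, agent, path):
    """Build one constructed combined-format line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Jan/2007:13:55:36 -0700] "GET {path} HTTP/1.1" '
            f'200 2326 "-" "{agent}"')


# Constructed sample log: three clients using a Java HTTP library each make 8
# requests, two ordinary browsers make 3 requests in total.
JAVA_AGENT = "Java/1.6.0_01"
SAMPLE_LOG = (
    [_line(ip, JAVA_AGENT, "/") for ip in
     ("198.51.100.10", "198.51.100.11", "198.51.100.12") for _ in range(8)]
    + [_line("203.0.113.5", "Mozilla/5.0 (X11; Linux) Firefox/2.0", "/index.html")] * 2
    + [_line("203.0.113.6", "Mozilla/5.0 (Macintosh) Safari/419", "/about.html")]
    + ["not a log line at all"]  # exercises the parse-failure path
)

if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG, threshold=5)
    print(f"{findings['requests']} requests parsed")
    print("IPs over threshold:", ", ".join(findings["noisy_ips"]) or "none")
    print("dominant User-Agent:", findings["dominant_agent"] or "none")
```

Run against a real access log with `analyse(open("/var/log/apache2/access.log"))` (path is an assumption; adjust to the server). The per-IP list maps directly onto the firewall approach the commenter preferred, while the dominant agent string is what an Apache `SetEnvIf`/`Require not env` rule or a reverse-proxy filter would key on; either way, review the output before blocking, since a legitimate monitoring client or a shared NAT address can look just as busy.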