Posted on Tuesday, November 21st, 2006

What Would Spyware Do?

by Sunil James

Kevin Borders, who worked with the ASERT this past summer, is today’s guest blogger. Kevin’s working on some interesting technology being developed at the University of Michigan that we thought you’d enjoy learning more about. As always, we welcome any questions, comments or concerns:

We cannot always rely on signatures to detect spyware and other bad stuff in our networks. Sometimes it is important to look at the behavior of programs and machines to make sure they are not acting up. The obvious place to watch, of course, is on each host itself. However, taking the front seat to the spyware show has significant disadvantages. The lack of isolation between the spyware and the monitoring software not only lets the spyware know you are watching, but often gives it the opportunity to hide in a low-layer rootkit, or, even worse, to disable anti-virus/anti-spyware software altogether. Furthermore, networks often have a number of unmanaged hosts, such as laptops or development machines, which will not be running host-based security software and thus will go unprotected. These considerations make network-level behavioral monitoring a much more complete solution, even though its visibility into what a program is doing is somewhat less than that of a host-based system.

A question remains: how can you detect spyware by analyzing behavioral patterns in network traffic? To put it more bluntly: what would spyware do? The answer lies in a fundamental difference between normal human web activity and spyware traffic (for the sake of discussion, we will only consider web traffic here, because it is the most popular network application and the one most spyware programs use). The purpose of a person browsing the Internet is usually to retrieve information. The purpose of spyware, however, is to send that person's private information to a remote server. Most human web requests contain very little outgoing information that is not constrained by the protocol: the request line, the headers and most of the URL are dictated by the site being visited, and only the parts the user actually chose (a search string, a form field) are free. For instance, searching Google for "awesome security blog" and then clicking on http://asert.arbor.net/2006/08 does not send out very much unconstrained data to Google (a few words of search terms) or to Arbor Networks (just the URL of the page the user picked). Spyware, on the other hand, can be quite liberal in posting data to its servers. Not only does it send out larger volumes of data, but it also tends to communicate over the network at much more regular intervals than a person browsing the web (human web browsing typically occurs in short bursts separated by long idle periods). These characteristics allow an attentive observer to differentiate spyware activity from normal traffic without having to examine content for personal information, which may be encrypted or hidden inside benign-looking data.
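To make the two signals concrete (outbound bytes the client chose freely, and the regularity of request timing), here is an added example that is not part of the original post and is not Web Tap's own code. It runs a per-destination-host heuristic over a constructed log of outbound HTTP requests from one client: a burst of human browsing mixed with a beacon that POSTs a few kilobytes every 60 seconds. The hostnames, the sample records, and the thresholds (byte count, minimum request count, maximum coefficient of variation) are all assumptions chosen for this illustration, not tuned values.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# --- Constructed sample traffic (not captured data) -------------------------
# Each record: (seconds since capture start, method, url, POST body length).
HUMAN_BROWSING = [
    (0.0,    "GET", "http://www.google.com/search?q=awesome+security+blog", 0),
    (4.2,    "GET", "http://asert.arbor.net/2006/08", 0),
    (9.8,    "GET", "http://asert.arbor.net/2006/08/", 0),
    (10.1,   "GET", "http://asert.arbor.net/style.css", 0),
    (10.3,   "GET", "http://asert.arbor.net/logo.png", 0),
    (15.1,   "GET", "http://asert.arbor.net/2006/07", 0),
    (2100.0, "GET", "http://www.google.com/search?q=network+behavioral+monitoring", 0),
    (2103.5, "GET", "http://www.google.com/search?q=network+behavioral+monitoring&start=10", 0),
    (2110.0, "GET", "http://asert.arbor.net/2006/06", 0),
    (2111.2, "GET", "http://asert.arbor.net/feed", 0),
]

# A hypothetical beacon: ~3 KB POST every 60 s with a little jitter, 20 times.
# The .invalid TLD is reserved, so this hostname can never resolve.
JITTER = [0.0, 0.4, -0.3, 0.9, -0.6, 0.2, -0.8, 0.5, 0.1, -0.2] * 2
SPYWARE_BEACON = [
    (3.0 + 60.0 * i + JITTER[i], "POST",
     "http://collector.example-spyware.invalid/upload", 3000 + 40 * i)
    for i in range(20)
]

SAMPLE_REQUESTS = sorted(HUMAN_BROWSING + SPYWARE_BEACON, key=lambda r: r[0])


def unconstrained_bytes(method, url, body_len):
    """Bytes the client chose freely: the query string plus any POST body.
    The request line, Host header and path are dictated by the protocol and
    the site, so they are not counted."""
    return len(urlsplit(url).query) + body_len


def summarize_by_host(requests):
    """Per destination host: request count, unconstrained outbound bytes and
    the coefficient of variation (stdev / mean) of the gaps between requests.
    A low CV means regular, machine-like timing; a high CV means bursty,
    human-like timing.  CV is None when there are fewer than two gaps."""
    times = defaultdict(list)
    out_bytes = defaultdict(int)
    for ts, method, url, body_len in sorted(requests, key=lambda r: r[0]):
        host = urlsplit(url).hostname
        times[host].append(ts)
        out_bytes[host] += unconstrained_bytes(method, url, body_len)
    summary = {}
    for host, ts_list in times.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        cv = None
        if len(gaps) >= 2 and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)
        summary[host] = {"requests": len(ts_list),
                         "outbound_bytes": out_bytes[host],
                         "interval_cv": cv}
    return summary


def flag_hosts(summary, byte_threshold=20_000, min_requests=8, max_cv=0.1):
    """Return {host: [reasons]} for destinations that look like spyware drops.
    The regularity rule needs min_requests samples: over two or three
    requests almost any timing can look regular by chance.
    Thresholds are illustrative assumptions, not tuned values."""
    flagged = {}
    for host, s in summary.items():
        reasons = []
        if s["outbound_bytes"] > byte_threshold:
            reasons.append(f"{s['outbound_bytes']} unconstrained bytes out")
        if (s["requests"] >= min_requests and s["interval_cv"] is not None
                and s["interval_cv"] < max_cv):
            reasons.append(f"{s['requests']} requests at regular intervals "
                           f"(CV={s['interval_cv']:.3f})")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize_by_host(SAMPLE_REQUESTS)
    for host, stats in summary.items():
        print(host, stats)
    for host, reasons in flag_hosts(summary).items():
        print("FLAG", host, "; ".join(reasons))
```

Run stand-alone, only the beacon host is flagged, on both counts: tens of kilobytes of client-chosen data versus under a hundred bytes of search terms for Google and none for asert.arbor.net, and a CV near 0.01 versus CVs above 1 for the human hosts. Note that nothing here inspects request content, so the same two measurements are available when the payload is encrypted or encoded to look benign; what changes in practice is the need for a per-host baseline, since some legitimate clients (auto-refreshing pages, RSS readers) also poll on a schedule and would need whitelisting or a tighter byte rule.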

I’ve done some research at the University of Michigan to develop detection software that looks for spyware activity in outbound web traffic. Following the publication of this research, Dr. Atul Prakash and I filed for a patent based on the technology. We’ve been working on commercializing this spyware detection software, dubbed Web Tap. Check it out, and make sure to build up your defenses against the ever bothersome and thankfully-not-yet-but-probably-soon-to-be-polymorphic spyware roaming around on the Internet today.


One Response

Comment Post by: securegg.com — March 30th, 2007 @ 8:15 am EST

What Would Spyware Do?…

A question remains: how can you detect spyware by analyzing behavioral patterns in network traffic? To put it more bluntly: what would spyware do?…
