Intrusion detection system (IDS) development has been largely reactionary in nature. This is especially troubling given that botnets are capable of compromising and controlling thousands of computers before security professionals develop a mitigation technique. As new exploits are created, new mitigation techniques are developed to detect infections and, where possible, remove them. This thesis breaks from this tradition of reacting to malware. Instead, it looks at possible malicious software models by analyzing existing defense systems for exploitable weaknesses. First, this thesis presents a new specialized botnet that circumvents current network intrusion detection mechanisms. The proposed botnet coordinates external communication among bots located within the same switched network. This model is designed to prevent a perimeter-based IDS from adequately correlating external communication for a given internal host. The idea is to localize botnet communication, thus enabling a portion of the compromised systems to hide from existing detection techniques without a significant increase in network monitoring points, an increase that currently has not been effectively addressed. Second, this thesis presents a prototype of an IDS that addresses the aforementioned weakness in current IDSs. The proposed method augments existing IDSs in order to efficiently detect this new botnet specialization, or "sub-botnet". The method adds lightweight monitoring points within the switched network. These points relay the necessary information back to a centralized perimeter-based IDS instance for bot detection. The IDS is also able to effectively relay signature information to the additional monitoring points for analysis.
| Field | Value |
| --- | --- |
| Identifier | oai:union.ndltd.org:UTAHS/oai:digitalcommons.usu.edu:etd-1496 |
| Date | 01 December 2009 |
| Creators | Shirley, Brandon Lyle |
| Publisher | DigitalCommons@USU |
| Source Sets | Utah State University |
| Detected Language | English |
| Type | text |
| Format | application/pdf |
| Source | All Graduate Theses and Dissertations |
| Rights | Copyright for this work is held by the author. Transmission or reproduction of materials protected by copyright beyond that allowed by fair use requires the written permission of the copyright owners. Works not in the public domain cannot be commercially exploited without permission of the copyright owner. Responsibility for any use rests exclusively with the user. For more information contact Andrew Wesolek (andrew.wesolek@usu.edu). |