Richard Ford, Gerald Marin, William Allen, Jason Michalske, Florida Institute of Technology
Based upon the growing threat of spyware and more general network-based threats to user privacy, there is increased interest in the role of long-term traffic analysis for the behavioural detection of hostile programs. Furthermore, as computers increasingly become the focus of financially-motivated crime, the emphasis on acquiring and keeping compromised machines is likely to grow - leading to more frequent updates of trojans and bots on host machines and placing increased stress on anti-virus researchers.
At an individual packet level it is often difficult to determine if a stream is indicative of infection/subversion of a protected host. However, cumulative evidence that a host has become infected is generally very clear if traffic is captured and analysed over a period of time. Similarly, it is difficult to tell simply by examining the network traffic if a host has a piece of spyware installed upon it; rather, traffic must be viewed in the context of user behaviour.
In this paper, we outline an approach to behavioural virus suppression systems that incorporates a strong emphasis on network traffic analysis. In particular, we focus on a practical system to detect network-aware worms, spyware and adware by examining deviations in normal aggregate traffic patterns in conjunction with software input. A demo of our technology will be given, and implications for further research described. In addition, we explore the current methodology for spyware removal, and its fundamental limitations in dealing with the overall problem.
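As an added illustration of the two points made above (that a single flow rarely proves infection, while the aggregate pattern over several time windows usually does), the following Python example builds a per-host baseline of outbound fan-out from the first few windows and flags later windows that deviate from it. This is example code written for this page, not the authors' system: the flow records, host names, window width and thresholds are all constructed here, and the hypothetical "h1" host's burst of one-off SMB-port connections is the kind of aggregate pattern such a system would look for.

```python
"""Aggregate-traffic deviation detector (illustrative example, not the paper's system).

Each constructed flow record is (timestamp_seconds, src_host, dst_host, dst_port).
Individually every record is an ordinary TCP connection; only the per-window
aggregate (how many distinct destinations a host fans out to) reveals the change.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical destination names used only to build the sample data.
WEB_HOSTS = ["www.example.org", "mail.example.org", "cdn.example.net",
             "update.example.com", "api.example.org"]


def build_sample_flows():
    """Constructed sample: host h1 browses normally for four 60-second windows,
    then in windows 4 and 5 contacts 40 distinct internal addresses on port 445
    (worm-like fan-out). Host h2 stays quiet throughout and must not be flagged."""
    flows = []
    distinct_per_window = [3, 4, 3, 5]          # small natural variation in the baseline
    for w, n_dst in enumerate(distinct_per_window):
        for i in range(6):
            flows.append((w * 60 + i * 9, "h1", WEB_HOSTS[i % n_dst], 443))
    for w in (4, 5):
        for i in range(40):
            flows.append((w * 60 + i, "h1", f"10.0.{w}.{i}", 445))  # constructed addresses
    for w in range(6):
        for i in range(5):
            flows.append((w * 60 + i * 11, "h2", WEB_HOSTS[i % 3], 443))
    return flows


def aggregate_windows(flows, window_seconds=60):
    """Return {host: {window_index: (flow_count, distinct_destinations)}}.

    A destination is a (dst_host, dst_port) pair, so repeated connections to the
    same service do not inflate the fan-out figure."""
    counts = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, port in flows:
        w = ts // window_seconds
        counts[src][w] += 1
        dests[src][w].add((dst, port))
    return {host: {w: (counts[host][w], len(dests[host][w]))
                   for w in sorted(counts[host])}
            for host in counts}


def detect_deviations(aggregated, baseline_windows=4, min_sigma=3.0, min_ratio=3.0):
    """Flag (host, window, distinct_dests, flow_count) where a host's fan-out in a
    window exceeds both mean + min_sigma * stdev of its baseline and min_ratio
    times the baseline mean. The ratio guard stops a near-zero-variance baseline
    from turning every small fluctuation into an alert."""
    alerts = []
    for host, windows in aggregated.items():
        ordered = sorted(windows)
        baseline = [windows[w][1] for w in ordered[:baseline_windows]]
        if len(baseline) < 2:            # not enough history to judge deviation
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        for w in ordered[baseline_windows:]:
            flow_count, distinct = windows[w]
            if distinct > mu + min_sigma * sigma and distinct > min_ratio * mu:
                alerts.append((host, w, distinct, flow_count))
    return alerts


if __name__ == "__main__":
    agg = aggregate_windows(build_sample_flows())
    for host, w, distinct, n in detect_deviations(agg):
        print(f"{host}: window {w} fanned out to {distinct} destinations in {n} flows")
```

Run stand-alone, the script reports only h1's windows 4 and 5; h2 and h1's first four windows stay below threshold. A real deployment would of course need a longer baseline, per-port or per-protocol breakdowns, and the user-context input the paper argues for, but the shape of the check (baseline, then deviation) is the same.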