A statistical tool first used in 1966 and currently used in speech and gesture recognition may hold a key to sniffing out botnets - by predicting the likely “next move” of infected PCs and the healthy computers around them, according to Science Daily.
Researchers at PSG College of Technology, Coimbatore, India have developed a tool which can make “zombie” PCs stand out from the crowd, by analyzing their activity instantly - a process which is often “like trying to identify one goldfish in a giant fish tank,” according to Slashdot’s report.
The tool uses a hidden Markov model (the researchers' own description is of a hidden semi-Markov model, a variant which also models how long the system stays in each state), a statistical model which infers the state of a system that cannot be observed directly (here, whether a host is behaving normally or under a bot's control) from the sequence of things that can be observed, such as the packets it sends and receives. The researchers track the data packets coming in and out of PCs, use this to "forecast" how an infected PC might behave, and contrast this with the "normal" behavior of PCs in the same system. They liken the process to weather forecasting. Hidden Markov models are used extensively in speech recognition and gesture recognition today, but the statistical models were first described in the Sixties.
The researchers write that, "The team has applied the statistical logic of the hidden semi-Markov model to forecast the characteristics of internet activity on a given computer suspected of being a zombie computer in a botnet... These variables are the components used to control the flow of data packets in and out of the computer via the internet protocol. Their approach can model the "normal" behavior and then highlight botnet activity as being a deviation from the normal without the specific variables that are altered by the malware being in plain sight."
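As an added illustration of the idea in the two paragraphs above (added here; this is not the PSG College of Technology tool or its code): a two-state hidden Markov model of a host's "normal" outbound traffic, scored with the forward algorithm, with hosts whose average per-window log-likelihood falls below a threshold flagged as deviating from normal. The model parameters, the 10-second window, the symbol boundaries, the host names and the traffic samples are all hypothetical and constructed for the example; in a deployment the parameters would be estimated from known-clean hosts and the threshold set from their score distribution.

```python
import math

# Added illustration, not the PSG College of Technology tool. The parameters of
# this two-state HMM are hypothetical; in practice they would be estimated from
# traffic of known-clean hosts (e.g. with Baum-Welch), not set by hand.
STATES = ("idle", "active")
START = [0.6, 0.4]                  # P(first state) for idle, active
TRANS = [[0.8, 0.2],                # from idle:   to idle, to active
         [0.3, 0.7]]                # from active: to idle, to active
# Observation symbols quantise outbound packets per window (assumed 10 s):
#   0 = none, 1 = low (1-10), 2 = medium (11-50), 3 = high (>50)
EMIT = [[0.70, 0.25, 0.04, 0.01],   # P(symbol | idle)
        [0.05, 0.35, 0.45, 0.15]]   # P(symbol | active)


def quantise(packet_counts):
    """Map raw per-window packet counts onto the model's symbol alphabet."""
    symbols = []
    for n in packet_counts:
        if n <= 0:
            symbols.append(0)
        elif n <= 10:
            symbols.append(1)
        elif n <= 50:
            symbols.append(2)
        else:
            symbols.append(3)
    return symbols


def log_likelihood(obs):
    """log P(obs | model) via the forward algorithm with per-step scaling,
    so that long sequences do not underflow."""
    if not obs:
        raise ValueError("empty observation sequence")
    n_states = len(STATES)
    alpha = [START[s] * EMIT[s][obs[0]] for s in range(n_states)]
    logp = 0.0
    for t, sym in enumerate(obs):
        if t > 0:
            alpha = [sum(alpha[i] * TRANS[i][j] for i in range(n_states)) * EMIT[j][sym]
                     for j in range(n_states)]
        scale = sum(alpha)
        if scale == 0.0:
            return -math.inf            # sequence impossible under the model
        alpha = [a / scale for a in alpha]
        logp += math.log(scale)         # product of the scales equals P(obs)
    return logp


def per_symbol_score(obs):
    """Average log-likelihood per window, comparable across sequence lengths."""
    return log_likelihood(obs) / len(obs)


def scan_hosts(hosts, threshold=-1.25):
    """Score each host's window sequence and flag those below the threshold.
    The threshold is hypothetical: set it from the score distribution of
    known-clean hosts at the false-positive rate you can tolerate."""
    results = {}
    for name, counts in hosts.items():
        score = per_symbol_score(quantise(counts))
        results[name] = (score, score < threshold)
    return results


# Constructed sample: outbound packets per 10 s window for three hosts.
SAMPLE_HOSTS = {
    "ws-17 (normal browsing)":  [4, 23, 31, 7, 0, 0],
    "ws-42 (periodic beacon)":  [0, 0, 0, 64, 0, 0, 0, 71],
    "ws-58 (spam/flood burst)": [120, 95, 140, 110],
}

if __name__ == "__main__":
    for host, (score, flagged) in scan_hosts(SAMPLE_HOSTS).items():
        print(f"{host:26s} score={score:7.3f} {'ANOMALOUS' if flagged else 'ok'}")
```

Two caveats a practitioner would want. First, a plain HMM assumes geometric state durations, so it scores the beaconing host only on its unusual mix of idle windows and bursts, not on the regularity of the interval between bursts; the semi-Markov variant the researchers describe models durations explicitly, which is what makes fixed-interval C2 polling stand out. Second, the "normal" model must be learned from the same population it will later judge (a build server and a receptionist's workstation have very different baselines), or the deviations it flags will mostly be legitimate hosts with unusual jobs.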
The researchers write that while AV software can spot the malware which controls PCs in a botnet, cybercriminals are constantly adapting their techniques, and suggest that their tool may offer a way to "lock down" botnets and zombie PCs quickly.
The researchers point out that "malware developers have focused recently on web-based, http, type activity, which is easier to disguise among the myriad packets of data moving to and fro across a network and in and out of a particular computer," and say that their hidden Markov tool offers "a lightweight and real-time detection system can see through this disguise easily. If implemented widely such a system could lock down this kind of botnet very quickly and slow the assimilation of zombie computers by criminals and others with malicious intent."
Slashdot's report comments that identifying a small number of infected PCs among thousands can be difficult - and that this tool "may offer hope."
"Identifying calls between one zombie PC and the botnet that owns it, from inside a company with thousands of computer systems, is like trying to identify one goldfish among thousands in a giant fish tank: among thousands of others doing almost the same things, it’s hard to identify the one fish with evil on its mind," the report says, "But a half-century-old statistical analysis tool may offer more hope, by suggesting enough about the behavior of well-adjusted fish to make the behavior of the bad ones stand out."