> Botnet detection is a very hot topic. But it is very difficult to get hold of any network traces for experimentation.
> Recently Gu has done the first thesis on Botnet at Georgia Tech.
Yes, botnets have certainly become a lot more interesting than a lot of the flash worms and the like we were seeing five years ago. A lot of this is because they avoid detection so that they can keep on doing their thing. Furthermore, a lot of them act more like trojans than exploit code (relying on some user interaction), making signature generation for them more difficult. Incidentally, Gu just started at Texas A&M -- great guy, really sharp.
My interest is still in network based intrusion detection, and the biggest problem in this arena is the lack of good datasets to test from. Furthering this problem is that static datasets are no longer sufficient for testing, given the rate at which network traffic changes and how diverse different network segments are. A really useful research project to this end would be a framework for generating test datasets which could be tuned to generate different traffic profiles for different environments. The trick to that is verifying that the traffic the framework is generating is close enough to real traffic to be useful: that's the topic of my current research, and I'd be happy to talk to anyone on that topic at length.
Beyond that, I think an analysis of existing network traffic would be useful. There is a great deal of debate regarding things such as how much network traffic is malicious in nature? How much is benign, but anomalous? How much malicious traffic is actually anomalous? There are a number of studies of sources of anomalous network traffic: RFC 2525 is a good start, Floyd and Paxson "Difficulties in modeling the Internet" and Bellovin's "Packets found on an internet" are others. Most of these sources are getting somewhat dated, however, so you might want to consider them guides in defining what is anomalous. A study that could look at different network segments and attempt to identify how much traffic was obviously benign (very difficult), obviously malicious (signature of known malcode, but be careful: maybe it's a legitimate vulnerability assessment!), and the many shades of gray in between. The question of what correlation this has to the "anomalousness" of a stream is prompted by Gates and Taylor, "Challenging the Anomaly Detection Paradigm: A provocative discussion", which raises other questions highly worthy of research.
Hope this helps!
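The reply above raises the question of how to verify that a synthetic test dataset is "close enough" to real traffic. The following is an added example, not code from the poster or from any project mentioned in the thread: it compares a reference sample of flow records against a generated sample feature by feature using the two-sample Kolmogorov-Smirnov distance (the largest gap between the two empirical CDFs). The Flow record layout, the feature set, the threshold and both samples are assumptions constructed for the demonstration; the KS statistic is a standard choice here, not the technique the poster describes.

```python
"""Added example: does a synthetic traffic sample resemble a reference capture?
Compares feature distributions with the two-sample Kolmogorov-Smirnov distance.
All flow records below are constructed for illustration."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    """Minimal per-flow summary, like a NetFlow/IPFIX export (assumed layout)."""
    duration_s: float
    bytes_total: int
    packets: int
    dst_port: int


# Features compared between the two samples; each maps a Flow to one number.
FEATURES = {
    "duration_s": lambda f: f.duration_s,
    "bytes_total": lambda f: f.bytes_total,
    "bytes_per_packet": lambda f: f.bytes_total / max(f.packets, 1),
    "dst_port": lambda f: f.dst_port,
}


def ks_distance(sample_a, sample_b):
    """Two-sample KS statistic: max |F_a(x) - F_b(x)| over the pooled values.
    Returns a value in [0, 1]; 0 means identical empirical distributions."""
    if not sample_a or not sample_b:
        raise ValueError("both samples must be non-empty")
    a, b = sorted(sample_a), sorted(sample_b)
    na, nb = len(a), len(b)
    i = j = 0
    d = 0.0
    while i < na and j < nb:
        x = a[i] if a[i] <= b[j] else b[j]
        # Advance each ECDF past every value <= x, then measure the gap at x.
        while i < na and a[i] <= x:
            i += 1
        while j < nb and b[j] <= x:
            j += 1
        d = max(d, abs(i / na - j / nb))
    return d


def feature_distances(reference, synthetic):
    """KS distance per feature between a reference and a synthetic sample."""
    return {
        name: ks_distance([fn(f) for f in reference], [fn(f) for f in synthetic])
        for name, fn in FEATURES.items()
    }


def mismatched_features(reference, synthetic, threshold=0.15):
    """Names of features whose distributions differ by more than `threshold`.
    The threshold is an assumed tuning knob, not a standard value."""
    dist = feature_distances(reference, synthetic)
    return sorted(name for name, d in dist.items() if d > threshold)


def make_flows(rng, n, mean_duration, max_bytes_per_packet, ports):
    """Constructed flows drawn from simple distributions (demo data only)."""
    flows = []
    for _ in range(n):
        packets = rng.randint(1, 40)
        flows.append(Flow(
            duration_s=rng.expovariate(1.0 / mean_duration),
            bytes_total=packets * rng.randint(40, max_bytes_per_packet),
            packets=packets,
            dst_port=rng.choice(ports),
        ))
    return flows


if __name__ == "__main__":
    rng = random.Random(7)
    reference = make_flows(rng, 500, 2.0, 600, [80, 443, 53, 22])
    # Same generator settings: should look like the reference.
    same_profile = make_flows(rng, 500, 2.0, 600, [80, 443, 53, 22])
    # Shorter flows, larger packets, different port mix: should be flagged.
    skewed = make_flows(rng, 500, 0.2, 1400, [8080, 443])
    for label, sample in (("same profile", same_profile), ("skewed", skewed)):
        dist = {k: round(v, 3) for k, v in feature_distances(reference, sample).items()}
        print(label, dist, "mismatched:", mismatched_features(reference, sample))
```

The per-feature report is more useful than a single yes/no answer: a generator may reproduce packet sizes well while getting flow durations or the port mix wrong, and that is exactly what a detector under test will notice. On real data, compare each network segment against its own reference capture rather than against one global profile.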