AppSec Europe 2014

Traditional techniques for detecting malware, such as viruses, worms and rootkits, rely on identifying virus-specific signature definitions within network traffic, applications or memory. Because a sample of malware is required to define an attack signature, signature detection has drawbacks when accounting for morphism, has limited use in Zero-Day protection and is a post-infection technique requiring malware to be present on a network, or device, in order to be detected. 

Botnets are ideally suited for launching mass Distributed Denial of Services (DDoS) attacks against the ever increasing number of networked devices that are starting to form the Internet of Things, and ultimately Smart Cities. Regardless of topology; centralised with Command & Control servers (C&C), or distributed peer-to-peer (P2P), Bots must communicate with the other Bots in the Botnet, as well as their overall commanding Botmaster. This communication traffic can be used to detect malware activity in the cloud well before it has been able to evade network perimeter defences, and to determine a route back to source to take down the threat. 

This presentation highlights the main drawbacks of traditional signature based detection methods. It discusses the alternative techniques of cloud based traffic analysis for pre-infection detection of malware, in particular Botnets, which can be performed on Big Data being generated by Service Providers, and demonstrates how cloud centric traffic based detection techniques can be used to complement traditional signature based anti-malware and overcome some of its drawbacks. 

Finally, this presentation identifies a lack of techniques for detecting malicious Bot activity within virtual environments, which now form the backbone of data centre infrastructure, and provide a new, as of yet untapped, attack vector for future malware. This identification of a lack of techniques works as a pre-cursor to my PhD research which is to detect malware behaviour within virtual environments.