NoBot: Embedded malware detection for endpoint devices
Published in: | Bell Labs technical journal 2011-06, Vol.16 (1), p.155-170 |
---|---|
Format: | Article |
Language: | English |
Summary: | NoBot is a novel malware detection system that employs packet classification and distinct counting techniques to achieve reliable detection and identification of malware by observing the traffic to and from a network-connected host. The solution is designed to be economically incorporated into endpoint devices, such as Ethernet switches, Gigabit passive optical network (GPON) devices, and digital subscriber line access multiplexers (DSLAMs) leveraging the integral features of the hosting device, such as packet classification, packet counting, packet-forwarding features, and the computing resources of the control processor. NoBot combines these features with deep packet inspection and distinct counting to detect the presence of malware with a low rate of false positive detections. The NoBot software has been incorporated into a Linux device driver, installed into an Android-based smart phone, and implemented as a preprocessor module for the open source Snort Intrusion detection and prevention System (IDS/IPS). |
ISSN: | 1089-7089, 1538-7305 |
DOI: | 10.1002/bltj.20492 |