Infection Detection System

Regardless of how malware enters your network (through innocent web surfing, email attachments, direct exploit, or by attaching your laptop to the wrong wireless network), once a machine within your perimeter is compromised your whole network is under threat. Infection Detection helps you quickly identify and isolate these infected machines, and helps you figure out who really owns your computers.

What is Infection Detection?

Infection Detection Sensor is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool. These tools generally don't work in helping you rid your network of malware infections. Rather, Infection Detection takes a different approach. It is an entirely new network defense algorithm designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spam bots, spyware, Trojan exfiltrators, worms, adware).

 

InfectionDetectionSystem

 

Infection Detection Sensor monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. Infection Detection employs Snort as a dialog event generation engine, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where Infection Detection maps each host's dialog production patterns against an abstract malware infection lifecycle model. When enough evidence is acquired to declare a host infected, Infection Detection produces an infection profile to summarize all evidence it has gathered regarding the infection. In short, Infection Detection helps you rapidly identify infected machines inside your network that are clearly and helplessly under the control of external malicious hackers.

Conceptual Overview

Distinguishing a successful malware infection from the vantage point of the network egress position requires a command of the two-way dialog flow that occurs between a network's internal hosts and the Internet. While many malware infections start with an initial external-to-internal infection, malware may use a wide range of options to infect a host, including indirect host infections through email, direct exploit-based infection, or drive-by infections that are launched from malicious network servers. Furthermore, with the growth in popularity and capability of mobile laptops, direct infection of an internal asset need not necessarily take place behind a well-administered network. Malware may inject itself into a host opportunistically from any Internet access point the hosts happens to associate, or may be executed voluntarily by a victim who inadvertently accesses a Trojan binary, multimedia file, or other infected transmission source. Regardless of how malware enters a host, once established inside the network perimeter the challenge remains to identify the infected machine and remove it from service as quickly as possible.

Capturing the full scope of a malware infection requires an ability to follow a dialog that can span several participants, including the victim host, the infection agent, the source of binary updates, the command and control server, and eventually the propagation targets of the newly infected victim. Traditional network intrusion detection systems (IDSs) typically focus on inward packet flows for signs of malicious point-to-point intrusion attempts. IDSs have the capacity to detect initial incoming intrusion attempts, and the prolific frequency with which they produce such alarms in operational networks is well documented. However, being able to distinguish a successful local host infection from the daily myriad of scans and intrusion attempts is as critical a task as any facet of network defense.