
Stop the botnets!

This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially.
Written by Roland Piquepaille


Network topology used to stop botnets

The figure above describes the experimental setup which was used to detect network intrusions. "The design goal was a network with a range of propagation delays and with sufficient link capacity so that congestion would only potentially become an issue at the single bottleneck (node A) when background traffic was introduced." (Credit: UW-Madison)

This technology was developed by Paul Barford, an assistant professor in the Department of Computer Sciences of UW-Madison. "In June 2007, Barford and some of his colleagues opened a spinoff company called Nemean Networks, LLC. The company is developing a new approach to detecting network intrusions that offers a significant improvement over the current state of the art. Nemean is based on four distinct patents."

Another UW-Madison news release, dated November 5, 2007, gives us the origin of the company name -- which, unless I'm mistaken, has no presence on the Internet today. "Nemean is named after the first of Hercules' 12 labors, in which Hercules must kill the Nemean lion whose coat was impenetrable by weapons. It's an apt metaphor for the technology, which seeks to hunt down a slight vulnerability in malicious traffic: the unique 'signature' such traffic generates."

Now, let's read some quotes from Paul Barford about botnets. "Some of the most worrisome threats today are things called 'botnets' -- computers that are taken over by an outside party and are beyond the user's control. [...] They can do all sorts of nasty things: steal passwords, credit card numbers and personal information, and use the infected machine to forward spam and attack other machines. [...] Botnets represent a convergence of all of the other threats that have existed for some time."

But how is his detection system better than current ones? "Most network-intrusion systems today are comparing traffic against a database, collected by hand, of previously recognized attack signatures. The innovation with Nemean is a method to automatically generate intrusion signatures, making the detection process faster and more precise. The Achilles' heel of current commercial technology is the number of false positives they generate, Barford says. Hackers have become so adept at disguising malicious traffic to look benign that security systems now generate literally thousands of false positives, which Nemean virtually eliminates."

And how does his system compare to existing ones? "In a test comparing Nemean against a current technology on the market, both had a high detection rate of malicious signatures -- 99.9 percent for Nemean and 99.7 for the comparison technology. However, Nemean had zero false positives, compared to 88,000 generated by the other technology."
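The two quotes above make two points: a signature matcher is only as good as its signatures, and a system is judged by its detection rate together with its false-positive count on labeled traffic. The following Python script is an added illustration of both, written for this post; it is not Nemean's code and does not reproduce Nemean's patented method. It uses a toy generation rule (keep the tokens shared by every bot payload and absent from every benign payload), constructed sample flows, and a placeholder `X-Bot-Id` header standing in for whatever invariant a real bot check-in would carry. It then scores a hand-picked signature against the derived one the way the comparison in the quote is scored.

```python
import re

# Constructed sample traffic, not real captures: (payload, is_bot).
# The "X-Bot-Id" header is a placeholder invariant assumed for this example.
SAMPLE_FLOWS = [
    ("GET /update.php?id=7 HTTP/1.0\r\nHost: example.test\r\nUser-Agent: Mozilla/4.0\r\n\r\n", False),
    ("GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n", False),
    ("POST /login HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\nuser=alice", False),
    ("GET /update.php?id=9 HTTP/1.0\r\nHost: example.test\r\nUser-Agent: Mozilla/4.0\r\n\r\n", False),
    ("GET /update.php?id=7 HTTP/1.0\r\nHost: example.test\r\nUser-Agent: Mozilla/4.0\r\nX-Bot-Id: 1001\r\n\r\n", True),
    ("GET /update.php?id=8 HTTP/1.0\r\nHost: example.test\r\nUser-Agent: Mozilla/4.0\r\nX-Bot-Id: 1002\r\n\r\n", True),
    ("GET /update.php?id=9 HTTP/1.0\r\nHost: example.test\r\nUser-Agent: Mozilla/4.0\r\nX-Bot-Id: 1003\r\n\r\n", True),
]

# A signature collected "by hand" from one observed bot request: the analyst
# noticed the path and wrote it down.  It is a single substring.
HAND_SIGNATURE = ["/update.php"]


def tokenize(payload):
    """Split a payload into whitespace-delimited tokens (a toy tokenizer)."""
    return {tok for tok in re.split(r"\s+", payload) if tok}


def derive_signature(flows):
    """Toy automatic signature generation.

    Keep every token that appears in all bot payloads and in no benign
    payload.  The result is a conjunction: a payload matches only if it
    contains every listed token.  Tokens that vary per bot (the id values)
    are dropped by the intersection; tokens also seen in benign traffic
    (the path, the User-Agent) are dropped by the subtraction.
    """
    bot_tokens = [tokenize(p) for p, is_bot in flows if is_bot]
    benign_tokens = set().union(*(tokenize(p) for p, is_bot in flows if not is_bot))
    if not bot_tokens:
        return []
    common = set.intersection(*bot_tokens)
    return sorted(common - benign_tokens)


def matches(signature, payload):
    """A payload matches when every token of the signature occurs in it.

    An empty signature matches nothing rather than everything, so a failed
    derivation cannot silently turn into a match-all rule.
    """
    if not signature:
        return False
    return all(tok in payload for tok in signature)


def evaluate(signature, flows):
    """Return (detection_rate, false_positives) over labeled flows.

    detection_rate is the fraction of bot payloads the signature matches;
    false_positives is the count of benign payloads it also matches.
    """
    bots = [p for p, is_bot in flows if is_bot]
    benign = [p for p, is_bot in flows if not is_bot]
    detected = sum(1 for p in bots if matches(signature, p))
    false_positives = sum(1 for p in benign if matches(signature, p))
    return detected / len(bots), false_positives


if __name__ == "__main__":
    derived = derive_signature(SAMPLE_FLOWS)
    print("hand-written signature:", HAND_SIGNATURE, evaluate(HAND_SIGNATURE, SAMPLE_FLOWS))
    print("derived signature:     ", derived, evaluate(derived, SAMPLE_FLOWS))
```

On this constructed data both signatures reach a 100% detection rate, but the hand-written one also fires on the two benign update requests while the derived one fires on none of them: the same shape of result as the 99.9%-versus-99.7% comparison, where the difference that matters is the false-positive column. The toy rule is fragile in ways a real generator must handle (a single benign sample containing the invariant token empties the signature), which is one reason signature generation is a research problem and not a one-liner.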

So Barford thinks he's onto something big. "'The technology we're developing here really has the potential to transform the face of network security,' says Barford, whose research is supported by the National Science Foundation, the Army Research Office and the Department of Homeland Security. 'Our objective is to build this company into a world leader in network security solutions.'"

For more information, you can read a technical paper presented at the USENIX First Workshop on Hot Topics in Understanding Botnets (HotBots I, April 2007), "Toward Botnet Mesocosms" (PDF format, 10 pages, 119 KB), from which the above figure has been extracted.

Here is the beginning of the abstract. "An in-depth understanding of botnet behavior is a precursor to building effective defenses against this serious and growing threat. In this paper we describe our initial steps toward building a flexible and scalable laboratory testbed for experiments with bots and botnets. Our Botnet Evaluation Environment (BEE) is designed to enable individual bots or networks of up to thousands of bots to be tested in a secure, self-contained framework. BEE is being developed as a toolkit for Emulab-enabled network testbeds; a design choice made to obviate the need for building user/experiment management functions and to enable access to collections of computing hosts."

Sources: Brian Mattmiller, University of Wisconsin-Madison news release, October 31, 2007; and various websites
