Skip to main content

Enhancements to Large-Scale Network Monitoring for Bot Detection

Researchers: Marcus DeShon

Research Area: Next Generation Secure and Available Networks


The threats faced by contemporary networks, particularly the government's, cannot be fully addressed by automated intrusion detection approaches. Signature-based instruction detection is necessarily focused on known attacks. Anomaly-based intrusion detection is designed for detecting the unusual, which may or may not correlate well with attack activity - the motivated attacker has a strong interest in subtlety.

Issues of scaleability and context that are merely annoying on smaller networks become acute as a network's size increases. Host and service inventories may be poor, outdated or non-existent. The routing infrastructure may be to some degree unknown or inaccessible to those responsible for its security. In working with network operators and in creating analysis techniques applicable to large networks, we recognize the need for a new generation of tools that will gather new types of data. For scaleability, it is important for any content data collected to be highly valuable, to offset the costs associated with the significant increase in data collection and storage.

For the purposes of this research, we will focus on the collection of data appropriate to the identification of malicious network agents, specifically bots. The new data would include some application layer data, which by itself is not necessarily malicious, but when analyzed along with network traffic summaries, would permit a skilled analyst to identify novel bot agents that do not trigger existing IDS signatures.