Indian scientists develop software to catch computer botnets

It can also disable the malware

Press Trust of India Washington
Last Updated : Feb 05 2014 | 2:36 PM IST
Indian scientists have developed monitoring software that can detect the telltale signs of botnet activity on a computer and disable the malware.

A botnet, a network of malware-infected computers (so-called zombies) that allow a third party to take control of those machines, can be detected using a statistical tool first published in 1966, according to researchers from PSG College of Technology, Coimbatore.

In a study published in the International Journal of Electronic Security and Digital Forensics, researchers wrote that millions of computers across the globe are infected with malware, despite the best efforts of public awareness campaigns about phishing attacks and antivirus software.

Security and software companies do monitor internet activity and there have been successes in destroying such botnets but malware writers are always developing new tools and techniques that allow them to infect unprotected computers and rebuild botnets, researchers said.

Researcher R Anitha and colleagues at PSG College of Technology have turned to a statistical tool known as the hidden semi-Markov model (HsMM) to help them develop monitoring software to detect botnet activity on a computer.

In probability theory and statistics, a Markov process is one in which someone can predict the next state of a process based on its current state without knowing the full history of the process.

A hidden-Markov model would thus include variables of which the observer has no sight but can infer and so predict an outcome.

Predicting whether it rained on a given day from whether a fair-weather-only walker went out that day, without having a weather report for their area, involves a hidden-Markov process.

A hidden semi-Markov model then involves a process of this sort, but one where the time elapsed in the current state affects the prediction.

The team has applied the statistical logic of the hidden semi-Markov model to forecast the characteristics of internet activity on a given computer suspected of being a "zombie computer" in a botnet based on management information base (MIB) variables.

These variables are the components used to control the flow of data packets in and out of the computer via the internet protocol.

Their approach can model the "normal" behaviour and then highlight botnet activity as being a deviation from the normal without the specific variables that are altered by the malware being in plain sight.
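As an added illustration that is not the researchers' code, the sketch below scores a trace of binned MIB counter deltas against a small explicit-duration (hidden semi-Markov) model of "normal" host behaviour and flags a window whose likelihood under that model is low. Every model parameter, the choice of the ipOutRequests counter, the L/M/H bins, the threshold and both traces are constructed assumptions.

```python
import math
# Hypothetical "normal" model for one host. Observations are per-interval
# deltas of an outbound MIB counter (e.g. ipOutRequests) binned as L/M/H.
STATES = ("idle", "active")
MAX_DUR = 4                                  # longest segment the model allows
PI = {"idle": 0.8, "active": 0.2}            # state the trace starts in
# Semi-Markov: the state only changes when a segment ends (no self-loops).
TRANS = {"idle": {"idle": 0.0, "active": 1.0},
         "active": {"idle": 1.0, "active": 0.0}}
# Duration pmfs P_j(d) for d = 1..MAX_DUR: this is what a plain HMM lacks.
DUR = {"idle": [0.1, 0.3, 0.3, 0.3], "active": [0.3, 0.4, 0.2, 0.1]}
# Emission pmfs B_j(o)
EMIT = {"idle": {"L": 0.85, "M": 0.13, "H": 0.02},
        "active": {"L": 0.10, "M": 0.50, "H": 0.40}}

def hsmm_likelihood(obs):
    """P(obs | model) via the explicit-duration forward recursion:
    alpha[t][j] = P(o_1..o_t, a segment in state j ends at t).
    Assumes the last segment ends exactly at the final observation."""
    T = len(obs)
    alpha = [{j: 0.0 for j in STATES} for _ in range(T + 1)]
    for t in range(1, T + 1):
        for j in STATES:
            total = 0.0
            for d in range(1, min(MAX_DUR, t) + 1):
                seg = DUR[j][d - 1]
                for o in obs[t - d:t]:       # emissions inside the segment
                    seg *= EMIT[j][o]
                if t - d == 0:               # segment opens the trace
                    total += PI[j] * seg
                else:                        # entered from a segment ending at t-d
                    total += seg * sum(alpha[t - d][i] * TRANS[i][j] for i in STATES)
            alpha[t][j] = total
    return sum(alpha[T].values())

def score(obs):
    """Average log-likelihood per interval; lower means less like 'normal'."""
    return math.log(hsmm_likelihood(obs)) / len(obs)

def is_anomalous(obs, threshold=-1.5):
    """Placeholder threshold; in practice it is calibrated on clean traces."""
    return score(obs) < threshold

# Constructed traces: normal bursty use vs. a host that never stops sending.
NORMAL = ["L", "L", "L", "M", "H", "M", "L", "L", "M", "M", "L", "L"]
SUSPECT = ["H"] * 12

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, round(score(trace), 3), is_anomalous(trace))
```

The sustained burst is not explained well by any sequence of bounded-duration "active" segments, so its per-interval likelihood falls far below that of the bursty-but-normal trace.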

Tests on a small zombie computer network show that the hidden semi-Markov model the researchers developed as a lightweight, real-time detection system can see through this disguise easily.

If implemented widely such a system could lock down this kind of botnet very quickly and slow the assimilation of zombie computers by criminals and others with malicious intent, researchers said.

First Published: Feb 05 2014 | 1:38 PM IST
