Leveraging Data Mining to Improve Internet Security

The rich functionality of modern personal computers combined with ineffective deployment of practical security solutions opens the door to a wide variety of attacks and exploits on their applications. This in turn has led to an extremely widespread propagation of malware, or software designed to perform hostile activities without the owner’s consent. An increasingly common phenomenon is for malware to be remotely controlled over the PC’s Internet connection to form a botnet. Commoditization of botnets are used for credit card fraud, identity theft, spamming, phishing, and other attacks. Securing cyberspace, along with blocking attacks by botnets, was recently listed as one of fourteen “grand challenges” issued by the National Academy of Engineering [1]. Dealing with botnets presents a wide variety of challenges. The owner of a bot-infected machine often has no way to know their machine is infected by a bot. Even if they had some way to find out, they may lack the technical expertise required to separate and remove the bot’s code from their operating system and application software. In-network solutions for monitoring and curtailing bot behavior address this problem by observing trends across many bot-infected hosts, and allowing network operators direct control in shutting off or rate limiting bot-related traffic. However, since the amount of traffic flowing through networks is extremely large, they face scaling challenges in large networks. Moreover, given the rapid pace of change in deployed botnet code, isolating signatures of bots in the network represents a significant challenge, often requiring highly processing intensive techniques that worsen scaling problems further. In this paper, we plan to pursue two main avenues of research to counteract this threat: