Showing posts from February, 2008

Cooperating Detectors

A malware detector tries to determine whether a program is malicious (examples of malicious programs are drive-by-downloads, botnets, and keyloggers). Malware detection is primarily performed at two vantage points: host and network. This post explains why cooperation between host-based and network-based detectors is a good thing. Traditionally, detection has been performed either at the network or host level, but not both. First, let me examine both approaches separately. A network-based detector monitors events by examining a session or network flow and tries to determine whether it is malicious. The advantage of a network-based detector is ease of deployment -- there are not that many points of deployment for a network-based detector (typically they are deployed behind border routers). Unfortunately, network-based detectors have a limited view of each network session. In fact, if a session happens to be encrypted such as is common with VPNs, Skype, and some bots, a network-based de...