ISU Electrical and Computer Engineering Archives

Encrypted Mal-ware Detection

Ramkumar, Bhuvaneswari (2008) Encrypted Mal-ware Detection. Masters thesis, Iowa State University.



Mal-ware such as viruses and worms is evolving continuously, becoming a potential threat to our critical resources and networks. Existing schemes that address these issues either assume that the malicious entity is available in its plain-text format, where it can be detected directly with its signature, or that its execution pattern is easily recognizable. Hence much of the development in this area has focused on generating more efficient signatures or on improved anomaly-based detection methods and pattern-matching rules. However, with "secure data" being the watch-word and several advanced encryption schemes being developed to obfuscate data and protect its privacy, encrypted mal-ware is very much a clear and present threat. While securing resources from encrypted threats is the need of the hour, protecting the privacy of encrypted data transfer is equally critical. In this work we discuss encrypted mal-ware detection and propose an efficient packet-level scheme that does not compromise the privacy of data but at the same time helps detect the presence of hidden mal-ware in it. We also propose a new grammar with a generalized notation for all kinds of malicious signatures. This notation is inclusive even of polymorphic and metamorphic threats, which do not have a straightforward one-to-one mapping between the signature and the threat entity. In a typical system model consisting of several co-operating hosts, which could be unintentional senders of encrypted malicious traffic, a centralized network monitor functions as the mal-ware detection entity. We show that, for a very small processing overhead and almost negligible memory requirements, a very high specificity is achieved even for advanced multi-keyword polymorphic signatures.

EPrint Type: Thesis (Masters)
Subjects: Computer Engineering > INFORMATION SYSTEMS SECURITY & NETWORKING > Computer Networking and Security
ID Code: 432
Identification Number: UNSPECIFIED
Deposited On: 08 July 2008
