Portland State University. Department of Computer Science
Malware (Computer software) -- Prevention, Algorithms, Computer networks -- Security measures
We present an algorithm for detecting IRC-like chat networks that does not rely on Layer 7 payload information. The goal is to extract only those meshes from conventional flows where long-term periodic data is being exchanged between an external server and multiple internal clients. Flow data is passed through a series of filters that reduce the memory requirements needed for final candidate mesh sorting. Final outputs consist of two sorted lists: the fanout list, sorted by the number of client hosts in the mesh, and a secondary list called the evil sort. The latter consists of meshes containing any host with a high TCP work weight, indicating significant counts of scanning hosts. We are currently able to discover SSL-encoded IRC meshes as well as other chat-like meshes, including MSN chat. Therefore we believe that the new algorithm will prove useful in detecting botnet meshes encrypted at Layer 7.
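The following is an added illustration of the flow-only approach the abstract describes; it is not the authors' code and does not reproduce their filter pipeline. It takes constructed flow records (no payload), keeps only internal-client to external-server flows, drops client/server pairs that are not seen across several time bins (the "long-term periodic" filter), and groups the survivors into meshes keyed by server address and port. The fanout list sorts meshes by client count; the evil sort keeps meshes that contain a host with a high TCP work weight. The work weight is assumed here to be (SYN + FIN + RST) / total TCP packets per source host, following Binkley's earlier anomaly-detection work, and the bin count, client count and 0.5 threshold are arbitrary assumptions chosen for the sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space; anything else is treated as external.
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    """One unidirectional TCP flow summary (constructed, payload-free)."""
    tbin: int   # time bin index, e.g. one bin per 30-second epoch
    src: str
    dst: str
    dport: int
    pkts: int   # total TCP packets in the flow
    syn: int    # control-packet counts used by the work weight
    fin: int
    rst: int


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def work_weights(flows):
    """Per-source-host TCP work weight, assumed ww = (S + F + R) / T.
    Scanners emit many SYNs with few data packets, so their ww tends to 1."""
    acc = defaultdict(lambda: [0, 0])
    for f in flows:
        acc[f.src][0] += f.syn + f.fin + f.rst
        acc[f.src][1] += f.pkts
    return {h: (c / t if t else 0.0) for h, (c, t) in acc.items()}


def find_meshes(flows, min_bins=3, min_clients=2):
    """Filter 1: keep internal -> external flows only.
    Filter 2: per (server, port, client) count distinct time bins and keep
    pairs active in at least min_bins bins (long-term periodic traffic).
    Filter 3: a server/port is a mesh only if >= min_clients clients remain."""
    bins = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            bins[(f.dst, f.dport, f.src)].add(f.tbin)
    clients = defaultdict(set)
    for (srv, port, cli), seen in bins.items():
        if len(seen) >= min_bins:
            clients[(srv, port)].add(cli)
    return {k: v for k, v in clients.items() if len(v) >= min_clients}


def fanout_sort(meshes):
    """Meshes ordered by number of internal clients, largest first."""
    return sorted(meshes.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def evil_sort(meshes, ww, threshold=0.5):
    """Meshes containing at least one host whose work weight is suspicious,
    ordered by the worst host in each mesh."""
    out = []
    for key, clis in meshes.items():
        worst = max(ww.get(c, 0.0) for c in clis)
        if worst >= threshold:
            out.append((key, worst))
    return sorted(out, key=lambda kv: -kv[1])


def sample_flows():
    """Constructed sample: two chat-like meshes, one scanning client,
    one one-off connection, one inbound flow that must be ignored."""
    flows = []
    # Mesh A: three clients talk to 198.51.100.10:6697 in six consecutive bins.
    for cli in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        for b in range(6):
            flows.append(Flow(b, cli, "198.51.100.10", 6697, 20, 1, 1, 0))
    # Mesh B: two clients talk to 203.0.113.5:443 in five bins.
    for cli in ("10.0.0.4", "10.0.0.5"):
        for b in range(5):
            flows.append(Flow(b, cli, "203.0.113.5", 443, 20, 1, 1, 0))
    # 10.0.0.3 also sweeps 200 external hosts: one SYN each, never repeated.
    for i in range(200):
        flows.append(Flow(i % 6, "10.0.0.3", f"192.0.2.{i + 1}", 445, 1, 1, 0, 0))
    # One-off connection to the IRC server: seen in a single bin, filtered out.
    flows.append(Flow(2, "10.0.0.6", "198.51.100.10", 6697, 20, 1, 1, 0))
    # Inbound external -> internal flow: not a client-to-server flow, ignored.
    flows.append(Flow(0, "198.51.100.10", "10.0.0.1", 51000, 20, 0, 0, 0))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    meshes = find_meshes(flows)
    print("fanout list:", [(k, len(v)) for k, v in fanout_sort(meshes)])
    print("evil sort:", evil_sort(meshes, work_weights(flows)))
```

On the sample data both meshes appear in the fanout list (3 clients, then 2), and only the IRC mesh appears in the evil sort because 10.0.0.3's scanning drives its work weight to about 0.66 while the ordinary chat clients sit near 0.1. Note that the per-pair bin sets are the only state kept per flow, which is the memory-reduction idea the abstract alludes to.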
Dua, Akshay; Binkley, Jim; and Singh, Suresh, "Finding IRC-like Meshes Sans Layer 7 Payloads" (2009). Computer Science Faculty Publications and Presentations. 221.