Download now Free registration required
Stealthy malware, such as botnets and spyware, are hard to detect because their activities are subtle and do not disrupt the network, in contrast to DoS attacks and aggressive worms. Stealthy malware, however, does communicate to exfiltrate data to the attacker, to receive the attacker's commands, or to carry out those commands. Since malware rarely infiltrates only a single host in a large enterprise, these communications should emerge from multiple hosts within coarse temporal proximity to one another. This paper describes a system called TAMD (pronounced "Tamed") with which an enterprise can identify candidate groups of infected computers within its network. TAMD accomplishes this by finding new communication "Aggregates" involving multiple internal hosts, i.e., communication flows that share common characteristics.
- Format: PDF
- Size: 212.2 KB