DocumentCode
2108948
Title
Framework for Zombie Detection Using Neural Networks
Author
Salvador, Paulo ; Nogueira, António ; Franca, U. ; Valadas, Rui
Author_Institution
Inst. de Telecomun., Univ. of Aveiro, Aveiro
fYear
2009
fDate
24-28 May 2009
Firstpage
14
Lastpage
20
Abstract
One of the most important threats to personal and corporate Internet security is the proliferation of zombie PCs operating as an organized network. Zombie detection is currently performed at the host level and/or the network level, but both options have important drawbacks: antivirus, anti-spyware and personal firewalls are ineffective at detecting hosts compromised by new or target-specific malicious software, while network firewalls and intrusion detection systems were developed to protect the network from external attacks and were not designed to detect, or protect against, threats that are already present inside the local area network. This paper presents a new approach, based on neural networks, that detects zombie PCs from the historical traffic profiles exhibited by "licit" and "illicit" network applications. The evaluation of the proposed methodology relies on traffic traces obtained in a controlled environment, composed of licit traffic measured from the normal activity of network applications and malicious traffic synthetically generated using the SubSeven backdoor. The results show that the proposed methodology achieves good identification results while being computationally efficient and easy to deploy in real network scenarios.
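The abstract describes the pipeline only at a high level (per-host historical traffic profile, then a neural network, then a licit/zombie decision). The following is an added example written for this page, not the paper's code: a toy version of that pipeline in Python. The flow records are constructed inside the script, the four profile features (flow rate, share of flows to the dominant destination, mean log payload size, inter-arrival regularity) are my assumptions rather than the paper's, and a single logistic neuron trained by batch gradient descent stands in for the paper's unspecified network architecture. Host addresses and the port number are arbitrary.

```python
"""Toy host-profile -> neural-classifier pipeline. Added example, not the
paper's code; the features, the synthetic flows and the one-neuron network
are all assumptions made for illustration. Standard library only."""
import math
import random
from collections import Counter

WINDOW_SEC = 3600  # assumed profiling window per host (one hour)


def synth_flows(host, rng, zombie):
    """Constructed flow records (t_sec, src, dst, dport, bytes) for one host.
    Licit: bursty browsing to many destinations with large payloads.
    Zombie: small, regular beacons to one controller plus a little browsing.
    Addresses are RFC 5737 documentation ranges; the port is arbitrary."""
    flows = []
    n_browse = rng.randint(5, 15) if zombie else rng.randint(40, 80)
    for _ in range(n_browse):
        t = rng.randint(0, WINDOW_SEC - 1)
        dst = "203.0.113.%d" % rng.randint(1, 30)
        flows.append((t, host, dst, rng.choice([80, 443]), rng.randint(500, 50000)))
    if zombie:
        for t in range(0, WINDOW_SEC, 30):  # one beacon every 30 s
            flows.append((t, host, "198.51.100.7", 8443, rng.randint(60, 120)))
    return flows


def profile(flows):
    """Per-host feature vector over the window (the 'traffic profile'):
    [flows per minute, share of flows to the most frequent (dst, port) pair,
     mean log(bytes) per flow, coefficient of variation of inter-arrival gaps]."""
    n = len(flows)
    rate = n / (WINDOW_SEC / 60.0)
    top_share = Counter((f[2], f[3]) for f in flows).most_common(1)[0][1] / n
    mean_log_bytes = sum(math.log(f[4]) for f in flows) / n
    ts = sorted(f[0] for f in flows)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    cv = 0.0
    if len(gaps) >= 2:
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap > 0:
            var = sum((g - mean_gap) ** 2 for g in gaps) / len(gaps)
            cv = math.sqrt(var) / mean_gap
    return [rate, top_share, mean_log_bytes, cv]


class SigmoidUnit:
    """One logistic neuron trained by batch gradient descent on standardized
    inputs: the smallest neural network, used in place of the paper's."""

    def __init__(self, n_in):
        self.w, self.b = [0.0] * n_in, 0.0
        self.mu, self.sd = [0.0] * n_in, [1.0] * n_in

    def _scale(self, x):
        return [(xi - m) / s for xi, m, s in zip(x, self.mu, self.sd)]

    def prob(self, x):
        s = self.b + sum(w * z for w, z in zip(self.w, self._scale(x)))
        s = max(-500.0, min(500.0, s))  # keep exp() in range
        return 1.0 / (1.0 + math.exp(-s))

    def fit(self, X, y, lr=0.1, epochs=2000):
        n, d = len(X), len(X[0])
        cols = list(zip(*X))
        # z-score each feature so no single scale dominates the gradient
        self.mu = [sum(c) / n for c in cols]
        self.sd = [max(1e-9, math.sqrt(sum((v - m) ** 2 for v in c) / n))
                   for c, m in zip(cols, self.mu)]
        for _ in range(epochs):
            gw, gb = [0.0] * d, 0.0
            for x, t in zip(X, y):
                err = self.prob(x) - t  # d(log-loss)/d(pre-activation)
                for j, z in enumerate(self._scale(x)):
                    gw[j] += err * z
                gb += err
            self.w = [w - lr * g / n for w, g in zip(self.w, gw)]
            self.b -= lr * gb / n


def train_detector(n_per_class=8, seed=0):
    """Fit the neuron on constructed licit (0) and zombie (1) host profiles."""
    rng = random.Random(seed)
    X, y = [], []
    for i in range(n_per_class):
        X.append(profile(synth_flows("10.0.0.%d" % (i + 1), rng, False))); y.append(0)
        X.append(profile(synth_flows("10.0.1.%d" % (i + 1), rng, True))); y.append(1)
    model = SigmoidUnit(len(X[0]))
    model.fit(X, y)
    return model


def detect(model, flows, threshold=0.5):
    """True if the host's traffic profile is classified as a zombie."""
    return model.prob(profile(flows)) >= threshold


def held_out(seed=123):
    """Two hosts the detector never saw: (licit_flows, zombie_flows)."""
    rng = random.Random(seed)
    return synth_flows("10.0.9.1", rng, False), synth_flows("10.0.9.2", rng, True)


if __name__ == "__main__":
    model = train_detector()
    for name, flows in zip(("10.0.9.1", "10.0.9.2"), held_out()):
        print(name, "zombie" if detect(model, flows) else "licit")
```

Run as a script it trains on 16 constructed host profiles and classifies two held-out hosts. On real data the same features would be computed from NetFlow/IPFIX-style records over the window, and the decision threshold would be tuned against the false-positive rate the operator can tolerate rather than fixed at 0.5.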
Keywords
Internet; invasive software; local area networks; neural nets; telecommunication traffic; corporate Internet security; historical traffic profiles; illicit network application; licit network application; local area network; malicious software; neural networks; personal Internet security; subseven backdoor; zombie PC; zombie detection; Communication system traffic control; Electronic mail; IP networks; Intrusion detection; Local area networks; Neural networks; Personal communication networks; Protection; Telecommunication traffic; Unsolicited electronic mail; Zombie; botnet; illicit traffic; neural network;
fLanguage
English
Publisher
ieee
Conference_Titel
Internet Monitoring and Protection, 2009. ICIMP '09. Fourth International Conference on
Conference_Location
Venice/Mestre
Print_ISBN
978-1-4244-3839-6
Electronic_ISBN
978-0-7695-3612-5
Type
conf
DOI
10.1109/ICIMP.2009.10
Filename
5076342
Link To Document