Monitoring, analysis, and filtering system for purifying network traffic of known and unknown malicious content

The early detection, alert and response (eDare) framework is presented in this paper. The goal of this framework is to address the risks stemming from malicious software propagating via networks operated by Internet/network service providers (ISP/NSP). To achieve this goal, eDare employs network-based traffic scanning appliances that enable sanitation of Internet traffic of known malware. Remaining traffic is extracted and various types of algorithms are invoked in an attempt to detect instances of previously un-encountered malware and to generate a unique and simple byte-string signature for such malware. That signature is immediately uploaded to the aforementioned network traffic scanners. To augment judgments of the algorithms, human experts are consulted for assistance in classifying files suspected of being malware about which the automatic detection algorithms are not sufficiently decisive. Finally, collaborative feedback and tips from end-users are meshed into the identification process. This makes tackling of suspect files, whose impact can be assessed on a large, distributed scale, possible. The system incorporates static and behavioral analysis of malware and novel automatic signature generation algorithm. eDare was implemented and tested using an evaluation environment especially developed for that purpose. The results suggest that eDare can detect and remove unknown malware effectively. Copyright (C) 2010 John Wiley & Sons, Ltd.