NoBot: Embedded Malware Detection for Endpoint Devices

NoBot is a novel malware detection system that employs packet classification and distinct counting techniques to achieve reliable detection and identification of malware by observing the traffic to and from a network-connected host. The solution is designed to be economically incorporated into endpoint devices, such as Ethernet switches, Gigabit passive optical network (GPON) devices, and digital subscriber line access multiplexers (DSLAMs) leveraging the integral features of the hosting device, such as packet classification, packet counting, packet-forwarding features, and the computing resources of the control processor. NoBot combines these features with deep packet inspection and distinct counting to detect the presence of malware with a low rate of false positive detections. The NoBot software has been incorporated into a Linux device driver, installed into an Android-based smart phone, and implemented as a preprocessor module for the open source Snort Intrusion detection and prevention System (IDS/IPS). (C) 2011 Alcatel-Lucent