Date of Award:


Document Type:


Degree Name:

Master of Science (MS)


Computer Science

Committee Chair(s)

Chad Mano


Chad Mano


Stephen W. Clyde


James Powell


Intrusion defense system (IDS) development has been largely reactionary in nature. This is especially troubling given that botnets are capable of compromising and controlling thousands of computers before security professionals develop a mitigation technique. As new exploits are created, new mitigation techniques are developed to detect infections and, where possible, remove them. This thesis breaks from this tradition of reacting to malware. Instead, it looks at possible malicious software models through analyzing existing defense systems for exploitable weaknesses.

First, this thesis presents a new specialized botnet that circumvents current network intrusion detection mechanisms. The proposed botnet coordinates external communication among bots located within the same switched network. This model is designed to prevent a perimeter-based IDS from adequately correlating external communication for a given internal host. The idea is to localize botnet communication, thus enabling a portion of the compromised systems to hide from existing detection techniques without a significant increase in network monitoring points - an increase that currently has not been effectively addressed.

Second, this thesis presents a prototype of an IDS that addresses the aforementioned weakness in current IDSs. The proposed method augments existing IDSs in order to efficiently detect this new botnet specialization or "sub-botnet''. Our method has added lightweight monitoring points within its switched network. These points relay necessary information back to a centralized perimeter-based IDS instance for bot detection. The IDS is also able to effectively relay signature information to the additional monitoring points for analysis.