Malicious software (“Malware”) includes software that is designed to gain access and/or damage a computer or subvert its functioning without the knowledge of the owner. Malware is a tremendous problem with the number of computer security incidents continuing to increase. Malware infections can have enormous direct and indirect costs on individuals, businesses and other organizations.
One type of malware is the Remote Access Trojan horse. Generally, a Trojan horse includes malware embedded in an application or system that performs or appears to perform a useful function but also is performing some form of unauthorized action. A Remote Access Trojan horse generally includes a back door for administrative access and/or control over a target computer.
Malware and Remote Access Trojan horse software placed on computing devices use network resources to connect back to the controller/attacker associated with the software. Such software typically must transmit its network traffic through host-resident and network-resident firewalls. These firewalls have stateful mechanisms which only permit traffic on a connection for a specific duration of time before considering that the connection in question is no longer viable. As such, malware of this nature invariably exhibits a periodic traffic transmission behavior resembling a beacon. To detect this behavior, traditional network defenses have focused on a content signature approach, in which a characterization of what is known to be malicious is used to determine whether particular software is malicious. Building this characterization or model may require significant resources (including human resources), and additional signatures may be needed whenever new instances of malware are identified. Of course, the effectiveness of content signature-based malware detection methods depends upon characterizations that may not necessarily be accurate or complete. Therefore, problems remain with malware detection, in part because existing methods do not recognize or appreciate the periodic traffic transmission associated with malware, nor how to detect malware using this observation. What is needed are improved methods of malware detection.
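The following Python is an added example, not part of the original text, showing how the periodicity observation above can be turned into a signature-free check: it groups outbound connections by source/destination pair and flags pairs whose inter-connection gaps are nearly constant. The connection records and host addresses are constructed for illustration; the thresholds are assumptions a practitioner would tune.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records: (timestamp_seconds, src, dst).
# 10.0.0.5 -> 203.0.113.7 connects every ~300 s (a beacon-like pattern, e.g. to
# stay inside a stateful firewall's idle timeout); 10.0.0.9 browses irregularly.
SAMPLE_CONNECTIONS = [
    (0.0, "10.0.0.5", "203.0.113.7"), (300.0, "10.0.0.5", "203.0.113.7"),
    (598.0, "10.0.0.5", "203.0.113.7"), (901.0, "10.0.0.5", "203.0.113.7"),
    (1200.0, "10.0.0.5", "203.0.113.7"), (1499.0, "10.0.0.5", "203.0.113.7"),
    (1802.0, "10.0.0.5", "203.0.113.7"), (2100.0, "10.0.0.5", "203.0.113.7"),
    (0.0, "10.0.0.9", "198.51.100.20"), (5.0, "10.0.0.9", "198.51.100.20"),
    (95.0, "10.0.0.9", "198.51.100.20"), (97.0, "10.0.0.9", "198.51.100.20"),
    (497.0, "10.0.0.9", "198.51.100.20"), (530.0, "10.0.0.9", "198.51.100.20"),
    (537.0, "10.0.0.9", "198.51.100.20"),
    (10.0, "10.0.0.9", "192.0.2.1"), (20.0, "10.0.0.9", "192.0.2.1"),  # too few
]


def intervals_by_pair(records):
    """Return {(src, dst): [gap1, gap2, ...]} of inter-connection gaps in seconds."""
    stamps = defaultdict(list)
    for ts, src, dst in sorted(records):  # sorted by timestamp first
        stamps[(src, dst)].append(ts)
    return {pair: [b - a for a, b in zip(ts, ts[1:])]
            for pair, ts in stamps.items() if len(ts) >= 2}


def beacon_score(gaps):
    """Coefficient of variation of the gaps: near 0 means near-perfect periodicity."""
    m = mean(gaps)
    if m <= 0:
        return float("inf")
    return pstdev(gaps) / m


def find_beacons(records, min_connections=6, max_cv=0.2):
    """Flag pairs with enough connections whose gaps are regular enough (assumed thresholds)."""
    flagged = []
    for pair, gaps in intervals_by_pair(records).items():
        if len(gaps) + 1 < min_connections:
            continue  # too little history to judge periodicity
        cv = beacon_score(gaps)
        if cv <= max_cv:
            flagged.append((pair, round(mean(gaps), 1), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for pair, period, cv in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{pair[0]} -> {pair[1]}: period ~{period}s, cv={cv}")
```

On the constructed sample only the 300-second pair is reported; real deployments would also need to whitelist legitimate periodic traffic such as update checks and NTP.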