Inline Botnet Extraction and Prevention

Period of Performance: 01/01/2006 - 12/31/2006

Phase 1 SBIR

Recipient Firm

Endeavor Systems
8300 Greensboro Drive, Suite 600
McLean, VA 22102
Principal Investigator
Firm POC

Phase I of this project researches a new approach for collecting a higher proportion of relevant bot executables by exploiting a weakness in the infection vector and by using an inline device that both protects systems and captures the bot as it attempts to infect them. Most recent botnet research relies on honeynets to collect bots. Reliance on a single collection mechanism, such as honeypots, creates a weakness: attackers can determine which targets to avoid. Also, the effectiveness of dark-space honeypots in an IPv6-based Internet is unknown. Endeavor proposes a technique that collects and prevents bot malware while infection is being attempted against systems, removing the dependency on honeypots. Proving the feasibility of extraction at the infection vector in Phase I lays the foundation for developing the inline botnet extraction and prevention system in Phase II. Endeavor has created and operates a commercial decoy sensor grid, FirstLight, which collects and analyzes botnets. We propose leveraging FirstLight, including an inline IPS, for the proposed research in order to reduce time-to-deployment. The research results will be packaged as part of our FirstLight commercial offering.