Trojan detection using MIB-based IDS / IPS system
Identifying and detecting Trojans (malicious software installed and run on a host, without the acquiescence of the host's owner) is a major element in delivering computer security. As with any computer application, installation of a Trojan leaves a “footprint” on the systems resources. However, detection is non-trivial: the detector must be able to recognize the symptoms against a background of a range of other (“safe”) activities, which also consume system resources. Furthermore, such detection activity should be at least resource neutral (in other words, the resources consumed by the detection process should not be more than the resources saved in detection). Therefore, we wished to explore the potential of an economical approach that explicitly takes into account resources used. In order to achieve our aim, we explore the possibility of making use of the existing widely deployed Management Information database (the MIB) as the basis for detecting attempts to install Trojan software on networked systems. We identify the characteristics of typical attacks in respect of the impact they have on particular MIB objects, and propose a decision-tree based algorithm which can detect Trojan activity. We identify the likely effectiveness of this system, with particular reference to the need for such information to be gathered in a timely manner.