- Botnet Detection in the Core
- BITSI (Biologically Inspired Tactical Security Infrastructure)
- Defenses Against Botnet-Aided Spam over VoIP
- Botnet Activity Detection Based Upon an Analogy to the RNAi Immune System
- Intel's DDI (Distributed Detection and Inference) Research Program
Orchids is an intrusion prevention system (IPS) that looks for patterns among events instead of the traditional technique of detecting signatures of known attacks.
The basic concept of Orchids is to detect entire classes of 0-day (previously unknown) attacks by looking for similar sequences of events. For example, elevation of a user’s identity to root without following a normal mechanism should reliably identify a successful exploit.
Orchids also calculates entropy (a measure of disorder). This can flag, for example, an attack that exploits an SSL (secure sockets layer) server. This type of server normally creates encrypted transmissions between a browser and a webserver, and encryption is designed to create high entropy communications. However, if an attack program causes an SSL server to transmit shellcode (malware inserted directly into memory), this no longer appears random. Entropy falls and Orchids sends an alert to the administrator.