Show simple item record

dc.contributor.advisorFord, Richard
dc.contributor.authorFioravanti, Mark Edward
dc.date.accessioned2017-01-11T16:23:35Z
dc.date.available2017-01-11T16:23:35Z
dc.date.issued2016-12
dc.identifier.urihttp://hdl.handle.net/11141/1126
dc.descriptionThesis (Ph.D.) - Florida Institute of Technology, 2016en_US
dc.description.abstractINTRODUCTION: Malware authors present an interesting problem for the security community as they evolve and adapt to overcome network and host defenses. The determined adversary is a special class of malware author who may attempt to disrupt national interests. These adversaries may seek potentially novel Command and Control (C2) channels to coordinate their activities. Isolated and air-gapped networks pose an interesting challenge that these adversaries must adapt to in order to maintain persistence on these networks. In this work we propose that a determined adversary may seek to implement a digital quorum sensing system inspired by the quorum sensing systems used by some bacteria to coordinate their social behaviors. OBJECTIVES: The primary objective of this research was to characterize a potential digital quorum sensing C2 channel that relies on subtly modifying the global packet distribution on a network. METHODS: A proof of concept was developed and studied to determine if a C2 channel based on quorum sensing is feasible. Based on the results of the proof of concept, a prototype was implemented and studied in a number of different networking environments in order to more fully characterize the signal. The strength of the quorum sensing signal (the independent variable) was adjusted and through a series of statistical tests the statistical significance of the impact on the global packet distribution was determined. RESULTS: Network packet captures were analyzed from several different networks with Friedman tests. When the probability of a delaying packets was approximately in the range of (0.25,0.1) the delay was statistically significant with alpha=0.05 for the global packet distribution but not for the packet counts observed from the individual hosts. Wilcoxon rank-sum tests were used to determine which portions of the data sets contained statistically significant deviations, at a significance level of 95% (alpha=0.05). CONCLUSION: Digital quorum sensing could be used as a novel C2 channel providing a determined adversary a unique method of coordinating activities on a network without allowing the network defender to identify the infected hosts. During the experiment it was observed that this signal is easy to disrupt by altering the time synchronization between the hosts on the network.en_US
dc.format.mimetypeapplication/pdf
dc.language.isoen_USen_US
dc.rightsCC BY-SA 4.0en_US
dc.rights.urihttp://creativecommons.org/licenses/by-sa/4.0/legalcodeen_US
dc.titleDigital Quorum Sensing for Self-Organizing Malwareen_US
dc.typeDissertationen_US
dc.date.updated2017-01-09T20:49:48Z
thesis.degree.nameDoctor of Philosophy in Computer Scienceen_US
thesis.degree.levelDoctoralen_US
thesis.degree.disciplineComputer Scienceen_US
thesis.degree.departmentComputer Sciencesen_US
thesis.degree.grantorFlorida Institute of Technologyen_US
dc.type.materialtext


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record

CC BY-SA 4.0
Except where otherwise noted, this item's license is described as CC BY-SA 4.0