Proceedings Paper

NERD: a Network Exfiltration Rootkit Detector based on a Multi-agent Artificial Immune System

Publisher

IEEE
DOI: 10.1109/WCNPS53648.2021.9626241

Keywords

Security; Artificial Immune Systems; Multi-Agent Systems; Flow-based Analysis; Rootkits; Malware detection

Funding

  1. CyberSecLab


Summary: Advanced Persistent Threats (APTs) and the rootkits that sustain them are among the main cyber threats. Marques et al. [1] proposed MADEX, a flow-analysis Artificial Immune System that detects rootkits hiding network traffic; this work extends it into NERD, which handles higher load with improved detection results.

Abstract

The expansion of the Internet has also brought a great increase in cyber threats. Among the main threats in this new scenario are Advanced Persistent Threats (APTs), characterized by slow progress, high stealthiness and high impact. One of the tools cyber actors use to maintain the extended presence an APT campaign requires is the rootkit: malware designed to subvert the operating system so that processes, files and network traffic can be hidden from system administrators, and so that the attacker can easily re-enter the system after the initial infection. Rootkits are extremely hard to detect. Marques et al. [1] proposed the MADEX architecture, an Artificial Immune System (AIS) for flow analysis that detects rootkits hiding network traffic. This work enhances MADEX so that it can handle more load without degrading its detection capability. The result is NERD, which sustains loads above those of the original MADEX with an improved accuracy of 99.996% and a false positive rate below 0.08%.
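As an added illustration (not code from the paper, and not the MADEX/NERD algorithm, whose AIS internals the abstract does not describe), the following Python sketch shows the cross-view principle that makes rootkit-hidden traffic detectable from flows: a socket a rootkit hides from `ss`/`netstat` on the host still produces flows at a network tap, so a flow the tap sees while the host reports nothing is suspect. It also computes the per-flow accuracy and false-positive rate, the two figures the abstract reports. The host-snapshot layout, the CSV flow format, the host IP, the snapshot time and all sample flows are constructed assumptions for the example.

```python
"""Cross-view detection of network traffic a rootkit hides from the host.

Added example; not code from the NERD/MADEX papers. All input data below is
constructed, and the ss-like and CSV layouts are assumptions of this example.
"""
from dataclasses import dataclass

# 5-tuple oriented from the monitored host outwards, so that the host view
# and the tap view produce identical keys for the same connection.
FlowKey = tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    first_seen: float  # seconds on the tap's clock
    last_seen: float

    def key(self, host_ip: str) -> FlowKey:
        """Orient the tuple so the monitored host is always the local side."""
        if self.dst == host_ip:
            return (self.proto, self.dst, self.dport, self.src, self.sport)
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def _endpoint(ep: str) -> tuple[str, int]:
    ip, _, port = ep.rpartition(":")
    return ip, int(port)


def parse_host_sockets(text: str) -> set[FlowKey]:
    """Parse the host's own socket table in an 'ss -tn'-like layout (assumed):
    Netid State Recv-Q Send-Q Local:Port Peer:Port, one header line first."""
    keys: set[FlowKey] = set()
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 6:
            continue
        lip, lport = _endpoint(f[4])
        rip, rport = _endpoint(f[5])
        keys.add((f[0], lip, lport, rip, rport))
    return keys


def parse_tap_flows(text: str) -> list[Flow]:
    """Parse a constructed NetFlow-like CSV: proto,src,sport,dst,dport,first,last."""
    flows = []
    for line in text.splitlines()[1:]:
        p, s, sp, d, dp, t0, t1 = [c.strip() for c in line.split(",")]
        flows.append(Flow(p, s, int(sp), d, int(dp), float(t0), float(t1)))
    return flows


def hidden_flows(tap: list[Flow], host_keys: set[FlowKey], host_ip: str,
                 snapshot_time: float, min_age: float = 2.0) -> list[Flow]:
    """Flows the tap saw that the host's socket table does not report.

    Two benign mismatches are excluded to keep false positives down: flows
    that ended before the host snapshot was taken (legitimately gone from the
    socket table) and flows younger than min_age at snapshot time (the socket
    may not have existed yet when the table was read)."""
    out = []
    for fl in tap:
        if fl.last_seen < snapshot_time or fl.first_seen > snapshot_time - min_age:
            continue
        if fl.key(host_ip) not in host_keys:
            out.append(fl)
    return out


def detection_metrics(alerted: set[FlowKey], truly_hidden: set[FlowKey],
                      all_keys: set[FlowKey]) -> tuple[float, float]:
    """Per-flow (accuracy, false-positive rate) from a confusion matrix."""
    tp = len(alerted & truly_hidden)
    fp = len(alerted - truly_hidden)
    fn = len(truly_hidden - alerted)
    tn = len(all_keys - alerted - truly_hidden)
    total = tp + fp + fn + tn
    accuracy = (tp + tn) / total if total else 0.0
    fpr = fp / (fp + tn) if (fp + tn) else 0.0
    return accuracy, fpr


HOST_IP = "10.0.0.5"      # assumed monitored host
SNAPSHOT_TIME = 130.0     # assumed time the socket table was read (tap clock)

# Constructed host view: what a rootkitted host's ss prints (one socket hidden).
HOST_SNAPSHOT = """\
Netid State Recv-Q Send-Q Local:Port       Peer:Port
tcp   ESTAB 0      0      10.0.0.5:44120   203.0.113.7:443
tcp   ESTAB 0      0      10.0.0.5:51002   198.51.100.20:22
udp   ESTAB 0      0      10.0.0.5:5353    224.0.0.251:5353
"""

# Constructed tap view: the same connections plus three the host does not list.
# 40001->8443 is the hidden exfiltration channel; 40002 closed before the
# snapshot; 40003 opened half a second before it (race, not hiding).
TAP_FLOWS = """\
proto,src,sport,dst,dport,first_seen,last_seen
tcp,10.0.0.5,44120,203.0.113.7,443,100.0,130.5
tcp,198.51.100.20,22,10.0.0.5,51002,90.0,130.5
udp,10.0.0.5,5353,224.0.0.251,5353,120.0,130.5
tcp,10.0.0.5,40001,192.0.2.66,8443,60.0,130.5
tcp,10.0.0.5,40002,203.0.113.7,443,95.0,110.0
tcp,10.0.0.5,40003,198.51.100.9,80,129.5,130.5
"""


def run_example() -> tuple[list[FlowKey], float, float]:
    """Run the cross-view check on the constructed data and score it."""
    host_keys = parse_host_sockets(HOST_SNAPSHOT)
    tap = parse_tap_flows(TAP_FLOWS)
    alert_keys = [f.key(HOST_IP) for f in hidden_flows(tap, host_keys, HOST_IP, SNAPSHOT_TIME)]
    truly_hidden = {("tcp", HOST_IP, 40001, "192.0.2.66", 8443)}  # ground truth
    acc, fpr = detection_metrics(set(alert_keys), truly_hidden, {f.key(HOST_IP) for f in tap})
    return alert_keys, acc, fpr
```

Calling `run_example()` returns a single alert for the 40001 to 192.0.2.66:8443 flow and perfect per-flow accuracy on this toy data; the two exclusions in `hidden_flows` are where a real deployment's false-positive rate is decided, since snapshot timing races and short-lived connections, not rootkits, account for most host/tap mismatches.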
