Enabling malware remediation in expanding home networks

Author(s)
Loving, James Howard
Thumbnail
DownloadFull printable version (1.093Mb)
Other Contributors
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science.
Advisor
David D. Clark.
Terms of use
MIT theses are protected by copyright. They may be viewed, downloaded, or printed from this source but further reproduction or distribution in any format is prohibited without written permission. http://dspace.mit.edu/handle/1721.1/7582
Metadata
Show full item record
Abstract
As the Internet of Things (IoT) grows, malware will increasingly threaten Internet security and stability. Many actors, from individuals installing antivirus on their personal computers to law enforcement conducting botnet takedowns, have some capability to prevent or remediate malware, but these strategies face technical and economic challenges. These challenges worsen as the IoT expands, due to the high number of IoT devices and other characteristics of the IoT. Fortunately, Internet Service Providers (ISPs) are positioned to effectively contribute to malware remediation efforts, through the detection and notification of compromise. However, Network Address Translation (NAT) and IPv6 Privacy Extensions prevent ISPs from identifying the specific compromised device. We refer to this lastmile extension of the IP traceback problem as the residential source identification problem. As the IoT grows, the problem worsens: IoT devices are less capable of self-remediation and expected to soon outnumber traditional devices, thus imposing a significant cost on customers to triangulate and remediate an infection. To address the residential source identification problem, I propose EDICT, an open-source software package for home routers that will enable consumers to identify a specific device, given retrospective notification of the malicious behavior, without compromising the consumer's privacy. EDICT does this by maintaining a mapping of IP flows to devices through a series of scalable Bloom filters, allowing EDICT to operate under the significant memory constraints of home routers. When a customer is informed of compromise, EDICT will query this connection log using a fuzzy check of the timestamp and source port, both provided by the ISP, iterated across a log of identified devices. EDICT will then provide the customer with user-friendly information on the infection's source, enabling remediation.As the Internet of Things (IoT) grows, malware will increasingly threaten Internet security and stability. Many actors, from individuals installing antivirus on their personal computers to law enforcement conducting botnet takedowns, have some capability to prevent or remediate malware, but these strategies face technical and economic challenges. These challenges worsen as the IoT expands, due to the high number of IoT devices and other characteristics of the IoT. Fortunately, Internet Service Providers (ISPs) are positioned to effectively contribute to malware remediation efforts, through the detection and notification of compromise. However, Network Address Translation (NAT) and IPv6 Privacy Extensions prevent ISPs from identifying the specific compromised device. We refer to this lastmile extension of the IP traceback problem as the residential source identification problem. As the IoT grows, the problem worsens: IoT devices are less capable of self-remediation and expected to soon outnumber traditional devices, thus imposing a significant cost on customers to triangulate and remediate an infection. To address the residential source identification problem, I propose EDICT, an open-source software package for home routers that will enable consumers to identify a specific device, given retrospective notification of the malicious behavior, without compromising the consumer's privacy. EDICT does this by maintaining a mapping of IP flows to devices through a series of scalable Bloom filters, allowing EDICT to operate under the significant memory constraints of home routers. When a customer is informed of compromise, EDICT will query this connection log using a fuzzy check of the timestamp and source port, both provided by the ISP, iterated across a log of identified devices. EDICT will then provide the customer with user-friendly information on the infection's source, enabling remediation.
Description
Thesis: S.M. in Technology and Policy, Massachusetts Institute of Technology, School of Engineering, Institute for Data, Systems, and Society, Technology and Policy Program, 2017.
 
Thesis: S.M., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2017.
 
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.
 
Cataloged from student-submitted PDF version of thesis.
 
Includes bibliographical references (pages 79-91).
 
Date issued
2017
URI
http://hdl.handle.net/1721.1/108839
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer ScienceMassachusetts Institute of Technology. Engineering Systems DivisionMassachusetts Institute of Technology. Institute for Data, Systems, and SocietyTechnology and Policy Program
Publisher
Massachusetts Institute of Technology
Keywords
Institute for Data, Systems, and Society., Technology and Policy Program., Electrical Engineering and Computer Science.
Collections