Mitigating Malware for Effective Utilization of Network Resources at ISPs

The effect of network-based malware can be massive on Internet Service Providers (ISPs). Malicious users, that are among the ISP customers, can consume large amount of network bandwidth. This behavior could be overwhelmingly damaging as legitimate ISP users may experience performance degradation or complete denial of service. Subsequently, as network-based malware spreads out, number of malicious users increase, causing distributed denial of service (DDoS) attack. This paper proposes a novel idea of mitigating network-based malwares at ISP level. The proposed solution - ISPMonitor, monitors various traffic patterns to detect the timely onset of malware attack. It detects the attack and applies a mitigation mechanism to protect the ISP network. The ISPMonitor, is a DNS based solution that monitors the rate of DNS lookup requests. An anomaly based approach is used to detect malware. The proposed mechanism was investigated on a live wireless ISP with 80,000 customers spanned across three major cities of Pakistan. Results reveal that this approach was not only highly effective in detecting and mitigating the malicious traffic but also has improved network bandwidth utilization considerably.