Users can set a detection threshold on the evaluation, that, if exceeded will mean traffic is deemed a C&C request. The higher the threshold, the fewer false positives are returned, but at the same time fewer new C&C domains are caught and fewer infected hosts are discovered, he says.
For the research Nelms and his team are reporting on, prototype of ExecScent was deployed in three large networks for two weeks. Compared to an alternative method of using a domain black list to find command and control servers, ExecScent found more new C&C servers as well as hundreds of previously undetected infected machines.
Nelms says Damballa is working on improvements to Request Profiler that will keep false positives lower and at the same time increase the number of C&C domains and infected client machines that it detects.
If the product generates a false positive, it has to be discovered by end users who can't reach a legitimate domain or by security techs who recognize a blocked domain as legitimate. Then customers have to get Damballa to resolve it, he says.
Sign up for CIO Asia eNewsletters.