Download - Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu
Fast and Robust Worm Detection Algorithm
Tian BuAiyou ChenScott Vander WielThomas Woo
bearhsu
Outline Introduction Algorithm Design
CUSUM Maximum Likelihood Inference of
Worm Propagation Rate Algorithm
Evaluation Conclusion
Requirement of worm detections
High -speed: Fast worms: making damage within minutes
Accuracy: False positives: alarm without worms False negatives: worms without alarms Avoiding both
Robustness: Working well for various worms with different
propagation characteristics
Introduction Motivation:
Proposing detecting methods with above requirements
Method of work: Monitoring unused IP addresses
Unsolicited traffic Using unsolicited packets as input to worm detection
algorithms
Result: Proposing a two-step algorithm
1st stage: CUSUM counting 2nd stage: Exponential detector
Unsolicited traffic Subnets usually has many unused IP
addresses Bell Labs use these unused addresses as
a network telescope Unsolicited packet:
Packets sent to the unused IP addresses Usage:
Arrival process of unsolicited packets Arrival of new sources that send these packets
Unsolicited Packets vs. Sources
Stream of all unsolicited packets “Scan” count
tt-sample stream stream of unsolicited packets from
external sources that have not been observed in the previous tt seconds
“Scanner” count
- Inter-arrival time
Unsolicited packets vs. sources- Inter-arrival time
Effect of worms
without worms Inter arrival-time
should be exponentially distributed
Poisson Distribution
Algorithm
Change Detection Maximum Likelihood Inference of
Worm Propagation Rate Complete Algorithm
Change Detection using CUSUM
Sn: CUSUM Xn: Tn – Tn-1, inter-arrival time While Sn exceeds a threshold h, stage 2 is triggered if the mean of Xn shifts from μ to something
smaller than μ−pμ at sample nw then Sn will tend to accumulate positive increments after nw and thus eventually cross the threshold h and signal a change.
A fresh scanner arrival can be modeled as a non-stationary Poisson process
Considering the ‘background’ traffic and simply assuming that the worm starts at 0 (tw =0 )
Tn0: the most resent time that Si >0 (before CUSUM
signal)
Tj = Tn0+j – Tn0, inter-arrival time relative to n0
We can observe only T1, …, Tn, instead of T1, …Tn
Maximum Likelihood Inference
Maximum Likelihood Inference
Maximum Likelihood Inference
Maximum Likelihood Inference
Maximum Likelihood Inference
normal distributed with mean 0 and
variance 1 [20] under the null hypothesis r = r0
r0: maximal rate that can be ignored
Purpose of 2nd stage: testing that whether r is abnormally
large or not
Complete Worm Detection Algorithm
Estimation #1 - Slammer
Estimation #2 - Witty
Estimation #3 - Nimda
Estimation #4 - Blaster
Estimation - Result
Conclusion
Devised a fast and robust worm detection algorithm without any payload signatures
Applied the algorithm with REAL data to demonstrate the effectiveness
Future work next page...
Future work
Evaluate from a variety of Internet locations Reduce computational complexity Reduce false signal rate of the CUSUM
To make MLE computing invoked less frequently
Find new MLE algorithms