Fast and Robust Worm Detection Algorithm. Tian Bu, Aiyou Chen, Scott Vander Wiel, Thomas Woo. bearhsu.


Posted on 15-Jan-2016


TRANSCRIPT

  • Fast and Robust Worm Detection Algorithm
    Tian Bu, Aiyou Chen, Scott Vander Wiel, Thomas Woo

    bearhsu

  • Outline
    - Introduction
    - Algorithm Design: CUSUM; Maximum Likelihood Inference of Worm Propagation Rate; Algorithm
    - Evaluation
    - Conclusion

  • Requirements of worm detection
    - High speed: fast worms do their damage within minutes
    - Accuracy: avoid both false positives (alarms without worms) and false negatives (worms without alarms)
    - Robustness: work well for various worms with different propagation characteristics

  • Introduction
    - Motivation: propose detection methods that meet the above requirements
    - Method of work: monitor unused IP addresses; collect the unsolicited traffic sent to them; use the unsolicited packets as input to the worm detection algorithm
    - Result: a two-stage algorithm. 1st stage: CUSUM counting. 2nd stage: exponential detector

  • Unsolicited traffic
    - Subnets usually have many unused IP addresses
    - Bell Labs uses these unused addresses as a network telescope
    - Unsolicited packet: a packet sent to one of the unused IP addresses
    - Usage: the arrival process of unsolicited packets, and the arrival of new sources that send these packets

  • Unsolicited Packets vs. Sources
    - Stream of all unsolicited packets: scan count
    - t-sample stream: the stream of unsolicited packets from external sources that have not been observed in the previous t seconds: scanner count
    - Inter-arrival time

  • Unsolicited packets vs. sources
    - Inter-arrival time

  • Effect of worms
    - Without worms, scanner arrivals follow a Poisson process, so the inter-arrival time should be exponentially distributed

  • Algorithm
    - Change Detection
    - Maximum Likelihood Inference of Worm Propagation Rate
    - Complete Algorithm

  • Change Detection using CUSUM
    - Sn: the CUSUM statistic
    - Xn = Tn - Tn-1: the inter-arrival time
    - When Sn exceeds a threshold h, stage 2 is triggered
    - If the mean of Xn shifts from its pre-worm value to something smaller at sample nw, then Sn will tend to accumulate positive increments after nw and thus eventually cross the threshold h and signal a change

  • Maximum Likelihood Inference
    - The arrival of fresh scanners can be modeled as a non-stationary Poisson process

    - Take the background traffic into account and simply assume that the worm starts at 0 (tw = 0)

    - Tn0: the most recent time that Si > 0 (before the CUSUM signal)
    - Tj = Tn0+j - Tn0: the arrival time relative to n0
    - Only the relative times T1, ..., Tn (measured from Tn0) are observed, not the absolute T1, ..., Tn
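An added example (not code from the paper or the presenter) of the stage-1 CUSUM described on the CUSUM slide, with the n0 bookkeeping from this slide: it runs over inter-arrival gaps between new scanner sources, fires when Sn exceeds h, and hands the arrival times relative to Tn0 to stage 2. The exponential log-likelihood-ratio increment, the rates lam0 and lam1, the threshold h and the sample gaps are all assumptions made here, not values from the slides.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: inter-arrival gaps (seconds) between NEW scanner sources
# hitting the telescope. First 30 gaps are background (mean about 1 s), the rest
# mimic a worm onset where fresh scanners appear roughly five times as fast.
BACKGROUND = [0.6, 1.4, 0.9, 1.1, 0.8, 1.2, 1.0, 0.7, 1.3, 1.0] * 3
WORM = [0.15, 0.25, 0.2, 0.3, 0.1, 0.2, 0.25, 0.15, 0.2, 0.2] * 2
SAMPLE = BACKGROUND + WORM

@dataclass
class CusumResult:
    signal_index: Optional[int]  # n at which Sn first exceeds h (None: no alarm)
    onset_index: Optional[int]   # n0: first sample of the positive run that crossed h
    scores: List[float]          # Sn for every processed sample

def cusum_rate_increase(gaps: List[float], lam0: float, lam1: float, h: float) -> CusumResult:
    """One-sided CUSUM on inter-arrival gaps; the increment is the exponential
    log-likelihood ratio for rate lam1 vs lam0 (assumed form, see lead-in).
    It is positive whenever a gap is shorter than ln(lam1/lam0)/(lam1-lam0)."""
    if not lam1 > lam0 > 0:
        raise ValueError("expect lam1 > lam0 > 0: detector looks for a rate increase")
    log_ratio = math.log(lam1 / lam0)
    s, onset, scores = 0.0, 0, []
    for n, x in enumerate(gaps):
        if x < 0:
            raise ValueError(f"negative inter-arrival time at sample {n}")
        if s == 0.0:
            onset = n                 # a new positive run would start here
        s = max(0.0, s + log_ratio - (lam1 - lam0) * x)
        scores.append(s)
        if s > h:                     # stage 1 fires; hand samples n0..n to stage 2
            return CusumResult(n, onset, scores)
    return CusumResult(None, None, scores)

def stage_two_times(gaps: List[float], res: CusumResult) -> List[float]:
    """Arrival times relative to Tn0 for the samples the stage-2 MLE sees."""
    if res.signal_index is None:
        return []
    times, t = [], 0.0
    for x in gaps[res.onset_index:res.signal_index + 1]:
        t += x
        times.append(t)
    return times

if __name__ == "__main__":
    res = cusum_rate_increase(SAMPLE, lam0=1.0, lam1=5.0, h=5.0)
    print("alarm at sample", res.signal_index, "run started at n0 =", res.onset_index)
    print("relative arrival times for the MLE stage:", stage_two_times(SAMPLE, res))
```

With these settings the background gaps never push Sn above zero, so the alarm fires seven samples into the worm phase and stage 2 receives exactly that run.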

  • Maximum Likelihood Inference

  • Maximum Likelihood Inference

  • Maximum Likelihood Inference

  • Maximum Likelihood Inference
    - The resulting statistic is normally distributed with mean 0 and variance 1 [20] under the null hypothesis r = r0
    - r0: the maximal rate that can be ignored
    - Purpose of the 2nd stage: test whether r is abnormally large or not

  • Complete Worm Detection Algorithm

  • Estimation #1 - Slammer

  • Estimation #2 - Witty

  • Estimation #3 - Nimda

  • Estimation #4 - Blaster

  • Estimation - Result

  • Conclusion
    - Devised a fast and robust worm detection algorithm that needs no payload signatures
    - Applied the algorithm to REAL data to demonstrate its effectiveness
    - Future work: next page...

  • Future work
    - Evaluate from a variety of Internet locations
    - Reduce computational complexity
    - Reduce the false signal rate of the CUSUM, so that the MLE computation is invoked less frequently
    - Find new MLE algorithms
