When gossip is good: distributed probabilistic inference for detection of slow network intrusions

Authors:
Denver Dash;Branislav Kveton;John Mark Agosta;Eve Schooler;Jaideep Chandrashekar;Abraham Bachrach;Alex Newman
Affiliations:
Intel Corporation, Pittsburgh, PA;Intelligent Systems Program, University of Pittsburgh;Intel Corporation, Santa Clara, CA;Intel Corporation, Santa Clara, CA;Intel Corporation, Santa Clara, CA;University of California, Berkeley;Rensselaer Polytechnic Institute
Venue:
AAAI'06 proceedings of the 21st national conference on Artificial intelligence - Volume 2
Year:
2006

Citing 8
Cited 12

A model for reasoning about persistence and causation

Computational Intelligence
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Anomaly Detection over Noisy Data using Learned Probability Distributions

ICML '00 Proceedings of the Seventeenth International Conference on Machine Learning
Bayesian biosurveillance of disease outbreaks

UAI '04 Proceedings of the 20th conference on Uncertainty in artificial intelligence
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13

A distributed host-based worm detection system

Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Dependency-based distributed intrusion detection

DETER Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007
An adaptive anomaly detector for worm detection

SYSML'07 Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques
Optimal Cost, Collaborative, and Distributed Response to Zero-Day Worms - A Control Theoretic Approach

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
COD: online temporal clustering for outbreak detection

AAAI'07 Proceedings of the 22nd national conference on Artificial intelligence - Volume 1
Detection of slow malicious worms using multi-sensor data fusion

CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
Collaborative defence as a pervasive service: architectural insights and validation methodologies of a trial deployment

International Journal of Sensor Networks
Crowdsourcing service-level network event monitoring

Proceedings of the ACM SIGCOMM 2010 conference
SMURFEN: a system framework for rule sharing collaborative intrusion detection

Proceedings of the 7th International Conference on Network and Services Management
A model for detecting "global footprint anomalies" in a grid environment

PAISI'10 Proceedings of the 2010 Pacific Asia conference on Intelligence and Security Informatics
A scalable network forensics mechanism for stealthy self-propagating attacks

Computer Communications
A Cooperative Intrusion Detection Model Based on Granular Computing and Agent Technologies

International Journal of Agent Technologies and Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Intrusion attempts due to self-propagating code are becoming an increasingly urgent problem, in part due to the homogeneous makeup of the internet. Recent advances in anomaly-based intrusion detection systems (IDSs) have made use of the quickly spreading nature of these attacks to identify them with high sensitivity and at low false positive (FP) rates. However, slowly propagating attacks are much more difficult to detect because they are cloaked under the veil of normal network traffic, yet can be just as dangerous due to their exponential spread pattern. We extend the idea of using collaborative IDSs to corroborate the likelihood of attack by imbuing end hosts with probabilistic graphical models and using random messaging to gossip state among peer detectors. We show that such a system is able to boost a weak anomaly detector D to detect an order-of-magnitude slower worm, at false positive rates less than a few per week, than would be possible using D alone at the end-host or on a network aggregation point. We show that this general architecture is scalable in the sense that a fixed absolute false positive rate can be achieved as the network size grows, spreads communication bandwidth uniformly throughout the network, and makes use of the increased computation power of a distributed system. We argue that using probabilistic models provides more robust detections than previous collaborative counting schemes and allows the system to account for heterogeneous detectors in a principled fashion.