Detection of slow malicious worms using multi-sensor data fusion

Authors:
Frank Akujobi;Ioannis Lambadaris;Evangelos Kranakis
Affiliations:
Department of Systems and Computer Engineering, Carleton University, Ottawa, ON, Canada;Department of Systems and Computer Engineering, Carleton University, Ottawa, ON, Canada;Department of Systems and Computer Engineering, Carleton University, Ottawa, ON, Canada
Venue:
CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
Year:
2009

Citing 14
Cited 1

Inside the Slammer Worm

IEEE Security and Privacy
Towards multisensor data fusion for DoS detection

Proceedings of the 2004 ACM symposium on Applied computing
The Spread of the Witty Worm

IEEE Security and Privacy
Cisco Security Agent

Cisco Security Agent
Vigilante: end-to-end containment of internet worms

Proceedings of the twentieth ACM symposium on Operating systems principles
Dempster-Shafer Theory for Intrusion Detection in Ad Hoc Networks

IEEE Internet Computing
Anomalous system call detection

ACM Transactions on Information and System Security (TISSEC)
A Multi-Resolution Approach forWorm Detection and Containment

DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
Mathematical Techniques in Multisensor Data Fusion (Artech House Information Warfare Library)

Mathematical Techniques in Multisensor Data Fusion (Artech House Information Warfare Library)
Sensor and Data Fusion: A Tool for Information Assessment and Decision Making (SPIE Press Monograph Vol. PM138)

Sensor and Data Fusion: A Tool for Information Assessment and Decision Making (SPIE Press Monograph Vol. PM138)
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Challenging the anomaly detection paradigm: a provocative discussion

NSPW '06 Proceedings of the 2006 workshop on New security paradigms
An integrated approach to detection of fast and slow scanning worms

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
When gossip is good: distributed probabilistic inference for detection of slow network intrusions

AAAI'06 proceedings of the 21st national conference on Artificial intelligence - Volume 2

A scalable network forensics mechanism for stealthy self-propagating attacks

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Detection of slow worms is particularly challenging due to the stealthy nature of their propagation techniques and their ability to blend with normal traffic patterns. In this paper, we propose a distributed detection approach based on the Generalized Evidence Processing (GEP) theory, a sensor integration and data fusion technique. With GEP theory, evidence collected by distributed detectors determine the probability associated with a detection decision under a hypothesis. The collected evidence is combined to arrive at an optimal fused detection decision by minimizing a cummulative decision risk function. Typically, malicious traffic flows of varying scanning rates can occur in the wild, and the difficulty in detecting slow scanning worms in particular can be exacerbated by interference from other traffic flows scanning at faster rates. Our proposed detection technique uses a window-based self adapting profiler to filter detected malicious traffic profiles with scanning rates greater than the low scanning rates we are interested in. Experiments on a live test-bed are used to demonstrate behavior of the technique.