
Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu.


1 Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu

2 Outline
- Introduction
- Algorithm Design: CUSUM; Maximum Likelihood Inference of Worm Propagation Rate
- Algorithm Evaluation
- Conclusion

3 Requirements of worm detection
- High speed: fast worms do their damage within minutes
- Accuracy: avoid both false positives (an alarm without a worm) and false negatives (a worm without an alarm)
- Robustness: work well for various worms with different propagation characteristics

4 Introduction
- Motivation: propose a detection method that meets the above requirements
- Method: monitor unused IP addresses; the traffic they receive is unsolicited; use the unsolicited packets as input to the worm detection algorithm
- Result: a two-stage algorithm; stage 1: CUSUM counting; stage 2: exponential detector

5 Unsolicited traffic
- Subnets usually have many unused IP addresses
- Bell Labs uses these unused addresses as a network telescope
- Unsolicited packet: a packet sent to one of the unused IP addresses
- Used as input: the arrival process of unsolicited packets, and the arrival of new sources that send these packets

6 Unsolicited packets vs. sources
- Stream of all unsolicited packets: the "scan" count
- t-sample stream: the stream of unsolicited packets from external sources that have not been observed in the previous t seconds: the "scanner" count
- Inter-arrival time

7 Unsolicited packets vs. sources - Inter-arrival time

8 Effect of worms: without worms, the inter-arrival time should be exponentially distributed (Poisson arrivals)

9 Algorithm
- Change Detection
- Maximum Likelihood Inference of Worm Propagation Rate
- Complete Algorithm

10 Change Detection using CUSUM
- S_n: the CUSUM statistic
- X_n = T_n − T_{n−1}: the inter-arrival time
- When S_n exceeds a threshold h, stage 2 is triggered
- If the mean of X_n shifts from μ to something smaller than μ − pμ at sample n_w, then S_n will tend to accumulate positive increments after n_w and thus eventually cross the threshold h and signal a change

11 Maximum Likelihood Inference
- A fresh-scanner arrival can be modeled as a non-stationary Poisson process
- Consider the "background" traffic and simply assume that the worm starts at 0 (t_w = 0)
- T_{n0}: the most recent time at which S_i > 0 (before the CUSUM signal)
- T_j = T_{n0+j} − T_{n0}: inter-arrival time relative to n_0
- We can observe only T_1, …, T_n relative to n_0 instead of the original T_1, …, T_n

12

13

14

15 The test statistic is normally distributed with mean 0 and variance 1 [20] under the null hypothesis r = r_0
- r_0: the maximal propagation rate that can be ignored
- Purpose of the 2nd stage: test whether r is abnormally large

16 Complete Worm Detection Algorithm
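The two stages outlined on slides 10 to 16, as an added worked example in Python; this is not code from the paper or from the presentation. The transcript does not give the paper's exact CUSUM recursion, intensity model or test statistic, so the forms used here are assumptions: the CUSUM increment (1 − p/2) − X_n/μ, a fresh-scanner intensity a·e^{rt} after the restart point, a grid-search maximum-likelihood estimate of r, and a signed likelihood-root statistic (approximately N(0,1) under r = r_0) standing in for the statistic on slide 15. The restart point n_0 is taken as the last sample at which the CUSUM sat at zero. All arrival times are constructed inside the block, not measured data.

```python
"""Two-stage worm detector on fresh-scanner inter-arrival times (added example).

Stage 1: CUSUM on X_n = T_n - T_{n-1} that accumulates once the mean
inter-arrival time drops below mu - p*mu.  Stage 2: maximum-likelihood
estimate of the growth rate r of the fresh-scanner intensity after the
CUSUM restart point n_0, tested against a tolerable rate r_0.
The CUSUM increment, the intensity model and the test statistic are
assumptions made for this example, not the paper's exact formulas.
"""
import math


def cusum_stage1(inter_arrivals, mu, p, h):
    """Assumed recursion: S_n = max(0, S_{n-1} + (1 - p/2) - X_n/mu).

    The increment has mean -p/2 while E[X_n] = mu and becomes positive once
    E[X_n] < mu - p*mu, so a burst of fresh scanners drives S_n over h.
    Returns (n, n0): n is the 1-based sample at which S_n first exceeds h,
    n0 the last sample before it at which S was zero (the restart point
    used as the time origin for stage 2); (None, None) if never crossed.
    """
    s, n0 = 0.0, 0
    for n, x in enumerate(inter_arrivals, start=1):
        s = max(0.0, s + (1.0 - p / 2.0) - x / mu)
        if s == 0.0:
            n0 = n
        elif s > h:
            return n, n0
    return None, None


def profile_loglik(rel_times, horizon, r):
    """Profile log-likelihood of r for a non-stationary Poisson process with
    intensity a*exp(r*t) observed on (0, horizon], with a maximised out.
    For fixed r the MLE of a is n*r/(exp(r*horizon) - 1); it makes the
    integrated intensity equal n, leaving n*log(a) + r*sum(t_i) - n."""
    n = len(rel_times)
    if abs(r) < 1e-12:                      # stationary limit: a = n/horizon
        return n * math.log(n / horizon) - n
    a = n * r / math.expm1(r * horizon)
    return n * math.log(a) + r * sum(rel_times) - n


def mle_growth_rate(rel_times, horizon, r_grid):
    """Grid-search MLE of r (the profile likelihood is concave in r)."""
    return max(r_grid, key=lambda r: profile_loglik(rel_times, horizon, r))


def signed_lr_stat(rel_times, horizon, r_hat, r0):
    """Signed likelihood-root statistic for H0: r = r0 vs r > r0; approximately
    N(0, 1) under H0.  Large positive values mean r is abnormally large."""
    lr = 2.0 * (profile_loglik(rel_times, horizon, r_hat)
                - profile_loglik(rel_times, horizon, r0))
    return math.copysign(math.sqrt(max(lr, 0.0)), r_hat - r0)


def detect_worm(arrival_times, mu, p, h, r0, r_grid, z_alpha=2.33):
    """Complete detector over the first-seen times of fresh scanners."""
    x = [b - a for a, b in zip(arrival_times, arrival_times[1:])]   # X_n
    sig, n0 = cusum_stage1(x, mu, p, h)
    if sig is None:
        return {"cusum_signal": None, "worm": False}
    t0 = arrival_times[n0]
    rel = [t - t0 for t in arrival_times[n0 + 1:sig + 1]]   # T_j relative to T_{n0}
    horizon = rel[-1]
    r_hat = mle_growth_rate(rel, horizon, r_grid)
    z = signed_lr_stat(rel, horizon, r_hat, r0)
    return {"cusum_signal": sig, "n0": n0, "r_hat": r_hat, "z": z, "worm": z > z_alpha}


def constructed_arrivals(n_background, mu, r, n_worm):
    """Constructed (not measured) first-seen times: n_background arrivals spaced
    exactly mu apart, then n_worm arrivals at the j-th unit of integrated
    intensity of a*exp(r*t) with a = 1/mu, i.e. t_j = log(1 + j*r/a)/r."""
    times = [k * mu for k in range(n_background + 1)]
    t_last, a = times[-1], 1.0 / mu
    times += [t_last + math.log1p(j * r / a) / r for j in range(1, n_worm + 1)]
    return times


R_GRID = [round(-1.0 + 0.02 * k, 2) for k in range(251)]   # candidate rates -1..4

if __name__ == "__main__":
    quiet = constructed_arrivals(40, 1.0, 2.0, 0)     # background only
    worm = constructed_arrivals(20, 1.0, 2.0, 30)     # growth starts at t = 20
    for label, arrivals in (("background only", quiet), ("worm from t=20", worm)):
        print(label, detect_worm(arrivals, mu=1.0, p=0.5, h=10.0, r0=0.2, r_grid=R_GRID))
```

On the background-only input the CUSUM never leaves zero, so stage 2 is never invoked; on the worm input stage 1 fires a few samples after the growth starts and stage 2 rejects r = r_0. The parameters p, h and r_0 set the trade-off between detection delay and false signals that slide 23 lists as future work: a lower h fires sooner but hands more false CUSUM signals to the costlier MLE stage.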

17 Estimation #1 - Slammer

18 Estimation #2 - Witty

19 Estimation #3 - Nimda

20 Estimation #4 - Blaster

21 Estimation - Result

22 Conclusion
- Devised a fast and robust worm detection algorithm that needs no payload signatures
- Applied the algorithm to REAL data to demonstrate its effectiveness
- Future work: next page

23 Future work
- Evaluate at a variety of Internet locations
- Reduce computational complexity
- Reduce the false signal rate of the CUSUM stage so that the MLE computation is invoked less frequently
- Find new MLE algorithms

