Abstract
An epidemic is malicious code running on a subset of a community, where a community is a homogeneous set of instances of an application. Syzygy is an epidemic detection framework that looks for time-correlated anomalies, i.e., divergence from a model of dynamic behavior occurring on many community members at the same time. We show mathematically and experimentally that, by leveraging the statistical properties of a large community, Syzygy can detect epidemics even under adverse conditions, such as when an exploit employs both mimicry and polymorphism. This work provides a mathematical basis for Syzygy, describes our implementation, and tests the approach with a variety of exploits on commodity server and desktop applications to demonstrate its effectiveness.
This work was supported in part by NSF grants CCF-0915766 and CNS-050955, and by the DOE High-Performance Computer Science Fellowship.
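The statistical point in the abstract, that a large community lets a detector catch per-instance deviations far too small to flag on any single host, can be seen in a small simulation. The following is an added example, not the Syzygy implementation or any code from the paper. It assumes a simplified model: every client emits one anomaly score per epoch measuring divergence from its own model of normal dynamic behavior; under the null hypothesis those scores are i.i.d. with known mean `mu` and standard deviation `sigma`; the community score is the plain mean of the client scores; and the per-client data (`simulate_community`) is constructed with a Gaussian generator. The functions `community_threshold`, `community_alarms`, `per_client_alarm_rate` and `simulate_community` and all parameter values are this example's own choices.

```python
# Added illustration of community-level detection of time-correlated anomalies.
# Not the paper's code. Assumptions: (1) each client reports one anomaly score
# per epoch (divergence from its own behavioral model); (2) under the null
# hypothesis scores are i.i.d. with mean mu and std sigma; (3) the community
# score is the mean over clients, whose std is therefore sigma / sqrt(n).
import math
import random
from statistics import mean


def community_threshold(mu: float, sigma: float, n: int, k: float = 4.0) -> float:
    """Threshold on the community mean with the same false-alarm probability
    as a per-client threshold of mu + k*sigma: averaging n i.i.d. scores
    shrinks the null standard deviation to sigma / sqrt(n)."""
    return mu + k * sigma / math.sqrt(n)


def community_alarms(epochs, mu, sigma, k=4.0):
    """Indices of epochs whose community score (mean over all clients)
    exceeds the community threshold. A time-correlated shift across many
    clients moves this mean even when no single score looks anomalous."""
    n = len(epochs[0])
    thr = community_threshold(mu, sigma, n, k)
    return [t for t, scores in enumerate(epochs) if mean(scores) > thr]


def per_client_alarm_rate(epochs, mu, sigma, k=4.0):
    """Fraction of (client, epoch) pairs whose individual score exceeds the
    per-client threshold mu + k*sigma: what an isolated host-based detector
    with the same false-alarm budget would report."""
    thr = mu + k * sigma
    total = sum(len(scores) for scores in epochs)
    fired = sum(1 for scores in epochs for s in scores if s > thr)
    return fired / total


def simulate_community(n_clients, n_epochs, outbreak_epoch, infected_fraction,
                       shift, mu=1.0, sigma=0.5, seed=7):
    """Constructed sample data (not measurements from the paper): per-client
    anomaly scores for each epoch. From outbreak_epoch onward a fraction of
    clients runs malicious code that adds a small mean shift, well inside the
    per-client normal band (mimicry). To stand in for polymorphism, each
    infected client gets its own shift in [0.5*shift, 1.5*shift], so infected
    clients do not look alike; only the timing of the shift is shared."""
    rng = random.Random(seed)
    n_infected = int(n_clients * infected_fraction)
    client_shift = [rng.uniform(0.5 * shift, 1.5 * shift) for _ in range(n_infected)]
    epochs = []
    for t in range(n_epochs):
        scores = []
        for c in range(n_clients):
            s = rng.gauss(mu, sigma)
            if t >= outbreak_epoch and c < n_infected:
                s += client_shift[c]
            scores.append(s)
        epochs.append(scores)
    return epochs


if __name__ == "__main__":
    MU, SIGMA = 1.0, 0.5
    # 1000 clients, outbreak at epoch 10 hitting half of them with a mean
    # shift of only 0.6 sigma per client (per-client threshold sits at 4 sigma).
    data = simulate_community(n_clients=1000, n_epochs=30, outbreak_epoch=10,
                              infected_fraction=0.5, shift=0.3, mu=MU, sigma=SIGMA)
    print("community threshold:", community_threshold(MU, SIGMA, 1000))
    print("community alarms at epochs:", community_alarms(data, MU, SIGMA))
    print("per-client alarm rate after outbreak: %.5f"
          % per_client_alarm_rate(data[10:], MU, SIGMA))
```

With these parameters the community mean shifts by about 0.15 after the outbreak while its null standard deviation is about 0.016, so every post-outbreak epoch trips the community threshold, whereas the per-client threshold of `mu + 4*sigma` fires on well under one percent of client-epochs. The caveat a practitioner should keep in mind is the i.i.d. assumption behind `sigma / sqrt(n)`: correlated benign events (a shared upgrade, a workload spike hitting every instance) also shift the community mean, so the false-alarm rate in practice depends on how well the per-client model absorbs such legitimate time-correlated changes.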
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Oliner, A.J., Kulkarni, A.V., Aiken, A. (2010). Community Epidemic Detection Using Time-Correlated Anomalies. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_19
DOI: https://doi.org/10.1007/978-3-642-15512-3_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15511-6
Online ISBN: 978-3-642-15512-3
eBook Packages: Computer Science (R0)