MINDS - Minnesota Intrusion Detection System
Another paper on traditional IDS technologies and how they can be used to detect worm activity.
This paper introduces the Minnesota Intrusion Detection System (MINDS), which uses a suite of data mining techniques to automatically detect attacks against computer networks and systems. While the long-term objective of MINDS is to address all aspects of intrusion detection, this paper focuses on two specific contributions: (i) an unsupervised anomaly detection technique that assigns a score to each network connection that reflects how anomalous the connection is, and (ii) an association pattern analysis based module that summarizes those network connections that are ranked highly anomalous by the anomaly detection module. Experimental results on live network traffic at the University of Minnesota show that our anomaly detection techniques are very promising and are successful in automatically detecting several novel intrusions that could not be identified using popular signature-based tools such as SNORT. Furthermore, given the very high volume of connections observed per unit time, association pattern based summarization of novel attacks is quite useful in enabling a security analyst to understand and characterize emerging threats.
Source: MINDS - Minnesota Intrusion Detection System, Levent Ertöz, Eric Eilertson, Aleksandar Lazarevic, Pang-Ning Tan, Vipin Kumar, Jaideep Srivastava, Paul Dokas.
This paper covers how they used MINDS to detect various worm instances on a large network. What is interesting is how they did it: essentially a behavior-based approach that monitors the in- and out-degree of network nodes. When a host's out-degree surges above its expected level, that is often a sign of an infected host attempting to propagate to other hosts, and every host it scans sees its own in-degree rise in turn.
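As an added example (not code from the paper or from this post), the degree heuristic described above carried out over a window of constructed connection records: each host's out-degree is the number of distinct destinations it contacted, each host's in-degree the number of distinct sources that contacted it, and a host is flagged when its out-degree exceeds an assumed per-host baseline by an assumed factor. The baseline values, the factor and the minimum-degree threshold are assumptions, not parameters from MINDS.

```python
from collections import defaultdict

# Constructed sample window of (source, destination) connection records.
# 10.0.0.7 is built to behave like a propagating host: 16 distinct targets.
# The remaining records are ordinary fan-out between a few hosts.
SAMPLE_CONNECTIONS = [
    ("10.0.0.2", "10.0.0.9"), ("10.0.0.2", "10.0.0.9"), ("10.0.0.2", "10.0.0.10"),
    ("10.0.0.3", "10.0.0.9"), ("10.0.0.3", "10.0.0.11"), ("10.0.0.3", "10.0.0.12"),
    ("10.0.0.9", "10.0.0.2"),
] + [("10.0.0.7", f"10.0.0.{i}") for i in range(20, 36)]

# Assumed per-host baseline out-degree learned from earlier, quiet windows.
BASELINE_OUT_DEGREE = {"10.0.0.2": 2, "10.0.0.3": 3, "10.0.0.7": 2, "10.0.0.9": 1}


def degree_counts(connections):
    """Return (out_degree, in_degree): distinct peers per host in the window."""
    out_peers = defaultdict(set)
    in_peers = defaultdict(set)
    for src, dst in connections:
        out_peers[src].add(dst)
        in_peers[dst].add(src)
    out_degree = {host: len(peers) for host, peers in out_peers.items()}
    in_degree = {host: len(peers) for host, peers in in_peers.items()}
    return out_degree, in_degree


def flag_scanners(connections, baseline, factor=4, min_degree=5):
    """Flag hosts whose out-degree is >= factor * baseline (hosts with no
    baseline are compared against 1) and at least min_degree, so a host that
    merely talks to one extra peer is not reported. Returns {host: out_degree}."""
    out_degree, _ = degree_counts(connections)
    flagged = {}
    for host, degree in out_degree.items():
        expected = max(baseline.get(host, 0), 1)
        if degree >= min_degree and degree >= factor * expected:
            flagged[host] = degree
    return flagged


def targets_of(connections, host):
    """Distinct hosts contacted by `host`; these are the ones whose in-degree
    rises because of it, which is what an analyst would want to review next."""
    return sorted({dst for src, dst in connections if src == host})


if __name__ == "__main__":
    for host, degree in flag_scanners(SAMPLE_CONNECTIONS, BASELINE_OUT_DEGREE).items():
        print(f"{host}: out-degree {degree}, targets {targets_of(SAMPLE_CONNECTIONS, host)}")
```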
January 23, 2005 in papers