A Distributed Host-Based Worm Detection System
I've posted papers describing the approach of using collaborative host-based detection tools for worm outbreaks previously. This is some more research from Cheetancheri on the subject.

We present a method for detecting large-scale worm attacks using only end-host detectors. These detectors propagate and aggregate alerts to cooperating partners to detect large-scale distributed attacks in progress. The properties of the host-based detectors may in fact be relatively poor in isolation, but when taken collectively they result in a high-quality distributed worm detector. We implement a cooperative alert sharing protocol coupled with distributed sequential hypothesis testing to generate global alarms about distributed attacks. We evaluate the system's response in the presence of a variety of false alarm conditions and in the presence of an Internet worm attack. Our evaluation is conducted with agents on the Emulab and DETER emulated testbeds using real operating systems and computing platforms.

Source: A Distributed Host-Based Worm Detection System. Senthilkumar G. Cheetancheri, John Mark Agosta, Denver H. Dash, Karl N. Levitt, Jeff Rowe, Eve M. Schooler, Proceedings of the ACM SIGCOMM Workshop on Large Scale Attack Defense (LSAD06).
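The abstract's central claim is that individually weak host detectors become a strong detector once their alerts are aggregated with a sequential hypothesis test. The following example is added here to illustrate that mechanism; it is not code from the paper or from the blog. It assumes the test is Wald's sequential probability ratio test (SPRT) over a stream of yes/no alerts shared by cooperating hosts, with made-up per-host alert probabilities (60% under a worm, 20% in normal operation) and a constructed rule that each host contributes at most one observation, so that a single noisy host cannot drive the global alarm on its own.

```python
import math
from dataclasses import dataclass


@dataclass
class SPRTConfig:
    # Assumed per-host detector quality: deliberately poor in isolation.
    p_alert_worm: float = 0.6     # P(host alerts | worm active)   -- hypothesis H1
    p_alert_benign: float = 0.2   # P(host alerts | no worm)       -- hypothesis H0
    alpha: float = 0.01           # tolerated global false-alarm probability
    beta: float = 0.01            # tolerated global missed-detection probability


def thresholds(cfg: SPRTConfig):
    """Wald's approximate decision thresholds on the log-likelihood ratio."""
    upper = math.log((1 - cfg.beta) / cfg.alpha)   # cross this -> accept H1 (worm)
    lower = math.log(cfg.beta / (1 - cfg.alpha))   # cross this -> accept H0 (benign)
    return lower, upper


def llr_step(alert: bool, cfg: SPRTConfig) -> float:
    """Log-likelihood contribution of one host's alert / no-alert observation."""
    if alert:
        return math.log(cfg.p_alert_worm / cfg.p_alert_benign)
    return math.log((1 - cfg.p_alert_worm) / (1 - cfg.p_alert_benign))


def sprt(observations, cfg: SPRTConfig):
    """Run the SPRT over shared alerts.

    Returns (decision, observations_consumed, final_llr), where decision is
    "worm", "benign" or "undecided" (ran out of observations before a threshold).
    """
    lower, upper = thresholds(cfg)
    llr = 0.0
    for n, alert in enumerate(observations, start=1):
        llr += llr_step(alert, cfg)
        if llr >= upper:
            return "worm", n, llr
        if llr <= lower:
            return "benign", n, llr
    return "undecided", len(observations), llr


def collect_observations(messages):
    """Constructed alert-sharing rule (an assumption, not the paper's protocol):
    messages are (host_id, alert) pairs received from cooperating hosts; only the
    latest message per host counts, so a host repeating its alert cannot inflate
    the evidence. Hosts are ordered by first appearance."""
    latest = {}
    for host_id, alert in messages:
        latest[host_id] = bool(alert)
    return list(latest.values())


if __name__ == "__main__":
    cfg = SPRTConfig()
    # Constructed worm-phase stream: about 6 in 10 hosts alert.
    worm_stream = [True, True, False, True, True, False, True, True, False, True]
    # Constructed benign stream: about 2 in 10 hosts alert (the noise floor).
    benign_stream = [False, False, True, False, False, False, False, True,
                     False, False, False, False, True, False, False]
    # Constructed false-alarm condition: one host floods alerts, two others are quiet.
    noisy = [("h1", True)] * 10 + [("h2", False), ("h3", False)]

    print("worm   :", sprt(worm_stream, cfg))
    print("benign :", sprt(benign_stream, cfg))
    print("noisy  :", sprt(collect_observations(noisy), cfg))
```

With these parameters the worm-phase stream crosses the upper threshold after eight shared observations, the benign stream is dismissed after twelve, and the flooding host contributes only a single observation, leaving the test undecided rather than raising a global alarm. Lowering alpha or beta widens the thresholds and costs more observations per decision, which is the trade-off a deployment of such a detector has to tune.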
September 8, 2006 in detection, modeling, papers