Robust Reactions to Potential Day-Zero Worms through Cooperation and Validation
While I'm back from VB, I've also been very busy with work, so posts here slipped a bit.

The COVERAGE algorithm outlined here seems like a decent first step at solving a very knotty problem. This is worth reading if you've given thought to a cooperative IDS system, or even if you just want to look at a specific subset of data correlation across multiple devices.
Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed defensive systems allow detectors to be more conservative (i.e. paranoid) about potential attacks because they manage false alarms efficiently.

In this paper we begin a preliminary investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.

Source: Robust Reactions to Potential Day-Zero Worms through Cooperation and Validation, K. Anagnostakis, S. Ioannidis, A. D. Keromytis, and M. B. Greenwald.
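To make the abstract's false-alarm argument concrete, here is a small added model (my illustration, not the paper's COVERAGE algorithm; the node count, per-node alarm rates and the k-of-n agreement rule are constructed assumptions): every node runs a deliberately paranoid local test, and the distributed system only declares an attack when at least k of n cooperating nodes report an alarm in the same epoch.

```python
"""Why distributed validation lets local worm detectors be 'paranoid'.

Added illustration of the abstract's tradeoff, not the paper's algorithm.
Assumptions (constructed): n cooperating nodes, each running the same local
test; local alarms in a given epoch are independent across nodes; an attack
is declared only when at least k of the n nodes alarm in that epoch.
"""
from math import comb


def at_least_k_of_n(n, k, p):
    """Probability that at least k of n independent trials, each succeeding
    with probability p, succeed (binomial upper tail)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def evaluate(n, k, fp, tp):
    """System-level behaviour of the k-of-n rule.

    fp: per-node probability of a local false alarm in a quiet epoch
    tp: per-node probability of a local alarm while a worm is spreading
    Returns (system_false_alarm_rate, system_detection_probability).
    With k > 1 a single misbehaving participant cannot trigger a response
    on its own, which is the robustness property the abstract points at.
    """
    return at_least_k_of_n(n, k, fp), at_least_k_of_n(n, k, tp)


def compare(fp, tp, n, k):
    """A standalone node (acts on its own alarm) versus k-of-n validation."""
    return {"standalone": evaluate(1, 1, fp, tp),
            "distributed": evaluate(n, k, fp, tp)}


def smallest_threshold(n, fp, max_false_alarm):
    """Smallest k whose system false-alarm rate fits the budget, or None if
    even unanimous agreement (k = n) would exceed it. Raising k cuts false
    alarms but also raises the number of nodes that must see the worm
    before the system reacts, so k trades speed for quiet."""
    for k in range(1, n + 1):
        if at_least_k_of_n(n, k, fp) <= max_false_alarm:
            return k
    return None


if __name__ == "__main__":
    # Constructed rates: a paranoid local test misfires 10% of quiet epochs.
    for name, (fa, det) in compare(fp=0.10, tp=0.90, n=10, k=4).items():
        print(f"{name:12s} false alarms/epoch={fa:.4f} detection={det:.5f}")
    print("smallest k for <=2% false alarms:", smallest_threshold(10, 0.10, 0.02))
```

The independence assumption is the caveat to watch: a benign event seen by many nodes at once (a flash crowd, a scanner sweep) produces correlated local alarms, and the k-of-n rule then suppresses far less than the binomial figure suggests.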
October 23, 2006 in detection, papers
Comments
Search-and-destroy Antispyware.
Have you ever tried Search-and-destroy Antispyware? If you answered no, then you should give it a try. Over the years I have used many different types of antispyware and this is one of the best that I have ever tried. I was surprised and delighted to find that I could purchase it for a lower price than I could buy Norton and other similar scans that produce the same results. That makes it even better. Antispyware solution from Search-and-destroy can find the same kinds of bugs as these more expensive programs and is easy to get. Just click here http://www.Search-and-destroy.com and you can see how well it really works for yourself.
Posted by: Chezy | May 9, 2009 5:02:30 AM