1
Fast and Robust Worm Detection Algorithm
Tian Bu, Aiyou Chen, Scott Vander Wiel, Thomas Woo
bearhsu
2
Outline
- Introduction
- Algorithm Design
  - CUSUM
  - Maximum Likelihood Inference of Worm Propagation Rate
- Algorithm Evaluation
- Conclusion
3
Requirements of worm detection
- High speed: fast worms do their damage within minutes.
- Accuracy: avoid both false positives (an alarm with no worm) and false negatives (a worm with no alarm).
- Robustness: work well for a variety of worms with different propagation characteristics.
4
Introduction
- Motivation: propose a detection method that meets the above requirements.
- Method: monitor unused IP addresses; any traffic they receive is unsolicited; use the unsolicited packets as the input to the worm detection algorithm.
- Result: a two-stage algorithm. Stage 1: CUSUM change detection. Stage 2: exponential detector.
5
Unsolicited traffic
- Subnets usually have many unused IP addresses; Bell Labs uses these unused addresses as a network telescope.
- Unsolicited packet: a packet sent to one of the unused IP addresses.
- Two usable signals: the arrival process of unsolicited packets, and the arrival of new sources that send them.
6
Unsolicited packets vs. sources
- Stream of all unsolicited packets: the "scan" count.
- t-sample stream: the stream of unsolicited packets from external sources that have not been observed in the previous t seconds: the "scanner" count.
- The algorithm works on the inter-arrival times of the t-sample stream.
7
Unsolicited packets vs. sources: inter-arrival time (plot)
8
Effect of worms
- Without a worm, fresh scanners arrive as a Poisson process, so their inter-arrival times should be exponentially distributed.
- A worm raises the arrival rate of new scanners and therefore shortens the inter-arrival times.
9
Algorithm
- Change Detection
- Maximum Likelihood Inference of Worm Propagation Rate
- Complete Algorithm
10
Change Detection using CUSUM
- S_n: the CUSUM statistic.
- X_n = T_n − T_{n−1}: the inter-arrival time of fresh scanners.
- When S_n exceeds a threshold h, stage 2 is triggered.
- If the mean of X_n shifts from μ to something smaller than μ − pμ at sample n_w, then S_n tends to accumulate positive increments after n_w and thus eventually crosses the threshold h and signals a change.
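The following is an added example, not code from the slides or from the authors, showing the two pieces described so far together: the t-sample "fresh scanner" filter of slide 6 and the CUSUM stage of slide 10. The slides do not give the exact increment the paper uses; the form used here, S_n = max(0, S_{n-1} + (μ(1−p) − X_n)/μ), is an assumed standard one-sided CUSUM whose reference value μ(1−p) = μ − pμ matches the shift described on the slide (negative drift while E[X_n] = μ, positive drift once the mean drops below μ − pμ). The packet stream, the addresses (IETF documentation ranges), the constants μ, p, h, t and the function names are all constructed for the example.

```python
def fresh_scanner_times(packets, t_window):
    """Slide 6's t-sample stream: keep an unsolicited packet only if its source
    has not been observed in the previous t_window seconds.  Returns the arrival
    times T_0, T_1, ... of these fresh scanners.  packets: time-ordered (time, src)."""
    last_seen = {}
    times = []
    for ts, src in packets:
        prev = last_seen.get(src)
        if prev is None or ts - prev > t_window:
            times.append(ts)
        last_seen[src] = ts
    return times


def cusum_detect(times, mu, p, h):
    """One-sided CUSUM on inter-arrival times X_n = T_n - T_{n-1} (slide 10).
    mu : mean inter-arrival time of fresh scanners in worm-free traffic
         (assumed estimated beforehand from a clean training window)
    p  : fraction of mu by which the mean must drop to count as a change
    h  : alarm threshold
    Assumed increment (not given on the slides): (mu*(1-p) - X_n)/mu.
    Returns the signalling index n, the index n0 of the last zero of S before the
    signal (start of the positive run) and the arrival times measured from T_{n0},
    which is what the second stage consumes; signal_index is None if h is never
    crossed."""
    k = mu * (1.0 - p)          # reference value mu - p*mu
    s = 0.0
    n0 = 0                      # most recent index at which S was 0
    for n in range(1, len(times)):
        x = times[n] - times[n - 1]
        s = max(0.0, s + (k - x) / mu)
        if s == 0.0:
            n0 = n
        elif s > h:
            rel = [times[n0 + j] - times[n0] for j in range(1, n - n0 + 1)]
            return {"signal_index": n, "n0": n0, "S": s, "relative_times": rel}
    return {"signal_index": None, "n0": n0, "S": s, "relative_times": []}


def build_sample_packets():
    """Constructed packet stream (time, source) standing in for a telescope capture.
    0-60 s: background probes, a new external source every 1.0 s on average
    (deterministic gaps); each source re-probes twice within 0.4 s, so the
    repeats are dropped by the t-window.  After 60 s: a worm, with a never-seen
    infected source hitting the telescope every 0.1 s.  Addresses come from the
    documentation ranges 198.51.100.0/24 and 203.0.113.0/24."""
    gaps = [1.3, 0.4, 1.2, 0.3, 1.6, 1.2]     # background gaps, mean 1.0 s
    pkts, t = [], 0.0
    for i in range(60):
        t += gaps[i % len(gaps)]
        src = "198.51.100.%d" % (i + 1)
        pkts.extend((t + 0.2 * rep, src) for rep in range(3))
    for j in range(60):
        t += 0.1
        pkts.append((t, "203.0.113.%d" % (j + 1)))
    pkts.sort()
    return pkts


if __name__ == "__main__":
    times = fresh_scanner_times(build_sample_packets(), t_window=10.0)
    print(cusum_detect(times, mu=1.0, p=0.5, h=3.9))
```

With μ = 1, p = 0.5 and h = 3.9 the background gaps push S_n up to at most 0.2 before it resets to 0, while each worm inter-arrival of 0.1 s adds 0.4, so the alarm fires on the tenth worm arrival and n_0 is the last background arrival.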
11
Maximum Likelihood Inference
- The arrival of fresh scanners can be modeled as a non-stationary Poisson process.
- Account for the "background" traffic and simply assume that the worm starts at time 0 (t_w = 0).
- n_0: the most recent index before the CUSUM signal at which S_i was 0 (the start of the run of positive increments); T_{n0} is its time.
- T̃_j = T_{n0+j} − T_{n0}: the time of the j-th arrival after n_0, measured relative to T_{n0}.
- We can observe only the relative times T̃_1, …, T̃_n, not the times T_1, …, T_n measured from the (unknown) start of the worm.
15
The second-stage test statistic is normally distributed with mean 0 and variance 1 [20] under the null hypothesis r = r_0.
- r_0: the maximal propagation rate that can be ignored.
- Purpose of the 2nd stage: test whether r is abnormally large.
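An added example of the second stage (slides 11 and 15), written for this page and not the authors' implementation: slides 12 to 14, which would carry the paper's likelihood, are not on this page, so the model below is an assumption. The fresh-scanner arrivals after n_0 are modelled as a non-stationary Poisson process whose intensity grows exponentially, λ(t) = a·e^{rt}, on the observation window [0, T] measured from T_{n0}; r is the worm propagation rate. The nuisance rate a is profiled out, r is found by maximising the profile log-likelihood (which is concave in r for this model), and the decision is a Wald test of r = r_0 against r > r_0, whose statistic is approximately N(0, 1) under the null for large samples. The arrival times are constructed (placed at their expected positions under the model rather than captured or simulated), and the function names, r_0 and the one-sided 1 % threshold are choices made for the example.

```python
import math


def expected_arrival_times(a, r, T):
    """Constructed, deterministic stand-in for observed fresh-scanner times on
    [0, T] under intensity lam(t) = a*exp(r*t): the i-th time is placed where the
    cumulative intensity reaches i - 1/2.  r = 0 is worm-free (homogeneous) traffic."""
    n = round(a * T if r == 0 else a * math.expm1(r * T) / r)
    if r == 0:
        return [(i - 0.5) / a for i in range(1, n + 1)]
    return [math.log1p(r * (i - 0.5) / a) / r for i in range(1, n + 1)]


def profile_loglik(r, times, T):
    """Poisson-process log-likelihood l(a, r) = n*log(a) + r*sum(t_i) - a*(exp(r*T)-1)/r
    for lam(t) = a*exp(r*t), with a replaced by its MLE a_hat(r) = n*r/(exp(r*T)-1)."""
    n = len(times)
    if abs(r) < 1e-9:                       # r -> 0 limit: homogeneous rate n/T
        a = n / T
        return n * math.log(a) + r * sum(times) - a * T
    a = n * r / math.expm1(r * T)
    return n * math.log(a) + r * sum(times) - a * math.expm1(r * T) / r


def mle_rate(times, T, r_lo=-2.0, r_hi=2.0):
    """Maximise the profile log-likelihood over r: coarse grid, then golden-section
    refinement inside the best grid cell (the profile is concave, so this is safe)."""
    step = (r_hi - r_lo) / 80
    grid = [r_lo + step * i for i in range(81)]
    best = max(grid, key=lambda r: profile_loglik(r, times, T))
    lo, hi = best - step, best + step
    phi = (math.sqrt(5) - 1) / 2
    c, d = hi - phi * (hi - lo), lo + phi * (hi - lo)
    while hi - lo > 1e-7:
        if profile_loglik(c, times, T) > profile_loglik(d, times, T):
            hi, d = d, c
            c = hi - phi * (hi - lo)
        else:
            lo, c = c, d
            d = lo + phi * (hi - lo)
    return (lo + hi) / 2


def worm_test(times, T, r0, z_alpha=2.326):
    """Stage 2: estimate r and test H0: r = r0 against r > r0 with a Wald statistic
    z = (r_hat - r0)/se, where se comes from the observed information -l''(r_hat)
    (numerical second derivative).  z is approximately N(0,1) under H0 for large n;
    z_alpha = 2.326 is the one-sided 1% normal quantile."""
    r_hat = mle_rate(times, T)
    h = 1e-3
    l2 = (profile_loglik(r_hat + h, times, T) - 2 * profile_loglik(r_hat, times, T)
          + profile_loglik(r_hat - h, times, T)) / (h * h)
    se = 1.0 / math.sqrt(-l2)
    z = (r_hat - r0) / se
    return {"r_hat": r_hat, "se": se, "z": z, "worm": z > z_alpha}


if __name__ == "__main__":
    # worm: rate 2/s at T_{n0} doubling every ~1.4 s; background: flat 5/s
    print(worm_test(expected_arrival_times(2.0, 0.5, 10.0), 10.0, r0=0.05))
    print(worm_test(expected_arrival_times(5.0, 0.0, 10.0), 10.0, r0=0.05))
```

For the exponentially growing input the estimate lands near r = 0.5 with a z-score far above the threshold; for the flat input the score equation is satisfied at r = 0, so r̂ is essentially zero and the test does not signal. The window length T and r_0 would in practice be set from the stage-1 trigger and from the fastest growth rate the operator is willing to ignore.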
16
Complete Worm Detection Algorithm
17
Estimation #1 - Slammer
18
Estimation #2 - Witty
19
Estimation #3 - Nimda
20
Estimation #4 - Blaster
21
Estimation - Result
22
Conclusion
- Devised a fast and robust worm detection algorithm that needs no payload signatures.
- Applied the algorithm to real captured data to demonstrate its effectiveness.
- Future work: next page.
23
Future work
- Evaluate at a variety of Internet locations.
- Reduce computational complexity.
- Reduce the false signal rate of the CUSUM so that the MLE computation is invoked less often.
- Find new MLE algorithms.