earlyWarning-CCS03-speakdraft

Slide #1: Hi, my name is Cliff Zou. I will talk about our work on “monitoring and early warning for Internet worms”.

Slide #2: This paper tries to answer this question: how do we detect an unknown worm at the early stage of its propagation? If we can detect a worm early, we may have time to set up efficient counteractions before it is too late. First, we have to set up a monitoring system, which will monitor and collect worm scan traffic, such as connections to nonexistent IP addresses. However, monitored traffic is very noisy: some old worms can probe the same port; some hackers can use port-scanning toolkits to scan our monitors; or the monitored traffic can be caused by misconfigured routers or computers on the Internet. For the detection part, since the worms are unknown, we have to rely on anomaly detection. Currently, most anomaly detection techniques are threshold-based. That is to say, they check the monitored traffic for a burst, either a short-term burst or a long-term burst. If the burst is over their threshold, they raise an alarm. However, threshold-based anomaly detection systems usually have a high false alarm rate, and their threshold is very hard to adjust.

Slide #3: Therefore, in this paper we propose a very different approach, a non-threshold-based worm detection method. We call it “trend detection”; the detection principle is: detect the traffic trend, not the burst. We believe a worm propagates exponentially at the beginning, so the trend means the exponential growth trend of a worm. For detection, we use an on-line recursive estimation algorithm to estimate the exponential rate \alpha of this trend. If the estimated exponential rate is a positive, constant value, we believe we have detected a worm; otherwise, the monitored traffic is just some noise burst. These two figures show the monitored illegitimate traffic in two situations. They can be the number of packets, or the number of connections, that we observe in each unit of time. They would cause a threshold-based detection system to give alarms if the threshold were below this value in this figure and below this value in this figure. However, we think that they are just noise, not caused by a worm, because they do not have the exponentially increasing trend. From our estimation point of view, the estimated value is either 0 or oscillating around 0.
(click) On the other hand, this figure shows the monitored traffic in another case. It has an exponential growth trend, and the estimated value is a positive constant. So we believe this incident is caused by a worm. You can think of “trend detection” as a transformation similar to the Fourier transform: trend detection transforms the original problem in this domain (the three figures above) into the “trend domain” (the three estimation figures at the bottom). In this trend domain, worm detection becomes much easier.
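The following is an added illustration of the trend-detection idea from Slide #3, not code from the talk or the paper. It assumes a simple discrete model (my assumption, not the paper's estimator): per-unit-time monitored scan counts Z_t grow as Z_t ≈ β·Z_{t-1}, so α = ln β. A scalar recursive least-squares estimator updates β after every observation, and the decision rule flags a worm only when the last estimates of α are all positive and nearly constant. Both input series are constructed: a clean exponential trend and a short noise burst of the kind described on the slide.

```python
import math

# Constructed sample data (not measurements from the paper).
# WORM_SERIES: Z_t = 10 * e^(0.1 t), an exponential growth trend.
WORM_SERIES = [10.0 * math.exp(0.1 * t) for t in range(40)]
# BURST_SERIES: quiet background, a sharp burst, then quiet again.
BURST_SERIES = [5.0] * 10 + [50.0, 150.0, 300.0, 200.0, 80.0, 20.0] + [5.0] * 10


def rls_growth_rate(series, forgetting=1.0):
    """Recursively estimate beta in Z_t ~= beta * Z_{t-1} with scalar RLS.

    Returns one estimate alpha_t = ln(beta_t) per observation, i.e. the
    estimated exponential rate after each new traffic sample arrives.
    `forgetting` < 1 weights recent samples more heavily (1.0 = plain RLS).
    """
    p = 1e6        # large initial covariance: no prior knowledge of beta
    beta = 1.0     # start from "no growth"
    alphas = []
    for prev, cur in zip(series, series[1:]):
        if prev <= 0:          # cannot estimate a ratio from zero traffic
            alphas.append(0.0)
            continue
        # Standard scalar RLS update: gain, parameter correction, covariance.
        gain = p * prev / (forgetting + prev * p * prev)
        beta = beta + gain * (cur - beta * prev)
        p = (p - gain * prev * p) / forgetting
        alphas.append(math.log(beta) if beta > 0 else 0.0)
    return alphas


def is_worm_trend(alphas, window=10, tol=0.05):
    """Decision rule from the slide: alarm only when the recent estimates of
    alpha are all positive and stable (relative spread below `tol`)."""
    tail = alphas[-window:]
    if len(tail) < window or min(tail) <= 0.0:
        return False
    return (max(tail) - min(tail)) / max(tail) < tol


if __name__ == "__main__":
    for name, series in (("worm", WORM_SERIES), ("burst", BURST_SERIES)):
        est = rls_growth_rate(series)
        print(f"{name}: final alpha={est[-1]:+.4f} worm={is_worm_trend(est)}")
```

For the exponential series the estimate settles at α ≈ 0.10 and stays there; the burst drives the estimate up and then below zero, so the rule does not alarm even though the burst peak is far above any plausible fixed threshold.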