Is Host-Based Anomaly Detection + Temporal Correlation = Worm Causality?

Abstract

Epidemic-spreading attacks (e.g., worm and botnet propagation) have a natural notion of attack causality - a single network flow causes a victim host to get infected and subsequently spread the attack. This paper is motivated by a simple question regarding the diagnosis of such attacks - is it possible to establish attack causality through network-level monitoring, without relying on signatures and attack-specific properties? Using the observation that communication patterns of normal hosts are sparse, we posit the hypothesis that it is feasible to uncover attack causality through a combination of host-based anomaly detection and temporal correlation of network events. The contribution of this paper is a systematic exploration of this hypothesis over the spectrum of attack properties and system design options. Our analysis, trace-driven experiments, and real-prototype-based study suggest that it is feasible to establish attack causality accurately using anomaly detection and temporal event correlation in enterprise network environments with tens of thousands of hosts.

Document Details

Document Type
Technical Report
Publication Date
Mar 06, 2007
Accession Number
ADA465497

Entities

People

  • Hui Zhang
  • Michael Reiter
  • Vyas Sekar
  • Yinglian Xie

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Accuracy
  • Anomaly Detection
  • Change Detection
  • Computer Science
  • Databases
  • Detection
  • Detectors
  • Errors
  • Extraction
  • False Alarms
  • Feature Extraction
  • Infection
  • Intrusion Detection
  • Measurement
  • Networks
  • Warning Systems
  • Wound Infections

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Neural Network Machine Learning
  • Strategic Security Studies