Developing Collaborative Profiles of Attackers: A Longitudinal Study
Abstract
We implemented a new content anomaly detector, Anagram, which models a mixture of high-order n-grams (n > 1) designed to detect anomalous and "suspicious" network packet payloads. For both Anagram and the previously developed anomaly detector, Payl, we explored possible ways in which payload-based correlation can be applied, so that the alerts generated by both sensors can be included in our "collaborative security" infrastructure, called Worminator. Worminator is designed to exchange information securely, privately and in real time between sites in order to reveal an accurate view of external threats, especially stealthy ones. To address the need for efficient alert correlation, we introduced the notion of network scheduling: the controllable formation and dissolution of relationships between nodes and groups of nodes in a network. Our network scheduling mechanism is a procedure for coordinating the exchange of information between the members of a correlation group. The mechanism is controlled by a dynamic and parameterizable correlation schedule. We performed a longitudinal study designed to demonstrate the proposed Worminator hypothesis, that collaborative intrusion detection enables detection not only of worm spread but also of scanning behavior as a precursor to an attack. There are three key longitudes for analysis: over time, over geographical and network space, and by target.
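To make the high-order n-gram payload modelling described in the abstract concrete, the following added example (not code from the report or its authors) trains a simplified Anagram-style detector on constructed benign HTTP requests and scores new payloads by the fraction of their n-grams never seen in training. The training set, test payloads, n = 5 and the 0.5 alert threshold are all assumptions chosen for illustration.

```python
from typing import Iterable, Set

def ngrams(payload: bytes, n: int) -> Iterable[bytes]:
    """Yield every contiguous n-byte slice of a packet payload."""
    for i in range(len(payload) - n + 1):
        yield payload[i:i + n]

class NgramPayloadModel:
    """Simplified Anagram-style content anomaly detector (illustration only).
    Training records every high-order n-gram seen in benign payloads; a new
    payload is scored by the fraction of its n-grams never seen in training.
    A Python set stands in for the Bloom filter a real sensor would use."""
    def __init__(self, n: int = 5) -> None:
        self.n = n
        self.seen: Set[bytes] = set()

    def train(self, payloads: Iterable[bytes]) -> None:
        for p in payloads:
            self.seen.update(ngrams(p, self.n))

    def score(self, payload: bytes) -> float:
        grams = list(ngrams(payload, self.n))
        if not grams:  # payload shorter than n bytes: nothing to judge
            return 0.0
        unseen = sum(1 for g in grams if g not in self.seen)
        return unseen / len(grams)

    def is_suspicious(self, payload: bytes, threshold: float = 0.5) -> bool:
        """Flag payloads whose unseen-n-gram fraction exceeds the threshold."""
        return self.score(payload) > threshold

# Constructed sample traffic (not captured data): benign HTTP requests.
BENIGN_TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]
# Constructed test payloads: a normal request with a new path, and one
# carrying a run of high, non-text bytes where a path belongs.
NEW_PATH_REQUEST = b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ODD_REQUEST = b"GET /" + bytes(range(0x80, 0xA8)) + b" HTTP/1.1\r\n"

def build_model(n: int = 5) -> NgramPayloadModel:
    model = NgramPayloadModel(n)
    model.train(BENIGN_TRAINING)
    return model

if __name__ == "__main__":
    m = build_model()
    for p in (BENIGN_TRAINING[0], NEW_PATH_REQUEST, ODD_REQUEST):
        print(f"score={m.score(p):.2f} suspicious={m.is_suspicious(p)} {p[:16]!r}")
```

A request that merely visits an unseen path scores low (only the n-grams spanning the new path name are novel), while the payload of unseen high bytes scores above 0.8; in practice the threshold would be tuned against the false-positive rate on the site's own traffic.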
Document Details
- Document Type: Technical Report
- Publication Date: May 04, 2007
- Accession Number: ADA482434
Entities
People
- Janak Parekh
- Michael Locasto
- Salvatore Stolfo
Organizations
- Columbia University