Seminar on Computational Learning and Adaptation


Distributed Detection and Inference:
An adaptive anomaly detector for worm detection

John Mark Agosta
Machine Learning Group
Intel Research

Abstract:

We present a worm traffic detector that monitors an end-host's
out-going traffic, in a way that is suitable for integration into a
larger distributed intrusion detection system. Conventional
centralized systems observe traffic at central points and have limited
visibility into network traffic and host machine state, as well as
limited resources that they can bring to detection. A distributed
system that incorporates the end-host detector that we present is not
constrained by these limitations, and additionally can accommodate
variations across machine behavior. We explore the idea of such
adaptive end-host detectors, where a classifier trained as a traffic
predictor is used to customize the host's worm detection threshold as
a function of time. Using real traffic traces collected from a number
of end-hosts and superimposing a worm against this traffic, we show
that a rudimentary predictor and threshold adaptation model
considerably improve anomaly detection. We show that measures of the
traffic predictor's error rate, the reduction in the "threshold gap,"
and the ability to detect the simulated threat strongly agree.

Based on joint work with Carlos Diuk-Wasser, CS Department,
Rutgers University, and Jaideep Chandrashekar and Carl Livadas,
Intel Research.
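The abstract's idea, a per-host threshold that follows a traffic predictor rather than a single fixed level, as an added illustration that is not the authors' code: the predictor (per-hour mean and deviation of three constructed clean days), the margin parameters K and FLOOR, the superimposed worm rate and all traces are assumptions, and the "threshold gap" is computed as the mean headroom between threshold and benign traffic.

```python
from statistics import mean, pstdev

# Constructed hourly profile of new outbound connections for one host:
# quiet at night, busy in working hours (assumed, not measured data).
PROFILE = [2, 3, 2, 4, 3, 5, 12, 15, 14, 16, 13, 15,
           14, 16, 15, 13, 6, 4, 3, 2, 2, 3, 2, 3]
# Three past clean days, deviating more in busy slots: the training data.
HISTORY = [PROFILE,
           [p + 1 + p // 8 for p in PROFILE],
           [p - 1 - p // 8 for p in PROFILE]]
# Test day: normal load plus a scanning worm superimposed on the quiet
# slots 20-23; the combined count never reaches the daytime peak.
WORM_SLOTS, WORM_RATE = range(20, 24), 9
TEST_DAY = [p + (WORM_RATE if i in WORM_SLOTS else 0)
            for i, p in enumerate(PROFILE)]
TEST_DAY[7] += 1; TEST_DAY[12] += 1; TEST_DAY[3] -= 1   # benign jitter
K, FLOOR = 3.0, 3.0   # assumed margin: K per-slot deviations, at least FLOOR

def adaptive_thresholds(history, k=K, floor=FLOOR):
    # Predictor: per-slot mean of past days; the margin grows with that
    # slot's past variability, so the threshold follows the daily cycle.
    return [mean(s) + max(k * pstdev(s), floor) for s in zip(*history)]

def static_threshold(history, floor=FLOOR):
    # One threshold for the whole day, above the busiest slot ever seen.
    return max(max(day) for day in history) + floor

def detect(trace, thresholds):
    # Slots whose observed count exceeds that slot's threshold.
    return [i for i, (x, t) in enumerate(zip(trace, thresholds)) if x > t]

def threshold_gap(trace, thresholds, exclude=WORM_SLOTS):
    # Mean headroom between threshold and benign traffic: the slack a
    # worm can hide under. Smaller means a tighter detector.
    return mean(t - x for i, (x, t) in enumerate(zip(trace, thresholds))
                if i not in exclude)

def compare(history=HISTORY, trace=TEST_DAY):
    adaptive = adaptive_thresholds(history)
    static = [static_threshold(history)] * len(trace)
    return {"adaptive_alarms": detect(trace, adaptive),
            "static_alarms": detect(trace, static),
            "adaptive_gap": threshold_gap(trace, adaptive),
            "static_gap": threshold_gap(trace, static)}

if __name__ == "__main__":
    print(compare())
```

On this constructed day the fixed threshold, set high enough to stay silent at the daytime peak, never fires on the night-time worm, while the time-aware threshold flags exactly the worm slots with roughly a third of the headroom.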


Date: Fri., April 6th

Time: 4:15-5:30PM

Place: Cordura 100

