Community Epidemic Detection with Syzygy

Community Epidemic Detection with Syzygy

Cached

Download Links

by Adam J. Oliner , Ashutosh Kulkarni , Alex Aiken

BibTeX

@MISC{Oliner_communityepidemic,
    author = {Adam J. Oliner and Ashutosh Kulkarni and Alex Aiken},
    title = {Community Epidemic Detection with Syzygy},
    year = {}
}

Bookmark

OpenURL

Abstract

An epidemic is malicious code running on a subset of a community, a homogeneous set of instances of an application. Syzygy is an epidemic detection framework that looks for time-correlated anomalies, i.e., divergence from a model of dynamic behavior. We show mathematically and experimentally that, by leveraging the statistical properties of a large community, Syzygy is able to detect epidemics even under adverse conditions, such as when an exploit employs both mimicry and polymorphism. This work provides a mathematical basis for Syzygy, describes our particular implementation, and tests the approach on a variety of exploits and commodity desktop applications to demonstrate its effectiveness. 1.

Citations

677	Snort - lightweight intrusion detection for networks - Roesch - 1999
564	Bro: A system for detecting network intruders in real-time. Computer Networks - Paxson - 1999
457	A sense of self for unix processes - Forrest, Hofmeyr, et al. - 1996
314	event monitoring enabling responses to anomalous live disturbances - Porras, Neumann - 1997
261	B.: Autograph: Toward automated, distributed worm signature detection - Kim, Karp
245	Intrusion Detection Using Sequences of System Calls - Hofmeyr, Forrest, et al. - 1998
239	Automated worm fingerprinting - Singh, Estan, et al. - 2004
206	Vigilante: end-to-end containment of internet worms - Costa, Crowcroft, et al. - 2005
170	Throttling viruses: Restricting propagation to defeat malicious mobile code - Williamson - 2002
158	P (2002) Mimicry attacks on host-based intrusion detection systems. In: CCS’02: proc of the 9th ACM conf on comp and comm security - Wagner, Soto
146	Alert correlation in a cooperative intrusion detection framework - Miege - 2002
146	Shield: Vulnerability-driven network filters for preventing known vulnerability exploits - Wang, Guo, et al. - 2004
142	Honeycomb - creating intrusion detection signatures using honeypots - Kreibich, Crowcroft - 2003
128	An Architecture for Intrusion Detection using Autonomous Agents - Balasubramaniyan, Garcia-Fernandez, et al. - 1998
126	Probabilistic alert correlation - Valdes, Skinner - 2001
125	Very fast containment of scanning worms - Weaver, Staniford, et al.
122	A taxonomy of computer worms - Weaver, Paxson, et al. - 2003
112	Anomaly detection using call stack information - Feng, Koleshnikov, et al.
107	A neural network component for an intrusion detection system - Debar, Becker, et al. - 1992
107	The SRI IDES statistical anomaly detector - JAVITZ, VALDES - 1991
97	Constructing attack scenarios through correlation of intrusion alerts - NING, CUI, et al.
92	intrusion detection system - Smaha, Haystack - 1988
84	Global Intrusion Detection in the DOMINO Overlay System - Yegneswaran, Barford, et al. - 2004
83	GrIDS - A graph based intrusion detection system for large networks - Staniford-Chen, Cheung, et al. - 1996
83	Automatic misconfiguration troubleshooting with peerpressure - Wang, Platt, et al. - 2004
81	Anomaly detection over noisy data using learned probability distributions - ESKIN
74	Detection of anomalous computer session activity - Vaccaro, Liepins
72	Expert systems in intrusion detection: A case study - Sebring, Shellhouse, et al.
69	the dataflow programming language - Lucid - 1985
66	Alarm correlation - Jakobson, Weissman - 1993
65	Detecting Manipulated Remote Call Streams - Giffin, Jha, et al. - 2002
64	The base-rate fallacy and the difficulty of intrusion detection - Axelsson
58	Alarm correlation and fault identification in communication networks - Bouloutas, Calo, et al. - 1994
55	On the detection of anomalous system call arguments - KRUEGEL, MUTZ, et al. - 2003
41	A behavioral approach to worm detection - Ellis, Aiken, et al. - 2004
40	Vulnerability-Specific Execution Filtering for Exploit Prevention on Commodity Software. Network and Distributed System Security Symposium - Newsome, Brumley, et al. - 2006
39	D.Gray-Box Extraction of Execution Graphs for Anomaly Detection - GAO, REITER, et al. - 2004
30	Software self-healing using collaborative application communities - Locasto, Sidiroglou, et al. - 2005
23	Communication-efficient online detection of network-wide anomalies - Huang, Nguyen, et al. - 2007
22	Behavioral distance for intrusion detection - Gao, Reiter, et al. - 2005
21	Seurat: A pointillist approach to anomaly detection - XIE, KIM, et al. - 2004
19	Communication-Efficient Tracking of Distributed Cumulative Triggers - Huang, Garofalakis, et al. - 2007
14	Host-Based Detection of Worms through Peer-to-Peer Cooperation - Malan, Smith - 2005
13	Worm anatomy and model - Ellis - 2003
9	Protecting against unexpected system calls - Linn, Rajagopalan, et al. - 2005
8	Decentralized event correlation for intrusion detection - Krügel, Toth, et al. - 2002
6	Understanding precision in host based intrusion detection: Formal analysis and practical models - Sharif, Singh, et al. - 2007
6	http://www.dshield.org. DShield—distributed intrusion detection system - Ullrich
5	Sting: An End-to-End Self-Healing System for Defending against Internet Worms, chapter 7 - Brumley, Newsome, et al. - 2007
2	Constructing attack scenarios through correlation of intrusion alerts - King, Mao, et al. - 2002