Detection of slow malicious worms using multi-sensor data fusion

Abstract: Abstract-Detection of slow worms is particularly challenging due to the stealthy nature of their propagation techniques and their ability to blend with normal traffic patterns. In this paper, we propose a distributed detection approach based on the Generalized Evidence Processing (GEP) theory, a sensor integration and data fusion technique. With GEP theory, evidence collected by distributed detectors determine the probability associated with a detection decision under a hypothesis. The collected evidence is co… Show more

“…GEP theory is known to have advantages over the two major evidence combining theories that have dominated the field of distributed evidence processing -the Bayesian theory and the Dempster-Shafer theory. As far as our literature survey revealed, and to the best of our knowledge we were the first in [4] to use the GEP theory as a theoretical foundation for intrusion detection of malicious traffic in computer networks.…”

“…The first contribution of this thesis to the state of the art is the novel use of the Generalized Evidence Processing (GEP) theory, a decision level multi-sensor data fusion technique for detection of malicious intrusions. Other decision level multi-sensor data fusion techniques, such as the Bayesian theory and the Dempster-Shafer theory have been used in the past as theoretical foundations for intrusion detection, but as far as our literature survey revealed, and to the best of our knowledge, we were the first in [4] to use the GEP theory as a theoretical foundation for intrusion detection of malicious traffic in computer networks. We developed and analysed our novel Endpoint Detection And Network Containment (EDANC) approach for distributed detection and collaborative defense against fast spreading worms.…”

“…4 shows that while the AAWP model shows steady growth in infected population with time, the AAWC model shows an even greater growth in the number of protected hosts due to collaborative containment in the network. A perimeter is created on a gateway router or upstream router after a containment action is taken thus preventing further direct scans.For a scanning worm attack, successful direct worm scans are stopped when the number of protected hosts (modeled using AAWC model) exceed the number of directly scanned hosts (modeled using AAWP model), thus preventing further increase in the number of hosts infected by direct scans (seeFig.…”

Integrated detection of active worms using multi-sensor data fusion and collaborative network defense

“…GEP theory is known to have advantages over the two major evidence combining theories that have dominated the field of distributed evidence processing -the Bayesian theory and the Dempster-Shafer theory. As far as our literature survey revealed, and to the best of our knowledge we were the first in [4] to use the GEP theory as a theoretical foundation for intrusion detection of malicious traffic in computer networks.…”

“…The first contribution of this thesis to the state of the art is the novel use of the Generalized Evidence Processing (GEP) theory, a decision level multi-sensor data fusion technique for detection of malicious intrusions. Other decision level multi-sensor data fusion techniques, such as the Bayesian theory and the Dempster-Shafer theory have been used in the past as theoretical foundations for intrusion detection, but as far as our literature survey revealed, and to the best of our knowledge, we were the first in [4] to use the GEP theory as a theoretical foundation for intrusion detection of malicious traffic in computer networks. We developed and analysed our novel Endpoint Detection And Network Containment (EDANC) approach for distributed detection and collaborative defense against fast spreading worms.…”

“…4 shows that while the AAWP model shows steady growth in infected population with time, the AAWC model shows an even greater growth in the number of protected hosts due to collaborative containment in the network. A perimeter is created on a gateway router or upstream router after a containment action is taken thus preventing further direct scans.For a scanning worm attack, successful direct worm scans are stopped when the number of protected hosts (modeled using AAWC model) exceed the number of directly scanned hosts (modeled using AAWP model), thus preventing further increase in the number of hosts infected by direct scans (seeFig.…”

Integrated detection of active worms using multi-sensor data fusion and collaborative network defense

A scalable network forensics mechanism for stealthy self-propagating attacks