Detection of slow worms is particularly challenging due to the stealthy nature of their propagation techniques and their ability to blend with normal traffic patterns. In this paper, we propose a distributed detection approach based on the Generalized Evidence Processing (GEP) theory, a sensor integration and data fusion technique. With GEP theory, evidence collected by distributed detectors determine the probability associated with a detection decision under a hypothesis. The collected evidence is combined to arrive at an optimal fused detection decision by minimizing a cummulative decision risk function. Typically, malicious traffic flows of varying scanning rates can occur in the wild, and the difficulty in detecting slow scanning worms in particular can be exacerbated by interference from other traffic flows scanning at faster rates. Our proposed detection technique uses a window-based self adapting profiler to filter detected malicious traffic profiles with scanning rates greater than the low scanning rates we are interested in. Experiments on a live test-bed are used to demonstrate behavior of the technique.

Additional Metadata
Keywords Anomaly detection, Data fusion, Optimal decision, Worms
Persistent URL dx.doi.org/10.1109/CISDA.2009.5356557
Conference IEEE Symposium on Computational Intelligence for Security and Defense Applications, CISDA 2009
Citation
Akujobi, F. (Frank), Lambadaris, I, & Kranakis, E. (2009). Detection of slow malicious worms using multi-sensor data fusion. Presented at the IEEE Symposium on Computational Intelligence for Security and Defense Applications, CISDA 2009. doi:10.1109/CISDA.2009.5356557