[Nrg-l] NRG on Monday November 1st MCS135@4:00pm

Niky Riga inki at cs.bu.edu
Tue Oct 26 13:00:51 EDT 2004


Hi,
Next week, NRG will be hosting Jaeyeon Jung. She is a Ph.D. student at 
MIT, working at the Computer Science and Artificial Intelligence 
Laboratory. She is working on Network Security issues. The title and 
abstract of the talk follow. If someone wants to meet with her (either 
1-on-1 or in a group), please let me know.

Regards,
Niky

====================================================================

Title: Threshold Random Walk: its theory and applications to portscan
detection and fast detection of scanning worm infections.

Papers are linked at http://nms.lcs.mit.edu/~jyjung/

Speaker: Jaeyeon Jung (Ph.D. student at MIT Computer Science and
Artificial Intelligence Laboratory)

Abstract:
Attackers routinely perform random "portscans" of IP addresses to find
vulnerable servers to compromise. Network Intrusion Detection Systems (NIDS)
attempt to detect such behavior and flag these portscanners as malicious. An
important need in such systems is prompt response: the sooner a NIDS detects
malice, the lower the resulting damage. At the same time, a NIDS should not
falsely implicate benign remote hosts as malicious. Balancing the goals of
promptness and accuracy in detecting malicious scanners is a delicate and
difficult task. We develop a connection between this problem and the theory
of sequential hypothesis testing and show that one can model accesses to
local IP addresses as a random walk on one of two stochastic processes,
corresponding respectively to the access patterns of benign remote hosts and
malicious ones. The detection problem then becomes one of observing a
particular trajectory and inferring from it the most likely classification
for the remote host. We use this insight to develop TRW (Threshold Random
Walk), an on-line detection algorithm that identifies malicious remote hosts.
Using an analysis of traces from two qualitatively different sites, we show
that TRW requires a much smaller number of connection attempts (4 or 5 in
practice) to detect malicious activity compared to previous schemes, while
also providing theoretical bounds on the low (and configurable) probabilities
of missed detection and false alarms. In summary, TRW performs significantly
faster and also more accurately than other current solutions.
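As an added illustration of the random walk the abstract describes (this is not code from the speaker or the linked papers), the following sketch implements the sequential hypothesis test per remote host: each first-contact connection outcome moves a log-likelihood ratio by a fixed step, and the walk stops at an upper threshold ("scanner") or a lower one ("benign"). The parameter values (success probabilities theta0/theta1, error bounds alpha/beta), the class and function names, and the sample connection log are assumptions made for this example.

```python
from math import log

class TRWDetector:
    """Threshold Random Walk: one sequential hypothesis test per remote host,
    driven by the success/failure of its first-contact connection attempts."""

    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        # theta0: P(first contact succeeds | benign host)      (assumed value)
        # theta1: P(first contact succeeds | scanning host)    (assumed value)
        # alpha: bound on false-alarm probability; beta: required detection rate
        self.step_success = log(theta1 / theta0)                # walk moves down
        self.step_failure = log((1 - theta1) / (1 - theta0))    # walk moves up
        self.upper = log(beta / alpha)                  # cross -> "scanner"
        self.lower = log((1 - beta) / (1 - alpha))      # cross -> "benign"
        self.walk = {}     # remote -> current log-likelihood ratio
        self.seen = {}     # remote -> set of local addresses already contacted
        self.verdict = {}  # remote -> "scanner" | "benign" once decided

    def observe(self, remote, local, succeeded):
        """Feed one connection attempt; return the verdict or None if undecided."""
        if remote in self.verdict:
            return self.verdict[remote]
        contacted = self.seen.setdefault(remote, set())
        if local in contacted:          # repeat contact carries no new evidence
            return None
        contacted.add(local)
        step = self.step_success if succeeded else self.step_failure
        self.walk[remote] = self.walk.get(remote, 0.0) + step
        if self.walk[remote] >= self.upper:
            self.verdict[remote] = "scanner"
        elif self.walk[remote] <= self.lower:
            self.verdict[remote] = "benign"
        return self.verdict.get(remote)

def run(events, **params):
    """Replay (remote, local, succeeded) events; map each decided remote host to
    (verdict, number of first-contact attempts it took to reach it)."""
    det, results = TRWDetector(**params), {}
    for remote, local, ok in events:
        verdict = det.observe(remote, local, ok)
        if verdict and remote not in results:
            results[remote] = (verdict, len(det.seen[remote]))
    return results

# Constructed sample log: 10.0.0.5 sweeps consecutive addresses and fails every
# time; 198.51.100.7 reaches real services and re-uses one of them.
SAMPLE = [
    ("10.0.0.5", "192.0.2.1", False), ("198.51.100.7", "192.0.2.10", True),
    ("10.0.0.5", "192.0.2.2", False), ("10.0.0.5", "192.0.2.3", False),
    ("198.51.100.7", "192.0.2.11", True), ("10.0.0.5", "192.0.2.4", False),
    ("198.51.100.7", "192.0.2.10", True), ("198.51.100.7", "192.0.2.12", True),
    ("198.51.100.7", "192.0.2.13", True),
]
```

With these parameters each failure multiplies the likelihood ratio by 4 and the scanner threshold is 99, so four failed first contacts suffice, which is the "4 or 5 in practice" figure from the abstract.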
-- 
Use a smile as your shield. It will protect u better than cruelty in 
return will.