
Detection of slow malicious worms using multi-sensor data fusion



Abstract

Detection of slow worms is particularly challenging due to the stealthy nature of their propagation techniques and their ability to blend with normal traffic patterns. In this paper, we propose a distributed detection approach based on the Generalized Evidence Processing (GEP) theory, a sensor integration and data fusion technique. With GEP theory, evidence collected by distributed detectors determines the probability associated with a detection decision under a hypothesis. The collected evidence is combined to arrive at an optimal fused detection decision by minimizing a cumulative decision risk function. Typically, malicious traffic flows of varying scanning rates can occur in the wild, and the difficulty of detecting slow-scanning worms in particular can be exacerbated by interference from other traffic flows scanning at faster rates. Our proposed detection technique uses a window-based self-adapting profiler to filter out detected malicious traffic profiles whose scanning rates exceed the low scanning rates we are interested in. Experiments on a live test-bed are used to demonstrate the behavior of the technique.
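The two mechanisms the abstract describes, a window-based scan-rate profiler that discards fast scanners and a risk-minimizing fusion of distributed detector evidence, are illustrated below in an added example that is not the paper's code and does not reproduce its GEP formulation. The fusion step uses the standard Bayes-risk-minimizing rule for binary sensor reports (Chair-Varshney style) as a stand-in for the paper's cumulative decision risk function; the sensor error rates, priors, costs, window length and thresholds are assumed values, and the self-adapting threshold selection of the paper's profiler is not reproduced (thresholds are passed in as fixed parameters). The connection-attempt log is constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_S = 10.0  # assumed profiling window length in seconds


def constructed_events():
    """Constructed connection-attempt records: (timestamp_s, src_ip, dst_ip, dst_port)."""
    events = []
    # 10.0.0.5: fast scanner, 20 distinct hosts inside the first 10 s window
    for i in range(20):
        events.append((0.5 * i, "10.0.0.5", f"192.0.2.{i + 1}", 445))
    # 10.0.0.7: slow scanner, one new host every 10 s for a minute
    for i in range(6):
        events.append((10.0 * i + 3.0, "10.0.0.7", f"192.0.2.{100 + i}", 445))
    # 10.0.0.9: ordinary client that keeps returning to the same two servers
    for i in range(12):
        dst = "192.0.2.200" if i % 2 else "192.0.2.201"
        events.append((5.0 * i, "10.0.0.9", dst, 443))
    return events


def scan_profiles(events, window_s=WINDOW_S):
    """Per source: (total distinct targets, peak distinct targets per second in any window)."""
    per_window = defaultdict(set)  # (src, window index) -> {(dst, port)}
    totals = defaultdict(set)      # src -> {(dst, port)}
    for ts, src, dst, port in events:
        per_window[(src, int(ts // window_s))].add((dst, port))
        totals[src].add((dst, port))
    peak = defaultdict(float)
    for (src, _), targets in per_window.items():
        peak[src] = max(peak[src], len(targets) / window_s)
    return {src: (len(totals[src]), peak[src]) for src in totals}


def slow_scanner_candidates(events, max_rate, min_targets, window_s=WINDOW_S):
    """Keep sources that do scan (>= min_targets distinct targets) but never exceed max_rate.
    Sources whose peak rate is above max_rate are the faster flows the paper filters out."""
    profiles = scan_profiles(events, window_s)
    return sorted(src for src, (n_targets, rate) in profiles.items()
                  if n_targets >= min_targets and rate <= max_rate)


@dataclass(frozen=True)
class Sensor:
    name: str
    p_detect: float       # P(reports 1 | worm present)   - assumed, from calibration
    p_false_alarm: float  # P(reports 1 | no worm)        - assumed, from calibration


# Assumed error characteristics of three distributed detectors
SENSORS = (
    Sensor("edge-ids", 0.9, 0.05),
    Sensor("dns-monitor", 0.7, 0.10),
    Sensor("host-agent", 0.6, 0.20),
)


def fuse(reports, sensors, prior_worm, cost_false_alarm, cost_missed):
    """Risk-minimizing fusion of binary sensor reports.

    Each sensor's report contributes its likelihood under H1 (worm) and H0 (no worm);
    the fused decision picks whichever action has the lower expected cost:
      risk(alarm) = cost_false_alarm * P(H0 | reports)
      risk(clear) = cost_missed      * P(H1 | reports)
    Returns (alarm: bool, posterior P(H1 | reports)).
    """
    like_worm = prior_worm
    like_clean = 1.0 - prior_worm
    for u, s in zip(reports, sensors):
        like_worm *= s.p_detect if u else 1.0 - s.p_detect
        like_clean *= s.p_false_alarm if u else 1.0 - s.p_false_alarm
    # The common normalizer P(reports) cancels when comparing the two risks.
    risk_alarm = cost_false_alarm * like_clean
    risk_clear = cost_missed * like_worm
    return risk_alarm < risk_clear, like_worm / (like_worm + like_clean)


if __name__ == "__main__":
    events = constructed_events()
    print("profiles:", scan_profiles(events))
    print("slow candidates:", slow_scanner_candidates(events, max_rate=0.5, min_targets=5))
    # Two of three sensors flag the slow scanner; missing a worm is costed 50x a false alarm.
    print("fused:", fuse((1, 0, 1), SENSORS, prior_worm=0.01,
                         cost_false_alarm=1.0, cost_missed=50.0))
```

With the assumed numbers the fast scanner 10.0.0.5 is profiled at 2.0 targets/s and dropped, the ordinary client never reaches the minimum target count, and only 10.0.0.7 (0.1 targets/s) survives as a slow-scan candidate. For the fusion step, reports (1, 0, 1) give a posterior of 2/13 for the worm hypothesis; the alarm is raised only because a missed detection is costed far above a false alarm, and with equal costs the same reports are fused to "clear", which is the practical lever the cost terms of a risk function give an operator.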
