Team for Research in
Ubiquitous Secure Technology

Community Epidemic Detection using Time-Correlated Anomalies
Adam Oliner

Citation
Adam Oliner. "Community Epidemic Detection using Time-Correlated Anomalies". Talk or presentation, 10, November, 2010.

Abstract
An epidemic is malicious code running on a subset of a community, a homogeneous set of instances of an application. Syzygy is an epidemic detection framework that looks for time-correlated anomalies, i.e., divergence from a model of dynamic behavior. We show mathematically and experimentally that, by leveraging the statistical properties of a large community, Syzygy is able to detect epidemics even under adverse conditions, such as when an exploit employs both mimicry and polymorphism. This work provides a mathematical basis for Syzygy, describes our particular implementation, and tests the approach with a variety of exploits and on commodity server and desktop applications to demonstrate its effectiveness.
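The core idea of the abstract, illustrated with added example code that is not part of the talk or of the Syzygy implementation it describes: every instance scores its own divergence from a learned model of normal behavior, and the community statistic is the mean of those scores across all instances. Under normal operation the instances behave independently, so that mean concentrates around its expectation with a spread roughly sqrt(N) smaller than a single instance's score. A coordinated shift that is too small to flag on any one host (mimicry) therefore stands out at the community level. The community size, the Gaussian metric with a simple static per-instance model, the 1.2-sigma shift, the 40% infected subset, the thresholds and all data below are constructed assumptions of this illustration, not numbers from the work.

```python
import random
import statistics

# Assumed parameters of the illustration (not from the talk).
N_INSTANCES = 1000          # size of the homogeneous community
TRAIN_STEPS = 200           # steps used to learn each instance's model
CALIB_STEPS = 200           # clean steps used to learn the community null
NORMAL_STEPS = 30           # clean monitoring steps before the outbreak
EPIDEMIC_STEPS = 10         # steps with the outbreak active
INFECTED_FRACTION = 0.4     # subset of the community running the exploit
MIMICRY_SHIFT = 1.2         # exploit moves the metric by only 1.2 std-devs
K_COMMUNITY = 5.0           # alert when community score > mu + k * sigma
PER_INSTANCE_THRESHOLD = 4.0  # z-score a single-host detector would need


def make_community(n):
    """Baseline (mean, std) of one behavior metric per instance. Same
    software, slightly different load, so the means differ (constructed)."""
    return [(random.uniform(50.0, 60.0), 5.0) for _ in range(n)]


def observe(community, infected, shift):
    """One time step of metrics. Infected instances drift by `shift` std-devs,
    which stays inside what any single host would consider normal."""
    return [random.gauss(mu + (shift * sd if i in infected else 0.0), sd)
            for i, (mu, sd) in enumerate(community)]


def fit_models(history):
    """Per-instance model of normal behavior: sample mean and std over the
    training window. history[t][i] is the metric of instance i at step t."""
    return [(statistics.fmean(s), statistics.stdev(s)) for s in zip(*history)]


def anomaly_scores(models, observation):
    """Divergence of each instance from its own model (absolute z-score)."""
    return [abs(x - mu) / sd for (mu, sd), x in zip(models, observation)]


def community_score(scores):
    """Mean anomaly score across the community. With independent instances
    its std is about sqrt(N) times smaller than a single instance's score."""
    return statistics.fmean(scores)


class CommunityDetector:
    """Alerts when the community score is implausible under the null
    distribution learned on a clean calibration window."""

    def __init__(self, k):
        self.k = k
        self.mu = self.sigma = self.threshold = None

    def calibrate(self, clean_scores):
        self.mu = statistics.fmean(clean_scores)
        self.sigma = statistics.stdev(clean_scores)
        self.threshold = self.mu + self.k * self.sigma

    def z(self, score):
        return (score - self.mu) / self.sigma

    def is_epidemic(self, score):
        return score > self.threshold


def run_experiment():
    random.seed(7)  # fixed seed so the constructed run is reproducible
    community = make_community(N_INSTANCES)
    infected = set(random.sample(range(N_INSTANCES),
                                 int(INFECTED_FRACTION * N_INSTANCES)))
    # 1. Learn each instance's model of normal behavior.
    models = fit_models([observe(community, set(), 0.0) for _ in range(TRAIN_STEPS)])
    # 2. Learn the community score's null distribution on a second clean window.
    detector = CommunityDetector(K_COMMUNITY)
    detector.calibrate([community_score(anomaly_scores(models, observe(community, set(), 0.0)))
                        for _ in range(CALIB_STEPS)])
    # 3. Monitor: clean steps, then the exploit runs on a fixed subset.
    detected_at, false_alerts, per_instance_alerts = None, 0, 0
    infected_scores, epidemic_z = [], []
    for t in range(NORMAL_STEPS + EPIDEMIC_STEPS):
        active = t >= NORMAL_STEPS
        scores = anomaly_scores(models, observe(community, infected if active else set(), MIMICRY_SHIFT))
        cs = community_score(scores)
        if active:
            epidemic_z.append(detector.z(cs))
            infected_scores.extend(scores[i] for i in infected)
            per_instance_alerts += sum(scores[i] > PER_INSTANCE_THRESHOLD for i in infected)
            if detected_at is None and detector.is_epidemic(cs):
                detected_at = t
        elif detector.is_epidemic(cs):
            false_alerts += 1
    return {
        "threshold": detector.threshold,
        "detected_at": detected_at,                      # first step flagged
        "false_alerts": false_alerts,                    # alerts on clean steps
        "min_epidemic_z": min(epidemic_z),               # weakest outbreak step, in null sigmas
        "mean_infected_score": statistics.fmean(infected_scores),
        "per_instance_alert_fraction": per_instance_alerts / len(infected_scores),
    }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(f"{key}: {value}")
```

The run shows the two sides of the argument in one place: the infected instances' own scores average near 1.3, far below anything a per-host threshold could act on without constant false alarms, while the community score on every outbreak step sits many null standard deviations above its calibrated threshold and nothing fires during the clean steps. Polymorphism is outside what this illustration models; the point it does make is that the detection signal comes from the time correlation across the community, not from the magnitude of any single instance's divergence.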

Citation formats  
  • HTML
    Adam Oliner. <a
    href="http://www.truststc.org/pubs/766.html"
    ><i>Community Epidemic Detection using
    Time-Correlated Anomalies</i></a>, Talk or
    presentation,  10, November, 2010.
  • Plain text
    Adam Oliner. "Community Epidemic Detection using
    Time-Correlated Anomalies". Talk or presentation,  10,
    November, 2010.
  • BibTeX
    @presentation{Oliner10_CommunityEpidemicDetectionUsingTimeCorrelatedAnomalies,
        author = {Adam Oliner},
        title = {Community Epidemic Detection using Time-Correlated
                  Anomalies},
        day = {10},
        month = {November},
        year = {2010},
        abstract = {An epidemic is malicious code running on a subset
                  of a community, a homogeneous set of instances of
                  an application. Syzygy is an epidemic detection
                  framework that looks for time-correlated
                  anomalies, i.e., divergence from a model of
                  dynamic behavior. We show mathematically and
                  experimentally that, by leveraging the statistical
                  properties of a large community, Syzygy is able to
                  detect epidemics even under adverse conditions,
                  such as when an exploit employs both mimicry and
                  polymorphism. This work provides a mathematical
                  basis for Syzygy, describes our particular
                  implementation, and tests the approach with a
                  variety of exploits and on commodity server and
                  desktop applications to demonstrate its
                  effectiveness.},
        URL = {http://www.truststc.org/pubs/766.html}
    }
    

Posted by Larry Rohrbough on 7 Dec 2010.
Groups: trust
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.