Community Epidemic Detection using Time-Correlated Anomalies

Community Epidemic Detection using Time-Correlated Anomalies
Adam Oliner

Citation
Adam Oliner. "Community Epidemic Detection using Time-Correlated Anomalies". Talk or presentation, 10, November, 2010.

Abstract
An epidemic is malicious code running on a subset of a community, a homogeneous set of instances of an application. Syzygy is an epidemic detection framework that looks for time-correlated anomalies, i.e., divergence from a model of dynamic behavior. We show mathematically and experimentally that, by leveraging the statistical properties of a large community, Syzygy is able to detect epidemics even under adverse conditions, such as when an exploit employs both mimicry and polymorphism. This work provides a mathematical basis for Syzygy, describes our particular implementation, and tests the approach with a variety of exploits and on commodity server and desktop applications to demonstrate its effectiveness.

Electronic downloads

12%20-%20Oliner%20%28Stanford%29.pdf · application/nappdf · 478 kbytes

Citation formats

HTML

Adam Oliner. <a
href="http://www.truststc.org/pubs/766.html"
><i>Community Epidemic Detection using
Time-Correlated Anomalies</i></a>, Talk or
presentation,  10, November, 2010.

Plain text

Adam Oliner. "Community Epidemic Detection using
Time-Correlated Anomalies". Talk or presentation,  10,
November, 2010.

BibTeX

@presentation{Oliner10_CommunityEpidemicDetectionUsingTimeCorrelatedAnomalies,
    author = {Adam Oliner},
    title = {Community Epidemic Detection using Time-Correlated
              Anomalies},
    day = {10},
    month = {November},
    year = {2010},
    abstract = {An epidemic is malicious code running on a subset
              of a community, a homogeneous set of instances of
              an application. Syzygy is an epidemic detection
              framework that looks for time-correlated
              anomalies, i.e., divergence from a model of
              dynamic behavior. We show mathematically and
              experimentally that, by leveraging the statistical
              properties of a large community, Syzygy is able to
              detect epidemics even under adverse conditions,
              such as when an exploit employs both mimicry and
              polymorphism. This work provides a mathematical
              basis for Syzygy, describes our particular
              implementation, and tests the approach with a
              variety of exploits and on commodity server and
              desktop applications to demonstrate its
              effectiveness.},
    URL = {http://www.truststc.org/pubs/766.html}
}

Posted by Larry Rohrbough on 7 Dec 2010.
Groups: trust
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.