
Integrated detection of active worms using multi-sensor data fusion and collaborative network defense

Posted on: 2011-09-04
Degree: Ph.D
Type: Thesis
University: Carleton University (Canada)
Candidate: Akujobi, Frank Onyekachi
Full Text: PDF
GTID: 2448390002452239
Subject: Engineering
Abstract/Summary:
Fast-spreading malicious worms have been known to cause severe havoc on the networks they attack. Developing adequate detection and defense mechanisms against such worms, with minimal false detection rates and optimized accuracy, is therefore of keen interest. Modeling the behavior of fast-worm detection and defense techniques, to better understand and measure their effectiveness, is crucial to developing effective defenses. Detection of slow-scanning worms is also known to be particularly difficult because of the stealthy nature of slow worm propagation and its ability to blend with normal traffic patterns. The speed of fast-scanning worms and the stealthiness of slow-scanning worms pose unique challenges to malicious worm detection and defense.

Typically, techniques optimized for detecting fast-scanning worms fail to detect slow-scanning worms, and vice versa. Since malicious traffic flows with varying scanning rates can occur concurrently in computer networks, the difficulty of detecting slow worms is exacerbated by interference from other traffic flows scanning at faster rates. This thesis formulates the problem of slow-worm detection to include the detection of faster-scanning malicious traffic and the filtering of traffic profiles associated with detected fast worms, so as to isolate the malicious slow worms. This insight led to the development of a novel GEP theory-based integrated detection technique for detecting both fast- and slow-scanning malicious worm activity, even when they occur concurrently in a target computer network.

This thesis also develops a novel distributed detection and collaborative containment technique, referred to as the EDANC (Endpoint Detection And Network Containment) technique, for defending against fast-spreading worms. The EDANC detection and correlation engine is based on the Generalized Evidence Processing (GEP) theory, a decision-level multi-sensor data fusion technique. With GEP theory, evidence collected by distributed detectors determines the probability associated with a detection decision under a hypothesis. Several pieces of evidence are combined to arrive at an improved fused decision by minimizing a cumulative decision risk function. The EDANC scheme also employs automated, collaborative, network-centric containment for worm defense. Further, this thesis develops the Analytical Active Worm Containment (AAWC) model, a novel non-deterministic discrete-time model of the vulnerable host population protected as a result of the EDANC collaborative defense mechanism in a large-scale network. Analysing the AAWC model alongside a known discrete-time worm propagation model, this thesis demonstrates quantitatively the effectiveness of the EDANC technique in defending against large-scale, fast-spreading scanning worm attacks.
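The decision-level fusion step described above, as an added illustration that is not the thesis's own GEP formulation or code: each constructed endpoint detector reports a local alarm with a known detection and false-alarm probability, and the fusion centre picks the global decision ("worm" or "quiet") with the smaller expected decision risk under a cost matrix. Detector profiles, the prior, and the costs are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Detector:
    """Constructed endpoint detector profile (not from the thesis)."""
    name: str
    p_detect: float       # P(local alarm | H1: worm activity present)
    p_false_alarm: float  # P(local alarm | H0: only benign traffic)

def likelihood(detectors, alarms, worm):
    """P(observed local decisions | hypothesis), assuming conditionally
    independent detectors, so the evidence multiplies."""
    p = 1.0
    for d, alarm in zip(detectors, alarms):
        p_alarm = d.p_detect if worm else d.p_false_alarm
        p *= p_alarm if alarm else (1.0 - p_alarm)
    return p

def fuse(detectors, alarms, prior_worm, cost_miss, cost_false_alarm):
    """Decision-level fusion: return (decision, posterior_worm).
    The decision minimising expected (Bayes) risk is chosen, where a missed
    worm costs cost_miss and a false containment costs cost_false_alarm."""
    joint_worm = prior_worm * likelihood(detectors, alarms, True)
    joint_benign = (1.0 - prior_worm) * likelihood(detectors, alarms, False)
    posterior = joint_worm / (joint_worm + joint_benign)
    risk_alarm = cost_false_alarm * (1.0 - posterior)  # cost if we contain but H0 holds
    risk_quiet = cost_miss * posterior                 # cost if we stay quiet but H1 holds
    return ("worm" if risk_alarm < risk_quiet else "quiet"), posterior

# Constructed sensor profiles: varying detection power and noisiness.
DETECTORS = [
    Detector("host-a", p_detect=0.9, p_false_alarm=0.05),
    Detector("host-b", p_detect=0.8, p_false_alarm=0.10),
    Detector("host-c", p_detect=0.7, p_false_alarm=0.20),
]
PRIOR_WORM = 0.01  # constructed: worm outbreaks are rare in any given interval

def demo():
    """Fuse two constructed evidence patterns: a lone alarm and two corroborating alarms."""
    lone = fuse(DETECTORS, (True, False, False), PRIOR_WORM, cost_miss=10.0, cost_false_alarm=1.0)
    pair = fuse(DETECTORS, (True, True, False), PRIOR_WORM, cost_miss=10.0, cost_false_alarm=1.0)
    return {"lone_alarm": lone, "two_alarms": pair}

if __name__ == "__main__":
    for label, (decision, post) in demo().items():
        print(f"{label}: decision={decision} P(worm|evidence)={post:.4f}")
```

A single noisy alarm is dismissed as a probable false positive, while two corroborating alarms cross the risk threshold and would trigger containment; raising cost_false_alarm relative to cost_miss shifts that threshold.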
Keywords/Search Tags: Worm, Detection, Defense, Fast, Network, EDANC, Scanning, Malicious