Abstract
This paper develops a new approach for detecting self-propagating email viruses based on statistical anomaly detection. Our approach assumes that a key objective of an email virus attack is to eventually overwhelm mail servers and clients with a large volume of email traffic. Based on this assumption, the approach is designed to detect increases in traffic volume over what was observed during the training period. This paper describes our approach and the results of our simulation-based experiments in assessing the effectiveness of the approach in an intranet setting. Within the simulation setting, our results establish that the approach is effective in detecting attacks all of the time, with very few false alarms. In addition, attacks could be detected sufficiently early that clean-up efforts need to target only a fraction of the email clients in an intranet.
This research was supported in part by NSF under grant CCR-0098154 and the Defense Advanced Research Projects Agency (DARPA) under contract number N66001-00-C-8022.
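As an added illustration of the idea the abstract describes (this is not the paper's own code or its statistical model), a small Python model learns a per-window mail-volume threshold from attack-free training traffic, runs a deterministic worst-case spread of a self-propagating email worm across an intranet, and reports what fraction of clients is already infected when the alarm fires. The mean-plus-k-sigma rule, the spread model and all counts are assumptions constructed for the example.

```python
"""Toy volume-based anomaly detector for a self-propagating email worm.
Assumed model, not the paper's: threshold = mean + k * stddev of per-window
mail counts seen in training; spread is deterministic worst case."""
from statistics import mean, pstdev


def train_threshold(training_counts, k=3.0):
    """Learn a per-window volume threshold from attack-free training traffic."""
    return mean(training_counts) + k * pstdev(training_counts)


def simulate_outbreak(n_clients, fanout, baseline, windows):
    """Worst-case spread: every infected client mails `fanout` contacts once per
    window and every recipient becomes infected. Returns, per window, a tuple
    (mail_count_in_window, clients_infected_after_window)."""
    infected = 1  # constructed: one client opens the first malicious mail
    trace = []
    for _ in range(windows):
        count = baseline + infected * fanout          # normal traffic + worm mail
        infected = min(n_clients, infected + infected * fanout)
        trace.append((count, infected))
    return trace


def first_alarm(trace, threshold):
    """Index of the first window whose volume exceeds the threshold, or None."""
    for i, (count, _) in enumerate(trace):
        if count > threshold:
            return i
    return None


def cleanup_fraction(trace, n_clients, threshold):
    """Fraction of clients infected by the time the alarm fires (None if never)."""
    i = first_alarm(trace, threshold)
    if i is None:
        return None
    return trace[i][1] / n_clients


if __name__ == "__main__":
    # constructed attack-free training data: mails per window on a quiet intranet
    training = [100, 110, 95, 105, 100, 90, 105, 95]
    thr = train_threshold(training)                    # 100 + 3 * 6.12 = 118.4
    trace = simulate_outbreak(n_clients=1000, fanout=4, baseline=100, windows=6)
    print("threshold:", round(thr, 1))
    print("alarm at window:", first_alarm(trace, thr))
    print("infected fraction at alarm:", cleanup_fraction(trace, 1000, thr))
```

With these constructed numbers the alarm fires in the second window, when 2.5% of the clients are infected, which is the kind of early detection the abstract's clean-up claim rests on; lowering k trades earlier alarms for more false positives on the training data.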
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Gupta, A., Sekar, R. (2003). An Approach for Detecting Self-propagating Email Using Anomaly Detection. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_4
DOI: https://doi.org/10.1007/978-3-540-45248-5_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40878-9
Online ISBN: 978-3-540-45248-5