On May 15, 2007, SDForum’s Business Intelligence SIG presented a talk on Distributed Bayesian Worm Detection by Intel’s John Mark Agosta.
Agosta’s interest in Bayesian network methods goes back to his Engineering-Economic doctorate days at Stanford. At SRI, he automated planning for emergency response, air campaigns for the USAF, alarm filter models for utilities, and, most importantly, detectors for computer network intrusion. He became CTO at Knowledge Industries, building Bayes networks for medicine, avionics and automobile systems. At Edify Corporation he automated CRMs by using statistical language methods to respond to customer inquiries. He currently develops diagnostic, optimization and statistical models at Intel.
How do you find worms? Gossip. Agosta thinks a distributed Bayesian approach is an important part of security applications. By distributing detection and inference, collaborating hosts are more accurate than detection alone. Agosta showed the advantages of combining machine learning and epidemic-style messaging. A classifier acts as a traffic predictor, quickly finding worms hiding in normal traffic. Worms can no longer hide in the gaps. Intel may add Agosta’s approach to their hardware in their Active Management Technology (AMT) release.
Agosta intends to shrink the gaps that worms hide in on a network. Idle machines on the network are put to work looking for anomalies. Each part of the network can sense what it thinks is worm behavior. If it is set to a very sensitive level, it will send out lots of false positives. If enough parts send enough signals, any disturbance will set off an alarm.
Basically, this is a motion detector for worms. Worms have to move, and when they do, they make noise. This noise is aggregated and examined. The worms can be caught before they infect more than ten percent of a network. Combined with other strategies, this could be a valuable tool for fighting worms.
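The aggregation idea described above can be sketched in a few lines. This is an added example, not code from the talk or from Intel: it assumes a naive-Bayes combination of host reports, a simple push-gossip exchange, and invented detector rates, prior and alarm threshold.

```python
import math
import random

# Assumed values for illustration; none of these numbers come from the talk.
P_ALERT_GIVEN_WORM = 0.60   # sensitive local detector usually fires on worm traffic
P_ALERT_GIVEN_CLEAN = 0.20  # ...and also fires often on normal traffic (false positives)
PRIOR_WORM = 0.001          # prior probability that a worm is spreading right now
ALARM_THRESHOLD = 0.95      # posterior at which a host raises the network alarm

def posterior_worm(alerts):
    """P(worm | reports), assuming host reports are conditionally independent."""
    log_odds = math.log(PRIOR_WORM / (1 - PRIOR_WORM))
    for fired in alerts:
        if fired:
            log_odds += math.log(P_ALERT_GIVEN_WORM / P_ALERT_GIVEN_CLEAN)
        else:
            log_odds += math.log((1 - P_ALERT_GIVEN_WORM) / (1 - P_ALERT_GIVEN_CLEAN))
    return 1 / (1 + math.exp(-log_odds))

def gossip(reports, rounds, rng):
    """Each round, every host pushes all reports it knows to one random peer."""
    known = [{i: r} for i, r in enumerate(reports)]
    for _ in range(rounds):
        snapshot = [dict(k) for k in known]  # send state from the start of the round
        for sender in snapshot:
            known[rng.randrange(len(known))].update(sender)
    return known

def simulate(worm_active, n_hosts=40, rounds=8, seed=1):
    """Return each host's posterior after gossiping constructed detector reports."""
    rng = random.Random(seed)
    p_alert = P_ALERT_GIVEN_WORM if worm_active else P_ALERT_GIVEN_CLEAN
    reports = [rng.random() < p_alert for _ in range(n_hosts)]
    return [posterior_worm(k.values()) for k in gossip(reports, rounds, rng)]

if __name__ == "__main__":
    print("one alert alone: %.4f" % posterior_worm([True]))
    for active in (False, True):
        beliefs = simulate(active)
        alarms = sum(b >= ALARM_THRESHOLD for b in beliefs)
        print("worm=%s: %d of %d hosts raise the alarm" % (active, alarms, len(beliefs)))
```

A single alert from a noisy detector barely moves the posterior away from the prior, while the same weak signal repeated across many hosts pushes it past the alarm threshold.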
Copyright 2007 DJ Cline All rights reserved.