Home  |   Login  |   Logout  |   Access Information  |   Alerts  |   Purchase History  |   Cart  |   Sitemap  |   Help   
 
Abstract
BROWSE SEARCH IEEE XPLORE GUIDE SUPPORT
arrow_leftView TOC
Email/Printer Friendly Format  
 

Detecting Malware Outbreaks Using a Statistical Model of Blackhole Traffic
Soltani, S.   Ali Khayam, S.   Radha, H.  
Dept. of Comput. Sci. & Eng., Michigan State Univ., East Lansing, MI;

This paper appears in: Communications, 2008. ICC '08. IEEE International Conference on
Publication Date: 19-23 May 2008
On page(s): 1593-1597
Location: Beijing,
ISBN: 978-1-4244-2075-9
INSPEC Accession Number: 10041371
Digital Object Identifier: 10.1109/ICC.2008.308
Current Version Published: 2008-05-30

Abstract
Internet blackholes have emerged as very effective tools for monitoring changes in the Internet's traffic behavior. Prior studies have shown that traffic observed at a blackhole contains valuable information about emerging malware. While blackhole traffic has been effectively used for attack forensics, a systematic method of leveraging this traffic for online Internet- scale anomaly detection is not available. In this paper, we propose a novel technique to detect malware outbreaks using deviations in a robust statistical model of a blackhole's traffic. First, we introduce a novel and accurate Piecewise Poisson process Model (PPM) of traffic observed at an Internet Motion Sensor (IMS) blackhole which provides a statistical quantification of the intensity or rate of incoming traffic at a blackhole, which can in turn be used to detect malware outbreaks. After establishing the accuracy of the proposed PPM model, we develop a regression model that can characterize variations in the PPM's traffic rates. Once an accurate model of traffic rates is in place, malware outbreaks can be detected using deviations from the model's likely statistical patterns. After removing simple deterministic patterns, we observe that a blackhole's traffic rate residuals have a skewed and heavy-tailed behavior. Consequently, we employ a stable distribution that models variations in traffic rate residuals with very high accuracy. Finally, we propose an online detection mechanism that utilizes deviations from the rate residual distribution of blackhole traffic data to detect malware outbreaks. Experimental results using the IMS data for approximately one year show that the proposed mechanism accurately detects malware outbreaks in a timely manner.

Index Terms
Available to subscribers and IEEE members.

References
Available to subscribers and IEEE members.
Citing Documents
Available to subscribers and IEEE members.
You are not logged in.
Guests may access Abstract records free of charge.
Login
Username
Password
» Forgot your password?
Please remember to log out when you have finished your session.
You must log in to access:
• Advanced or Author Search
• CrossRef Search
• AbstractPlus Records
• Full Text PDF
• Full Text HTML
Access this document
Full Text: PDF (156 KB)
» Buy this document now
»  Learn more about
»  Learn more about
    purchasing articles
    and standards

Rights and Permissions
» Learn More
Download this citation
Available to subscribers and IEEE members.
 
arrow_leftView TOC   |  Back to toparrow_up
Indexed by IEE Inspec
© Copyright 2009 IEEE – All Rights Reserved