Community Epidemic Detection using Time-Correlated Anomalies

Summary:
Adam J. Oliner, Ashutosh V. Kulkarni, and Alex Aiken
Stanford University
{oliner, ashutosh.kulkarni, aiken}@cs.stanford.edu
Abstract. An epidemic is malicious code running on a subset of a community, a homogeneous set of instances of an application. Syzygy is an epidemic detection framework that looks for time-correlated anomalies, i.e., divergence from a model of dynamic behavior. We show mathematically and experimentally that, by leveraging the statistical properties of a large community, Syzygy is able to detect epidemics even under adverse conditions, such as when an exploit employs both mimicry and polymorphism. This work provides a mathematical basis for Syzygy, describes our particular implementation, and tests the approach with a variety of exploits and on commodity server and desktop applications to demonstrate its effectiveness.
Keywords: epidemic detection, anomalies, community
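The abstract's central claim is that a large community lets a detector see an epidemic that no single instance reveals: a mimicry exploit keeps each host's anomaly score inside the normal range, but because infected hosts drift at the same time, the community-wide score shifts by an amount that grows relative to its noise as the community gets larger. The simulation below is an added illustration of that statistical argument, not the paper's Syzygy code or data. It assumes Gaussian per-instance anomaly scores, a 20% infected subset, a 0.5 standard-deviation behavioural shift per infected instance, and a community threshold set from the central limit theorem; all of these are constructed for the example. Polymorphism does not enter because nothing byte-level is inspected, only behaviour-derived scores.

```python
import math
import random
from statistics import mean, pstdev

# Constructed simulation (assumption, not the paper's data or implementation).
# Each community member emits one anomaly score per epoch: its divergence from
# a per-instance model of normal dynamic behaviour. Under normal operation the
# scores are i.i.d. noise; an epidemic adds a small, simultaneous shift to the
# infected subset.

N_INSTANCES = 1000   # community size (assumed)
TRAIN_EPOCHS = 20    # clean epochs used to calibrate the score distribution
WINDOW = 10          # epochs aggregated per community decision
Z_COMMUNITY = 4.0    # community threshold in standard deviations
Z_INSTANCE = 3.0     # a conventional per-host threshold, for comparison


def clean_epoch(rng, n):
    """Anomaly scores for one epoch of a healthy community."""
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def infected_epoch(rng, n, infected, shift):
    """Same as clean_epoch, but infected members drift by `shift` std-devs.

    A mimicry exploit keeps `shift` small enough that no single score looks
    abnormal on its own; the time correlation across hosts is what remains.
    """
    scores = clean_epoch(rng, n)
    for i in infected:
        scores[i] += shift
    return scores


def calibrate(rng):
    """Estimate the per-instance score mean and std-dev from clean epochs."""
    scores = [s for _ in range(TRAIN_EPOCHS) for s in clean_epoch(rng, N_INSTANCES)]
    return mean(scores), pstdev(scores)


def community_score(window):
    """Mean anomaly score over every instance and epoch in the window."""
    return mean(s for epoch in window for s in epoch)


def community_threshold(mu, sigma, n, w, z=Z_COMMUNITY):
    """By the CLT a healthy window's community score is ~N(mu, sigma^2/(n*w)),
    so a z-sigma threshold fixes the false-alarm rate; the noise shrinks with
    sqrt(n*w) while an epidemic's shift does not."""
    return mu + z * sigma / math.sqrt(n * w)


def instance_alarm_rate(window, mu, sigma, members):
    """Fraction of (member, epoch) scores a per-host detector would flag."""
    flagged = sum(1 for epoch in window for i in members
                  if epoch[i] > mu + Z_INSTANCE * sigma)
    return flagged / (len(window) * len(members))


def run(seed=7, infected_fraction=0.2, shift=0.5):
    """Compare a healthy window and an epidemic window under both detectors."""
    rng = random.Random(seed)
    mu, sigma = calibrate(rng)
    thr = community_threshold(mu, sigma, N_INSTANCES, WINDOW)
    infected = rng.sample(range(N_INSTANCES), int(infected_fraction * N_INSTANCES))

    healthy = [clean_epoch(rng, N_INSTANCES) for _ in range(WINDOW)]
    epidemic = [infected_epoch(rng, N_INSTANCES, infected, shift) for _ in range(WINDOW)]

    healthy_score = community_score(healthy)
    epidemic_score = community_score(epidemic)
    return {
        "threshold": thr,
        "healthy_score": healthy_score,
        "epidemic_score": epidemic_score,
        "healthy_alarm": healthy_score > thr,
        "epidemic_alarm": epidemic_score > thr,
        # how little of the same epidemic a per-host detector sees
        "per_host_rate_infected": instance_alarm_rate(epidemic, mu, sigma, infected),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

With these parameters the community threshold sits about 0.04 standard deviations above the calibrated mean, while 200 infected hosts each shifted by 0.5 move the community score by roughly 0.1, so the epidemic window trips the alarm and the healthy window does not; the per-host detector, by contrast, flags well under 5% of infected instance-epochs, barely above its own false-alarm rate. Shrinking `N_INSTANCES` or `WINDOW` raises the threshold and shows where the community becomes too small for the method.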
1 Introduction
Consider a set of instances of an application, which we call a community. Two examples of communities are all the mail servers in an organization or all the


Source: Aiken, Alex - Department of Computer Science, Stanford University


Collections: Computer Technologies and Information Sciences