IDS mailing list archives

RE: Suggestions


From: "Ed Donegan" <danceslikewhiteguy () hotmail com>
Date: Thu, 03 Jun 2004 12:14:26 -0700

There is indeed a difference. In suggesting Pearson, I am suggesting each "object" be a compound signature for an event, such as a specific attack or patch distribution. Files modified, processes launched, network ports opened, time window of event, strings contained, groups or "scatter" of servers touched, all be weighed using the Pearson product moment correlation co-efficient to analyze whether, based on the totality of the data points, it looks (correlates) more like 1) a known virus, 2) a variant virus with only most data points in common, or 3) whether the data points instead correlate more closely with SMS or administration activity.

The general idea of Pearson is that an object, like a line, can be described by a series of data points. If the data points match the line along its length closely, it has a strong correlation. Co-variance, differences in the data points, weaken the correlation.


So let's say Descriptor X is tripped because four specific files got modified, and Descriptor X is a signature for a virus that modifies those same four files. So it has a strong correlation, four data points match. On the other hand, Descriptor Y (an SMS distribution of a known patch) has a stronger correlation co-efficient, because there are also matches for the group of servers touched (marketing), the source of the changes (IP address of the SMS server for marketing), and the patch that went through change control is also known to modify those four same files, and the event occurred during the change control window. The SMS account was also utilized.

So by correlating the entire event, based on multiple data points including data out of the network and administration environment, a false positive is avoided because a stronger correlation exists with something else. On the other hand, a false negative may be avoided later because the variant may have much in common with a known virus.

The strength of the correlation is the correlation co-efficient, which could be weighted or tuned per data point.
From: "Rishi Pande" <rpande () vt edu>
To: "'Ed Donegan'" <danceslikewhiteguy () hotmail com>
CC: <focus-ids () securityfocus com>
Subject: RE: Suggestions
Date: Thu, 3 Jun 2004 10:21:03 -0400

My very basic knowledge of the Pearson's coefficient leads me to believe
that there is not much similar between spatial autocorrelation and the
Pearson's coefficient.
Pearson's coefficient measures the relation between two variables on the
same object.
Spatial autocorrelation, on the other hand, measures the correlation between the instances of the effect under measurement (in my case, instances of worm
occurrences) with respect to 2-D space. We considered geographical and
topological orientations for the space.
My work was more focused on helping to predict the spread of a worm.
Actually bringing it into implementation will involve multiple
characteristics coming into play including some you mentioned. However
during design of the implementation product, I concentrated on network level
issues for detection of an intrusion: dramatic rise of traffic on a port,
high number of small transmissions from outside networks, etc. We also
thought about opening a second "emergency" line of communication to a global
warning source such as CERT, D-shield, etc.
Rishi

-----Original Message-----
From: Ed Donegan [mailto:danceslikewhiteguy () hotmail com]
Sent: Wednesday, June 02, 2004 7:13 PM
To: rpande () vt edu; thiagoguzella () yahoo com br
Cc: focus-ids () securityfocus com; uzurutuza () eps mondragon edu;
TheTom () UnixIsNot4Dummies ORG; clint () secureconsulting com;
stefano.zanero () ieee org; whitty () reeve com; mark.runion () us army mil
Subject: Re: Suggestions

I wasn't able to drag down the PDF yet, but I presume it used the Pearson
product moment correlation co-efficient?  Most embarrassing, I posted the
wrong version earlier, more verbose, less technical, but does this technique
use multiple data points to describe an event (i.e. process launched, files
touched), then measure the "goodness of fit" to the event and the data
points in a correlation co-efficient?  This is where I believe the more
technical definition of correlation lies, but as far as tailoring it for
utility, I have seen numerous variations.


>From: Rishikesh Pande <rpande () vt edu>
>To: Thiago dos Santos Guzella <thiagoguzella () yahoo com br>
>CC: focus-ids () securityfocus com,
>uzurutuza () eps mondragon edu,TheTom () UnixIsNot4Dummies ORG,
>clint () secureconsulting com,stefano.zanero () ieee org, whitty () reeve com,
>mark.runion () us army mil
>Subject: Re: Suggestions
>Date: Sat, 29 May 2004 16:05:53 -0400
>
>You may want to take a look at my thesis
>(http://scholar.lib.vt.edu/theses/available/etd-05182004-085925/). I used
>spatial autocorrelation- a measure from plant epidemiology to look at the
>spread of computer network worms. The thesis is kind of long, but you may
>want to read the Introduction and then skip over to chapter 4. If you can
>wait a month or so, I am presenting some of my work at SANSFIRE- Monterey.
>    Rishi

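Ed's proposal above (describing an event by its data points and weighing it against compound signatures with the Pearson product-moment correlation co-efficient) worked through as an added example. This is not code from the thread or from any of its authors: the feature list, the three descriptors, the observed event and the per-data-point weights are all constructed here to mirror the marketing/SMS patch scenario in the message, and the weighted form of Pearson's r is an assumption about how "weighted or tuned per data point" could be realised.

```python
import math
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed (hypothetical) data points describing one observed event.
# Each is 1 if present and 0 if absent; a real deployment could use counts
# or normalised scores instead of binary flags.
FEATURES = [
    "file_a_modified", "file_b_modified", "file_c_modified", "file_d_modified",
    "new_process_launched", "listening_port_opened",
    "source_is_sms_server", "target_group_marketing",
    "in_change_control_window", "sms_service_account_used",
]

# Constructed compound signatures ("descriptors") over the same data points.
DESCRIPTORS: Dict[str, List[int]] = {
    # Known virus: modifies the four files, spawns a process, opens a port,
    # and has no administrative provenance.
    "X: known virus":              [1, 1, 1, 1, 1, 1, 0, 0, 0, 0],
    # Variant: only three of the four files, otherwise like X.
    "X': variant (3 of 4 files)":  [1, 1, 1, 0, 1, 1, 0, 0, 0, 0],
    # SMS patch distribution: same four files, installer process, and the
    # full administrative provenance (source, group, window, account).
    "Y: SMS patch distribution":   [1, 1, 1, 1, 1, 0, 1, 1, 1, 1],
}

# Constructed observed event: four files touched from the SMS server, on the
# marketing group, inside the change window, with the SMS account, and no
# new process or listening port seen.
OBSERVED = [1, 1, 1, 1, 0, 0, 1, 1, 1, 1]

# Constructed tuning: provenance data points count three times as much.
PROVENANCE_WEIGHTS = [1, 1, 1, 1, 1, 1, 3, 3, 3, 3]


def weighted_pearson(x: Sequence[float], y: Sequence[float],
                     w: Optional[Sequence[float]] = None) -> float:
    """Weighted Pearson product-moment correlation between x and y.

    With w=None every data point has weight 1 and this is the ordinary r.
    Returns 0.0 when either vector has no variance (r is undefined there,
    so the descriptor carries no evidence either way).
    """
    if len(x) != len(y):
        raise ValueError("vectors must describe the same data points")
    if w is None:
        w = [1.0] * len(x)
    total = float(sum(w))
    mx = sum(wi * xi for wi, xi in zip(w, x)) / total
    my = sum(wi * yi for wi, yi in zip(w, y)) / total
    cov = sum(wi * (xi - mx) * (yi - my) for wi, xi, yi in zip(w, x, y))
    vx = sum(wi * (xi - mx) ** 2 for wi, xi in zip(w, x))
    vy = sum(wi * (yi - my) ** 2 for wi, yi in zip(w, y))
    if vx == 0.0 or vy == 0.0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def rank_descriptors(observed: Sequence[float], descriptors: Dict[str, List[int]],
                     weights: Optional[Sequence[float]] = None) -> List[Tuple[str, float]]:
    """Score every descriptor against the observed event, best fit first."""
    scored = [(name, weighted_pearson(observed, vec, weights))
              for name, vec in descriptors.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for label, w in (("unweighted", None), ("provenance-weighted", PROVENANCE_WEIGHTS)):
        print(label)
        for name, r in rank_descriptors(OBSERVED, DESCRIPTORS, w):
            print(f"  r = {r:+.3f}  {name}")
```

On this constructed input the SMS patch descriptor Y scores r = 0.667 against the observed event while the known-virus descriptor X scores negatively (about -0.41), which is the false positive being avoided by a stronger correlation elsewhere; with the provenance weights applied, X's score drops further (to -0.5) while Y stays on top, illustrating the per-data-point tuning. The zero-variance branch matters in practice: a descriptor whose data points are all 1 (or all 0) has no defined correlation with anything, and should be treated as no evidence rather than as a perfect match.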

