Authors: Alex Aiken, Adam J. Oliner, Ashutosh Kulkarni
Abstract: An epidemic is malicious code running on a subset of a community, a homogeneous set of instances of an application. Syzygy is an epidemic detection framework that looks for time-correlated anomalies, i.e., divergence from a model of dynamic behavior. We show mathematically and experimentally that, by leveraging the statistical properties of a large community, Syzygy is able to detect epidemics even under adverse conditions, such as when an exploit employs both mimicry and polymorphism. This work provides the mathematical basis for Syzygy, describes our particular implementation, and tests the approach on a variety of exploits and commodity desktop applications to demonstrate its effectiveness.

1. Introduction

This paper focuses on detecting a class of security breaches, such as a zero-day infection by a rapidly propagating worm or a coordinated attack. While signature-based methods work for well-known exploits, fast detection of new ones is still a serious problem in practice. A limiting factor for behavior-based detection is distinguishing correct, healthy, system behavior from malicious, infected, behavior, because it is hard to identify exactly the correct behaviors of realistic applications. Either some rare, but legitimate, behavior is missing from the model (correct executions raise alerts), or the model overestimates the set of correct behaviors (real attacks may not raise alerts), or both.

We present Syzygy, a detector that monitors a community of applications (e.g., all Firefox browsers on a department's network) and decides whether there is likely an epidemic, meaning one or more of the community's clients are infected. Our two main insights are (i) if a single noisy model cannot reliably judge the health of a client, we can reduce the noise by averaging the judgements of many independent models, and (ii) epidemics exhibit time-correlated anomalies that are impossible for a single client. Syzygy effectively leverages the statistical properties of the community to turn noisy models into reliable detectors, and uses the rapid spread of an epidemic as a means to better detect it.

Syzygy keeps track of recent anomaly scores for each client, quantifying the similarity between the recent and historical behavior of that client. For example, a strange sequence of system calls might cause a client to report a score above average (anomalous). Syzygy then computes the numerical average of all clients' scores and checks whether this exceeds a threshold. By doing these computations properly (see Section 3), we can make strong theoretical guarantees about Syzygy's ability to overcome noise and detect epidemics. Intuitively, we should expect anomalies in individual clients to be common, but we should not expect the anomalies of multiple clients to be strongly correlated in time, absent an epidemic.

Say we are using Syzygy to protect a campus network and consider the following example attack scenario. A worm begins infecting browsers via a covert channel (no information about its communication is available). After infection, the browser still loads web pages, but the worm is smart enough to perform its actions differently on each client (polymorphism) and in a way that is somewhat similar to normal browsing (mimicry). The anomaly model does not find this behavior to be very surprising and would fail on any single client: each infected client reports a score only slightly above average. In aggregate, however, the infected clients score above the threshold and Syzygy detects the epidemic. The approach has several desirable properties:
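The scoring-and-averaging procedure just described, as an added worked example; this is not the Syzygy paper's code and makes labelled assumptions: each client already runs some anomaly model that emits one scalar score per epoch, the healthy mean and standard deviation of that score are estimated from a constructed healthy epoch, and the community threshold follows the central-limit argument that the mean of N independent healthy scores has standard deviation about sigma / sqrt(N). The client scores and the two scenarios (one lone outlier, then a stealthy epidemic of 30 mildly anomalous clients) are constructed data, chosen so that the per-client rule fires on the wrong epoch and the community rule fires on the epidemic:

```python
"""
Community epidemic detection by averaging per-client anomaly scores.

Added illustration, not code from the Syzygy paper. Assumptions:
- every client already emits one scalar anomaly score per epoch; on healthy
  traffic that score has mean MU and standard deviation SIGMA, estimated
  here from a constructed healthy epoch;
- the community score is the arithmetic mean of the clients' scores;
- the community cut-off uses the central-limit argument: the mean of N
  independent healthy scores has standard deviation about SIGMA / sqrt(N),
  so the same k-sigma rule applied to the mean is sqrt(N) times tighter.
"""
import math
from statistics import mean, pstdev

N_CLIENTS = 100


def healthy_epoch():
    """Constructed healthy scores: a zero-mean pattern repeated over 100 clients."""
    pattern = [-1.2, 0.4, 1.2, -0.4]
    return [pattern[i % 4] for i in range(N_CLIENTS)]


def fit_baseline(training_scores):
    """Estimate (MU, SIGMA) of a single healthy client's score."""
    return mean(training_scores), pstdev(training_scores)


def per_client_alerts(scores, mu, sigma, k=3.0):
    """Clients whose own score is more than k sigma above the healthy mean."""
    cutoff = mu + k * sigma
    return [i for i, s in enumerate(scores) if s > cutoff]


def community_threshold(mu, sigma, n_clients, k=3.0):
    """Cut-off for the community mean: mu + k * sigma / sqrt(N)."""
    return mu + k * sigma / math.sqrt(n_clients)


def community_alert(scores, mu, sigma, k=3.0):
    """True when this epoch's community mean exceeds the community cut-off."""
    return mean(scores) > community_threshold(mu, sigma, len(scores), k)


def lone_anomaly_epoch(client=17, score=5.0):
    """Constructed: one client behaves very strangely, everyone else is healthy."""
    scores = healthy_epoch()
    scores[client] = score
    return scores


def stealthy_epidemic_epoch(n_infected=30, shift=1.2):
    """Constructed mimicry + polymorphism: 30 infected clients each look only mildly odd."""
    scores = healthy_epoch()
    for i in range(n_infected):
        scores[i] += shift
    return scores


def run_stream(epochs, mu, sigma, k=3.0):
    """Apply both decision rules to a stream of epochs.

    Returns (epochs in which some single client crossed its own cut-off,
             epochs in which the community mean crossed the community cut-off).
    """
    single = [t for t, s in enumerate(epochs) if per_client_alerts(s, mu, sigma, k)]
    community = [t for t, s in enumerate(epochs) if community_alert(s, mu, sigma, k)]
    return single, community


if __name__ == "__main__":
    mu, sigma = fit_baseline(healthy_epoch())
    stream = [healthy_epoch(), lone_anomaly_epoch(), stealthy_epidemic_epoch()]
    single, community = run_stream(stream, mu, sigma)
    print(f"per-client cut-off = {mu + 3 * sigma:.3f}")
    print(f"community cut-off  = {community_threshold(mu, sigma, N_CLIENTS):.3f}")
    print(f"single-client alerts in epochs {single}")    # [1]: the lone outlier
    print(f"community alerts in epochs     {community}")  # [2]: the stealthy epidemic
```

With 100 clients the per-client cut-off sits near 2.68 while the community cut-off is a tenth of that, about 0.27. The lone outlier (score 5.0) trips the single-client rule but moves the community mean by only 0.046, so it is not reported as an epidemic; the thirty infected clients each stay below 2.68 (maximum 2.4), yet their mean contribution of 0.36 crosses the community cut-off. Raising k trades missed epidemics for fewer false alarms, and the sqrt(N) factor is what lets a larger community tolerate a noisier per-client model.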