Detection & Containment of Computer Epidemics Through Correlation of Communication Anomalies
Title: Chief Technology Officer
Phone: (310) 337-3013
Email: swamy@cs3-inc.com
Title: President
Phone: (310) 337-3013
Email: dtaylor@cs3-inc.com
This Phase I SBIR project investigates the detection and mitigation of fast-spreading computer infections, which we call network epidemics. We wish to avoid packet payload inspection for several reasons. First, the increasing use of encrypted communication makes it impossible to interpret the payload. Second, payload anomaly analysis introduces delays that can be unacceptable when stopping fast-spreading epidemics. In our project, detection of a network epidemic is based on communication anomalies and on the detection of similar shifts in behavior across a very large number of machines on the network. Our hypothesis is that epidemics can be detected by analyzing only the communication patterns of the machines, without reference to packet payloads. Innovations of our approach include efficient traffic summaries that can store traffic data indefinitely, and correlation features that make it possible to detect shifts in the behavior of many machines across an entire network. Both exponentially spreading and slowly spreading epidemics are discovered using this approach. The approach also generates filters for the traffic that spreads the infection, thereby providing a defense. In Phase I, we validate the approach with a proof-of-concept prototype and analyze the scalability of the approach to larger and faster networks.
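The following is an added illustration of the payload-free detection idea described above; it is not code from the CS3 prototype and the specific summary statistic, thresholds, window sizes and filter format are assumptions chosen for the example. Each host is reduced to a compact per-window summary (distinct peers contacted per destination port, no payload kept). A host shows a "shift" when it fans out on a port it never used in its baseline; a correlation step then asks how many distinct hosts show the same shift within a span of windows. A span of one window catches an exponential burst, a longer span accumulates a slow spread, and a detection is turned into a drop filter on the spreading port. The flow records are constructed inline.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

MIN_FANOUT = 5   # distinct peers on one port before it counts as a shift (assumed)
QUORUM = 3       # hosts showing the same shift before we call it an epidemic (assumed)


@dataclass(frozen=True)
class Flow:
    """One connection attempt, header fields only: no payload is retained."""
    window: int   # time bucket, e.g. a minute index
    src: str
    dst: str
    dport: int


def summarize(flows: Iterable[Flow]) -> Dict[str, Dict[int, Dict[int, Set[str]]]]:
    """Compact traffic summary: host -> window -> dport -> set of distinct peers.
    Only the distinct-peer sets per port survive, which is all the correlation
    step needs and is small enough to keep for a long time."""
    summary = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for f in flows:
        summary[f.src][f.window][f.dport].add(f.dst)
    return summary


def baseline_ports(summary, host: str, baseline_windows) -> Set[int]:
    """Ports the host contacted during its baseline period."""
    ports: Set[int] = set()
    for w in baseline_windows:
        ports.update(summary[host].get(w, {}).keys())
    return ports


def shifts(summary, host: str, baseline_windows, window: int) -> Set[int]:
    """Communication anomaly for one host: ports on which it newly fans out
    in `window` relative to its own baseline, judged without any payload."""
    seen = baseline_ports(summary, host, baseline_windows)
    return {p for p, peers in summary[host].get(window, {}).items()
            if p not in seen and len(peers) >= MIN_FANOUT}


def correlate(summary, baseline_windows, window: int, span: int = 1) -> Dict[int, Set[str]]:
    """Epidemic check at `window`: ports on which at least QUORUM distinct hosts
    showed the same shift within the last `span` windows. span=1 catches an
    exponential burst; a larger span accumulates a slowly spreading one."""
    hosts_by_port: Dict[int, Set[str]] = defaultdict(set)
    for w in range(window - span + 1, window + 1):
        for host in list(summary):
            for p in shifts(summary, host, baseline_windows, w):
                hosts_by_port[p].add(host)
    return {p: h for p, h in hosts_by_port.items() if len(h) >= QUORUM}


def make_filters(epidemics: Dict[int, Set[str]]) -> List[dict]:
    """Containment: block the spreading port from the hosts seen shifting.
    The rule format is illustrative, not a real firewall syntax."""
    return [{"action": "drop", "dport": p, "src": sorted(h)}
            for p, h in sorted(epidemics.items())]


def sample_flows() -> List[Flow]:
    """Constructed data: six workstations with a normal baseline in windows
    0-2 (DNS and one HTTPS peer), then a worm-like fan-out on port 445 that
    starts on one host in window 3 and reaches two more hosts per window."""
    hosts = [f"10.0.0.{i}" for i in range(1, 7)]
    flows: List[Flow] = []
    for w in range(0, 6):
        for h in hosts:
            flows.append(Flow(w, h, "10.0.0.53", 53))
            flows.append(Flow(w, h, "93.184.216.34", 443))
    infected = {3: ["10.0.0.1"], 4: ["10.0.0.2", "10.0.0.3"], 5: ["10.0.0.4", "10.0.0.5"]}
    for w, srcs in infected.items():
        for s in srcs:
            for i in range(20, 30):          # ten distinct peers on 445 each
                flows.append(Flow(w, s, f"10.0.0.{i}", 445))
    return flows


def detect(window: int, span: int) -> Dict[int, Set[str]]:
    """Run summary + correlation over the constructed flows at one window."""
    summary = summarize(sample_flows())
    return correlate(summary, baseline_windows=range(0, 3), window=window, span=span)


if __name__ == "__main__":
    for window, span in [(3, 1), (4, 1), (4, 2), (5, 3)]:
        found = detect(window, span)
        print(f"window={window} span={span} epidemics={found} filters={make_filters(found)}")
```

At window 4 a single-window check sees only two shifting hosts and stays quiet, while a two-window span correlates the three hosts that have fanned out on 445 since window 3 and emits a drop filter for that port; widening the span is what lets the same logic pick up a slower spread without any payload inspection.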
* Information listed above is at the time of submission. *