[Project Closed] From Jun. 2006 to Jun. 2009, at the Department of Information Management, National Taiwan University, as a PhD student under the supervision of Dr. Yeali S. Sun, and with CyLab and the School of Computer Science, Carnegie Mellon University, as a Visiting Scholar under the supervision of Dr. Hui Zhang.
Motivation. A slow-paced attack, such as a slow worm or bot, can remain undetectable indefinitely by slowing down its pace of movement. Detecting slow attacks with traditional anomaly detection techniques may yield high false alarm rates.
Solution. We use time series to model the outbound connection attempts of hosts. The regularity of the attack connections is preserved in the time series and can be observed in the frequency domain. Accordingly, we focus on time-series spectrum analysis and propose a detection method that identifies peculiar spectral patterns representing the occurrence of a recurring persistent activity in the time domain. We use both synthesized traffic and real-world traffic to evaluate our method. The results show that our method is efficient and effective in detecting slow-paced persistent activities even in a noisy environment with legitimate traffic.
Contribution. 1) This work analyzes the characteristics of slow-paced attacks and legitimate traffic in the frequency domain. 2) The proposed frequency-based method can effectively detect slow-paced attacks, which are difficult to observe in the time domain. 3) The proposed method is evaluated using both a synthesized data set and real-world traffic traces, and the advantages and limitations of the proposed method are fully discussed.
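The following is an added, self-contained illustration of the idea in the Solution paragraph; it is not the paper's code and the function names, the detection threshold, and the constructed traffic are assumptions. A per-second count of outbound connection attempts is built from Poisson-distributed legitimate traffic plus one attacker connection every 32 seconds, which is invisible as a time-domain outlier. The series is transformed with a radix-2 FFT, and a bin whose power stands far above the median noise floor is reported as a periodic activity, with the lowest such bin taken as the fundamental so that the harmonics of the pulse train do not mislead the period estimate. Running the block without an attack returns no detection.

```python
"""Added example (not the paper's code): spectral detection of slow-paced
periodic connection attempts. All names, thresholds and data are constructed
for illustration."""
import cmath
import math
import random


def poisson(rng, lam):
    """Knuth's algorithm for a Poisson sample with mean `lam`."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def synthesize_series(length, period, noise_rate, seed=1):
    """Constructed sample: outbound connection attempts per second for one host.
    Legitimate traffic is Poisson noise with mean `noise_rate` per second; a
    slow attacker adds exactly one attempt every `period` seconds (0 = none).
    `length` must be a power of two for the radix-2 FFT below."""
    rng = random.Random(seed)
    series = []
    for t in range(length):
        attack = 1 if period and t % period == 0 else 0
        series.append(poisson(rng, noise_rate) + attack)
    return series


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + tw
        out[k + n // 2] = even[k] - tw
    return out


def power_spectrum(series):
    """Power at frequency bins 1..n/2 (the DC bin is dropped by mean removal)."""
    n = len(series)
    if n & (n - 1):
        raise ValueError("series length must be a power of two")
    mean = sum(series) / n
    spec = fft([x - mean for x in series])
    return [abs(c) ** 2 for c in spec[1 : n // 2 + 1]]


def detect_periodic_activity(series, threshold=25.0):
    """Report a recurring activity if any spectral line exceeds `threshold`
    times the median bin power (the noise floor of legitimate traffic).
    Returns None when nothing stands out, else the fundamental period."""
    n = len(series)
    power = power_spectrum(series)
    floor = sorted(power)[len(power) // 2]  # median is robust to the lines
    significant = [k + 1 for k, p in enumerate(power) if p > threshold * floor]
    if not significant:
        return None
    k0 = min(significant)  # lowest bin = fundamental of the pulse train
    return {
        "bin": k0,
        "period_seconds": n / k0,
        "peak_ratio": power[k0 - 1] / floor,
        "num_lines": len(significant),
    }


if __name__ == "__main__":
    attacked = synthesize_series(8192, period=32, noise_rate=0.1, seed=7)
    clean = synthesize_series(8192, period=0, noise_rate=0.1, seed=7)
    # Time domain: the attacker's +1 per 32 s hides inside ordinary counts.
    print("max count with attack:", max(attacked), "without:", max(clean))
    print("detection with attack:", detect_periodic_activity(attacked))
    print("detection without attack:", detect_periodic_activity(clean))
```

The threshold of 25 times the median is chosen for this constructed series: with 8192 seconds of data, the 256 attacker pulses contribute a line of power 256² = 65536 at bin 256, while each noise bin carries on the order of n × var ≈ 819 on average. A real deployment would calibrate the floor and threshold on the host's legitimate traffic, as the paper's evaluation on real traces suggests.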
- Li-Ming Chen, Shun-Wen Hsiao, Meng Chang Chen, and Wanjiun Liao, “Slow-Paced Persistent Network Attacks Analysis and Detection Using Spectrum Analysis,” IEEE Systems Journal, issue 99, pp. 1-12, Sept. 2014. (SCI, IF: 1.980)
- Li-Ming Chen, Meng Chang Chen, Yeali S. Sun, Shun-Wen Hsiao, Vyas Sekar, and Hui Zhang, “Scalable Long-term Network Forensics for Epidemic Attacks,” in Proc. International Conference on Network and Service Security (N2S ‘09), Paris, France, Jun. 2009, pp. 1-6. (EI)