Distributed Detection of New Virus Threats in Large Scale Networks
Joshua Hailpern
Advisor: Benoit Morel
Carnegie Mellon University
Senior Thesis Research

ABSTRACT

The goal of this research is to explore whether the ideas proposed by von Neumann in the paper "Probabilistic Logics and the Synthesis of Reliable Organisms from Unreliable Components" can be extended to build a very large scale intrusion detection system able to detect new cyber-attacks with higher reliability than the "sum" of its components. The proposal is to build an information processor made of many components networked in such a way that its probabilities of false positives and false negatives are smaller than those of its individual components.

The first phase of the work consisted of familiarization with the details of the original paper. Von Neumann describes a system of "organs" in a nervous system. These "organs" (not organs like a heart or lungs, but rather a term for a small processing unit) each have some probability epsilon of misfiring. His paper therefore describes a method of merging their outputs so as to reduce the effect of "faulty" data. In addition, the paper addresses the case of different messages being detected by different sensors. Von Neumann provides a method for combining this information that uses the properties of large numbers to recover the "true state" of the system.

We are investigating whether von Neumann's nervous system design can be applied to anti-virus detection. Unlike the nervous network proposed by von Neumann, which transmits a single binary signal, the proposed virus detection network must accommodate other critical pieces of data: multiple viruses with different signatures, time discrepancies between detectors, and virus spread. In our paper, we investigate possible solutions to these aspects of applying von Neumann's work to a virus detection network.

The most recent phase of the work consisted of an in-depth study of anomaly detection (the main mechanism for detecting new threats), and in particular of system calls. We wished to understand how detectors based on system calls can exchange information in such a way that their aggregated probabilities of false positives and false negatives are much smaller than their individual probabilities of false positives and false negatives.
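As an added illustration, not code from the thesis, the following computes the aggregate false positive and false negative rates of a k-of-n vote over n independent detectors, the simplest form of von Neumann's redundancy argument; the per-detector rates are constructed sample values, and the result assumes the detectors' errors are independent, which is exactly the property a network of system-call detectors has to be designed for.

```python
from math import comb


def binomial_tail(n, k, p):
    """P(at least k of n independent Bernoulli(p) trials succeed)."""
    if k <= 0:
        return 1.0
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def aggregate_rates(n, p_fp, p_fn, k=None):
    """k-of-n fusion of n independent detectors: the network alarms iff at least k fire.

    p_fp / p_fn are each detector's false-positive / false-negative rates
    (constructed sample values in the demo below). The default k is a strict
    majority, i.e. von Neumann's majority organ.
    """
    if k is None:
        k = n // 2 + 1
    # False positive: on a clean host, at least k detectors fire by mistake.
    agg_fp = binomial_tail(n, k, p_fp)
    # False negative: on an infected host, fewer than k fire, i.e. at least n-k+1 miss.
    agg_fn = binomial_tail(n, n - k + 1, p_fn)
    return agg_fp, agg_fn


def improves_with_redundancy(p, sizes=(1, 3, 5, 11)):
    """True iff majority voting drives the error of symmetric detectors (fp = fn = p)
    strictly down as n grows. Von Neumann's condition: this holds only for p < 1/2."""
    errs = [aggregate_rates(n, p, p)[0] for n in sizes]
    return all(a > b for a, b in zip(errs, errs[1:]))


if __name__ == "__main__":
    # Constructed per-detector rates, not figures from the thesis.
    for n in (1, 3, 5, 11, 21):
        fp, fn = aggregate_rates(n, 0.10, 0.20)
        print(f"n={n:2d} majority  fp={fp:.5f} fn={fn:.5f}")
    # Lowering k to 1 (alarm if any detector fires) trades false positives for false negatives.
    print("n=5 k=1  fp=%.5f fn=%.5f" % aggregate_rates(5, 0.10, 0.20, k=1))
    print("improves at eps=0.1:", improves_with_redundancy(0.1))
    print("improves at eps=0.6:", improves_with_redundancy(0.6))
```

The independence assumption is the caveat: detectors that share the same blind spot (the same missing signature, the same unseen system-call pattern) make correlated errors, and the binomial tail then overstates the gain from adding more of them.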

Final Paper (PDF)

Final Presentation (Keynote slides; video)