SCS Undergraduate Thesis Topics
| Joshua Hailpern | Benoit Morel | Distributed Detection of New Virus Threats in Large Scale Networks |
The goal of this research was to explore the possibility of extending the ideas set out by John von Neumann in the paper Probabilistic Logics and the Synthesis of Reliable Organisms from Unreliable Components to build a very large scale intrusion detection system able to detect new cyber-attacks with higher reliability than its components. Specifically, the objective of this project was to design an information processor made of many networked components, arranged so that the probabilities of false positives and false negatives are smaller than those of the individual components. The first phase of the work consisted of familiarization with the details of the paper. Von Neumann described a system of "organs" in a nervous system. These "organs" were unlike their biological analogues, the heart or lungs; rather, the term described a small unit or component. Each organ had some chance of misfiring, termed epsilon. As a result, von Neumann's paper discussed a method of merging data from a variety of organs so as to reduce the effect of "faulty" data. In addition, his paper addressed the issue of different messages being detected by different sensors. Von Neumann provided a method for combining this information by using properties of large numbers to find the "true state" of the system.
We are currently investigating whether von Neumann's nervous system structure can be applied to anti-virus detection. Unlike the nervous network established by von Neumann to transmit a single binary signal, the proposed virus detection network must accommodate other critical pieces of data: multiple viruses with different signatures, time discrepancies between sensors, and virus spread. In our paper, we investigate possible solutions to these aspects of applying von Neumann's work to a virus detection network.
In particular, a virus detection system must draw more heavily on anomaly detection (the main mechanism for detecting previously unseen threats), as realized by monitoring operating system calls. The main idea is to examine how detectors using such system calls can exchange information so that their aggregated probabilities of false positives and false negatives are much smaller than the corresponding individual probabilities.
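The aggregation idea above, as an added worked example that is not code from the thesis or from von Neumann's paper: n detectors, each with its own false-positive and false-negative rate, combine their verdicts by simple majority (von Neumann's majority organ). For independent errors the aggregate error is a binomial upper tail, which falls quickly with n; the function `correlated_majority_error` adds an assumed "common-mode" error parameter `rho` (my construction, not part of the page) to show what happens when detectors share an error source, such as the same stale signature database. The sample verdicts are constructed.

```python
import math
from typing import Sequence, Tuple


def majority_vote(verdicts: Sequence[bool]) -> bool:
    """Combine detector verdicts (True = 'malicious') by simple majority.

    An odd number of voters avoids ties, so we insist on it.
    """
    if len(verdicts) % 2 == 0:
        raise ValueError("use an odd number of detectors to avoid ties")
    return sum(verdicts) > len(verdicts) // 2


def majority_error(n: int, eps: float) -> float:
    """Exact probability that the majority of n INDEPENDENT detectors,
    each wrong with probability eps, is itself wrong.

    This is the binomial upper tail P[at least ceil((n+1)/2) errors].
    """
    if n % 2 == 0:
        raise ValueError("n must be odd")
    k_min = n // 2 + 1
    return sum(
        math.comb(n, k) * eps ** k * (1.0 - eps) ** (n - k)
        for k in range(k_min, n + 1)
    )


def aggregate_rates(n: int, fp: float, fn: float) -> Tuple[float, float]:
    """False-positive and false-negative rate of the majority vote over n
    independent detectors that each have per-detector rates fp and fn.

    Voting on 'alert' shrinks both tails at once, which is the property the
    thesis wants from the aggregated network.
    """
    return majority_error(n, fp), majority_error(n, fn)


def correlated_majority_error(n: int, eps: float, rho: float) -> float:
    """Assumed common-mode error model (a constructed illustration, not the
    thesis's model): with probability rho every detector shares a single
    error coin; otherwise they err independently.

    Each detector's marginal error rate is still eps, but the shared part
    is not reduced by voting, so the aggregate error never drops below
    rho * eps no matter how many detectors are added.
    """
    if not 0.0 <= rho <= 1.0:
        raise ValueError("rho must be in [0, 1]")
    return rho * eps + (1.0 - rho) * majority_error(n, eps)


if __name__ == "__main__":
    # Constructed sample: three detectors, two flag the process as malicious.
    sample_verdicts = [True, False, True]
    print("combined verdict:", majority_vote(sample_verdicts))

    # Independent detectors: aggregate error falls fast with n.
    for n in (1, 3, 5, 9):
        fp, fn = aggregate_rates(n, fp=0.05, fn=0.20)
        print(f"n={n}: FP={fp:.5f}  FN={fn:.5f}")

    # Shared error source: the floor rho * eps is never beaten.
    for rho in (0.0, 0.2, 0.5):
        print(f"rho={rho}: n=9 error={correlated_majority_error(9, 0.1, rho):.5f}")
```

The whole gain comes from the independence assumption: detectors that all consult the same signature list, or all see the same poisoned training data, share their mistakes and the voting network inherits them. When designing the exchange of system-call observations between detectors, the thing to measure is therefore not only each detector's epsilon but how correlated their errors are.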