Is Host-Based Anomaly Detection + Temporal Correlation = Worm Causality?

Epidemic-spreading attacks (e.g., worm and botnet propagation) have a natural notion of attack causality – a single network flow causes a victim host to get infected and subsequently spread the attack. This paper is motivated by a simple question regarding the diagnosis of such attacks – is it possible to establish attack-causality through network-level monitoring, without relying on signatures and attack-specific properties? Using the observation that communication patterns of normal hosts are sparse, we posit the hypothesis that it is feasible to uncover attack causality through a combination of host-based anomaly detection and temporal correlation of network events. The contribution of this paper is a systematic exploration of this hypothesis over the spectrum of attack properties and system design options. Our analysis, trace-driven experiments, and real prototype based study suggest that it is feasible to establish attack causality accurately using anomaly detection and temporal event correlation in enterprise network environments with tens of thousands of hosts.