Intel® Technology Journal
Autonomic Computing
Volume 10, Issue 04, Published November 9, 2006
ISSN 1535-864X    DOI: 10.1535/itj.1004.04

  Section 7 of 13  
Towards autonomic enterprise security: self-defending platforms, distributed detection, and adaptive feedback
Simulation studies

Here we present a set of results that highlight the advantages of the proposed system. The results are based on data collected from a set of 37 machines over a five-week period. The LDs used were as described previously: the heuristic is the number of distinct connections initiated in a 50-second window, and an alarm is raised if this value exceeds 4. On top of the actual traffic traces that we replayed, we superimposed worm traffic generated according to an underlying distribution parameterized by the worm spread rate S (the number of attempted infections per worm per unit time) and the address density of the network being infected. The results shown here use S = 1/20 cps and an address density of 1/1000. In other words, each worm instance generates a new infection attempt every 20 seconds, and each attempt has a 1/1000 chance of reaching a valid (infectable) destination. The LDs in the simulation used an epoch of 10 seconds, i.e., every 10 seconds each LD picks a node at random and shares its belief (on or off) with it.

All of the GD models that we explored (except for the PosCount model) require estimates of the true-positive (TP) and false-positive (FP) rates of the individual LDs. To keep the comparison fair, we used the same parameters for all LDs (DBNs account for per-LD TP/FP rates in a principled fashion and would presumably do better than the other detectors if heterogeneous detectors were used).¹

Figure 4 shows the results for all GDs when the LDs pass one message per 10-second epoch. The sweet spot on this curve is the lower-left corner: a low FP rate combined with a global alarm that is triggered before many hosts are infected. As the figure shows, both DBN models clearly outperform the baseline GD models. The PosCount detector, at an FP rate of 100 per week, only raises a detection after the entire network is infected. The CuSum detector can operate at our target FP rate of 1 per week, but it detects at a much higher infection percentage (> 20%) than the DBN models. The CP-DBN, which is not designed to detect an epidemic spread, still achieves 1 FP per week while allowing only an 8% infection, and the E-DBN model, which was designed specifically for this scenario, detects at an infected-host percentage of about 4%. The top line shows the results obtained by sweeping the LD thresholds with no corroboration at all. Clearly, the E-DBN detector outperforms the rest, and even the CP-DBN detector performs better than the simpler models.
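As an added example (not code from this paper or from Intel's simulator), the following Python sketch reconstructs the LD heuristic described above (distinct connections in a 50-second window, alarm above 4) and two simple ways of combining LD beliefs: the PosCount baseline, which needs no TP/FP estimates, and a naive-Bayes corroboration that uses the TP = 0.6 and FP = 0.2 rates from footnote 1. The traces and destination labels are constructed, "distinct connection" is read as "distinct destination" (the page does not define the key), and the naive-Bayes combiner is an assumption for illustration; it is not the CP-DBN or E-DBN model. The worm portion of the trace issues one attempt every 20 seconds, matching S = 1/20 cps.

```python
"""Added example: a toy reconstruction of the local-detector (LD) heuristic
and two simple global-detector (GD) baselines from the simulation study.
Not the authors' simulator.  Parameter values come from the text and
footnote 1; the data layout and the naive-Bayes combiner are assumptions."""
from collections import deque
import math

WINDOW_SECONDS = 50   # LD window length from the text
LD_THRESHOLD = 4      # LD alarms when distinct connections in the window exceed this
LD_TP = 0.6           # per-LD true-positive rate, footnote 1
LD_FP = 0.2           # per-LD false-positive rate, footnote 1


def ld_alarms(events, window=WINDOW_SECONDS, threshold=LD_THRESHOLD):
    """Sliding-window LD over connections initiated by one host.

    `events` is an iterable of (t_seconds, dst).  "Distinct connection" is
    read as a distinct destination (assumption; the page does not say which
    key the authors counted on).  Returns the timestamps at which the number
    of distinct destinations in the trailing `window` seconds first rises
    above `threshold`; the alarm is re-armed once the count drops back.
    """
    recent = deque()        # (t, dst) pairs still inside the window
    alarms = []
    armed = True
    for t, dst in sorted(events):
        recent.append((t, dst))
        while recent[0][0] <= t - window:      # evict events older than the window
            recent.popleft()
        distinct = len({d for _, d in recent})
        if distinct > threshold:
            if armed:
                alarms.append(t)
                armed = False
        else:
            armed = True
    return alarms


def poscount(beliefs, k):
    """PosCount GD: raise a global alarm when at least k LDs report 'on'.
    Needs no TP/FP estimates, which is why the text singles it out."""
    return sum(1 for b in beliefs if b) >= k


def corroborated_posterior(beliefs, prior, tp=LD_TP, fp=LD_FP):
    """Naive-Bayes corroboration of independent on/off LD beliefs.

    The simplest way to use the TP/FP estimates; NOT the paper's CP-DBN or
    E-DBN.  It shows why one LD with TP=0.6, FP=0.2 is weak evidence
    (likelihood ratio 3) and why corroboration across LDs is needed.
    Returns P(outbreak | beliefs).
    """
    log_odds = math.log(prior / (1.0 - prior))
    for on in beliefs:
        # an 'on' report multiplies the odds by TP/FP, an 'off' by (1-TP)/(1-FP)
        log_odds += math.log(tp / fp) if on else math.log((1.0 - tp) / (1.0 - fp))
    return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed traces (not measured data).  Times are seconds; destinations are
# opaque labels.  BENIGN is a desktop talking to three internal services.
BENIGN = [(0, "mail"), (10, "web"), (30, "dns"), (60, "web"), (100, "mail")]
# WORM is the same host after infection at t=40: one attempt every 20 s
# (S = 1/20 cps) to addresses that are mostly unused (density 1/1000), so
# every attempt is a new distinct destination.
WORM = BENIGN + [(40, "10.0.3.7"), (60, "10.0.9.2"), (80, "10.0.1.5"),
                 (100, "10.0.7.7"), (120, "10.0.2.9")]


def demo():
    """Run the LD over both traces and combine ten constructed LD beliefs."""
    beliefs = [True] * 6 + [False] * 4     # ten LDs after gossip, six 'on'
    return {
        "benign_alarms": ld_alarms(BENIGN),          # []
        "worm_alarms": ld_alarms(WORM),              # [100]
        "poscount_k2": poscount(beliefs, 2),
        "posterior_one_on": corroborated_posterior([True], 0.01),
        "posterior_6_of_10": corroborated_posterior(beliefs, 0.01),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a 1% prior, a single 'on' LD only lifts the posterior to about 3%, while six of ten 'on' reports (each 'off' halving the odds) push it above 30%; the page's point that the DBN models get far more out of the same per-LD rates than PosCount or threshold sweeping stands, but this combiner is only a baseline against which to read that claim.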

In the next section, we describe how such a detection framework can trigger a containment response from control points deployed in the enterprise.

¹ A TP rate of 0.6 and an FP rate of 0.2 were used for the simulations whose results are presented here.

