Published in: Pattern Analysis and Applications 4/2012

01.11.2012 | Industrial and Commercial Application

Detecting unknown computer worm activity via support vector machines and active learning

Authors: Nir Nissim, Robert Moskovitch, Lior Rokach, Yuval Elovici

Abstract

To detect the presence of unknown worms, we propose a technique based on computer measurements extracted from the operating system. We designed a series of experiments to test the new technique by employing several computer configurations and background application activities. In the course of the experiments, 323 computer features were monitored. Four feature-ranking measures were used to reduce the number of features required for classification. We applied support vector machines to the resulting feature subsets. In addition, we used active learning as a selective sampling method to increase the performance of the classifier and improve its robustness in the presence of misleading instances in the data. Our results indicate a mean detection accuracy in excess of 90 %, and an accuracy above 94 % for specific unknown worms using just 20 features, while maintaining a low false-positive rate when the active learning approach is applied.
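The abstract describes a three-stage pipeline: rank the monitored host measurements and keep a small subset, train a support vector machine on that subset, and use active learning to choose which new instances are worth labelling. The block below is an added illustration of that pipeline and is not the paper's code. It makes several assumptions that the abstract does not fix: a constructed synthetic dataset of eight named host counters stands in for the 323 monitored features, a Fisher score stands in for the four (unnamed) feature-ranking measures, a linear SVM trained with the Pegasos sub-gradient method stands in for the paper's SVM implementation, and uncertainty sampling (query the unlabelled snapshot closest to the current margin) stands in for the paper's selective-sampling policy. Labels are generated, not taken from real worm traces.

```python
"""Host-measurement worm detection: feature ranking + linear SVM + active learning.

Added illustration, not the paper's code. All data below is constructed.
"""
import random

# Constructed feature names; a stand-in for the 323 OS measurements in the paper.
FEATURE_NAMES = ["proc_count", "ctx_switches", "tcp_conn_rate", "page_faults",
                 "disk_writes", "dns_queries", "thread_count", "cpu_user"]
# Assumed: only two counters shift their mean while a worm is active.
INFORMATIVE = {0: 3.0, 2: -3.0}


def make_dataset(n, seed):
    """n constructed host snapshots; label +1 = worm active, -1 = benign background."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        label = 1 if rng.random() < 0.5 else -1
        x = [rng.gauss(0.0, 1.0) for _ in FEATURE_NAMES]
        if label == 1:
            for idx, shift in INFORMATIVE.items():
                x[idx] += shift
        data.append((x, label))
    return data


def fisher_scores(data):
    """Per-feature Fisher score: squared class-mean gap over summed class variances."""
    pos = [x for x, y in data if y == 1]
    neg = [x for x, y in data if y == -1]
    scores = []
    for j in range(len(FEATURE_NAMES)):
        mp = sum(x[j] for x in pos) / len(pos)
        mn = sum(x[j] for x in neg) / len(neg)
        vp = sum((x[j] - mp) ** 2 for x in pos) / len(pos)
        vn = sum((x[j] - mn) ** 2 for x in neg) / len(neg)
        scores.append((mp - mn) ** 2 / (vp + vn + 1e-9))
    return scores


def select_features(data, k):
    """Indices of the k best-ranked features (ranking done on a labelled calibration set)."""
    scores = fisher_scores(data)
    return sorted(range(len(scores)), key=lambda j: -scores[j])[:k]


def project(data, feats):
    """Keep only the selected features and append a constant 1.0 as the bias input."""
    return [([x[j] for j in feats] + [1.0], y) for x, y in data]


def train_svm(data, lam=0.01, epochs=50, seed=0):
    """Linear SVM via Pegasos: stochastic sub-gradient descent on the hinge loss."""
    rng = random.Random(seed)
    w = [0.0] * len(data[0][0])
    t = 0
    for _ in range(epochs):
        order = list(range(len(data)))
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            x, y = data[i]
            margin = y * decision(w, x)
            w = [(1 - eta * lam) * wi for wi in w]          # shrink (regulariser)
            if margin < 1:                                   # hinge-loss violation
                w = [wi + eta * y * xi for wi, xi in zip(w, x)]
    return w


def decision(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def accuracy(w, data):
    return sum(1 for x, y in data if (decision(w, x) > 0) == (y == 1)) / len(data)


def active_learn(pool, seed_size, budget, seed=0):
    """Uncertainty sampling: repeatedly label the pool snapshot nearest the SVM margin."""
    rng = random.Random(seed)
    idx = list(range(len(pool)))
    rng.shuffle(idx)
    labeled, unlabeled = idx[:seed_size], idx[seed_size:]
    w = train_svm([pool[i] for i in labeled])
    for _ in range(budget):
        # Labels stay hidden until queried; the smallest |w.x| is the most uncertain.
        j = min(unlabeled, key=lambda u: abs(decision(w, pool[u][0])))
        unlabeled.remove(j)
        labeled.append(j)
        w = train_svm([pool[i] for i in labeled])
    return w, len(labeled)


def run_demo():
    train = make_dataset(300, seed=1)   # labelled calibration pool (constructed)
    test = make_dataset(200, seed=2)    # held-out snapshots (constructed)
    feats = select_features(train, k=3)
    pool, held = project(train, feats), project(test, feats)
    w, n_labels = active_learn(pool, seed_size=10, budget=30)
    return {"features": feats, "w": w, "labels_used": n_labels,
            "accuracy": accuracy(w, held)}


if __name__ == "__main__":
    print(run_demo())
```

The two shifted counters come out on top of the ranking, and a classifier trained on only 40 labelled snapshots (10 seed plus 30 queried) separates the held-out set well because each query lands near the current decision boundary, where a label changes the model the most. In a real deployment the held-out set would consist of worm families never seen in training, which is what the abstract's "unknown worm" figures measure; this synthetic test set is drawn from the same distribution and only checks the mechanics.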


Metadata
Title
Detecting unknown computer worm activity via support vector machines and active learning
Authors
Nir Nissim
Robert Moskovitch
Lior Rokach
Yuval Elovici
Publication date
01.11.2012
Publisher
Springer-Verlag
Published in
Pattern Analysis and Applications / Issue 4/2012
Print ISSN: 1433-7541
Electronic ISSN: 1433-755X
DOI
https://doi.org/10.1007/s10044-012-0296-4
