Authors: Dima Stopel, Zvi Boger, Robert Moskovitch, Yuval Shahar, Yuval Elovici

Abstract:

Computer worm detection is commonly performed by antivirus software tools that rely on prior explicit knowledge of the worm-s code (detection based on code signatures). We present an approach for detection of the presence of computer worms based on Artificial Neural Networks (ANN) using the computer's behavioral measures. Identification of significant features, which describe the activity of a worm within a host, is commonly acquired from security experts. We suggest acquiring these features by applying feature selection methods. We compare three different feature selection techniques for the dimensionality reduction and identification of the most prominent features to capture efficiently the computer behavior in the context of worm activity. Additionally, we explore three different temporal representation techniques for the most prominent features. In order to evaluate the different techniques, several computers were infected with five different worms and 323 different features of the infected computers were measured. We evaluated each technique by preprocessing the dataset according to each one and training the ANN model with the preprocessed data. We then evaluated the ability of the model to detect the presence of a new computer worm, in particular, during heavy user activity on the infected computers.

Keywords: Artificial Neural Networks, Feature Selection, Temporal Analysis, Worm Detection.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1329575

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1718

References:

[1] P. Kabiri and A.A. Ghorbani, "Research on intrusion detection and response: A survey," International Journal of Network Security, vol. 1(2) Sept. 2005, pp. 84-102.
[2] S. Zanero and S.M. Savaresi, "Unsupervised learning techniques for an intrusion detection system," Proc. 2004 ACM symposium on Applied Computing, 2004, pp. 412-419.
[3] H.G. Kayacik, A.N. Zincir-Heywood and M.I. Heywood "On the capability of an SOM based intrusion detection system," Proc. Int. Joint Conf. Neural Networks Vol. 3, 2003, pp. 1808-1813.
[4] J. Z. Lei and A. Ghorbani, "Network intrusion detection using an improved competitive learning neural network," Proc. Second Annual Conf. Communication Networks and Services Research (CNSR04), 2004, pp. 190-197.
[5] P. Z. Hu and Malcolm I. Heywood, "Predicting intrusions with local linear model," Proc. Int. Joint Conf. Neural Networks, Vol. 3, 2003, pp. 1780-1785.
[6] S. Mukkamala, G. Janoski, and A. Sung, "Intrusion detection using neural networks and support vector machines," Proc. High Performance Computing Symposium - HPC 2002, pp 178-183.
[7] I. Yoo. "Visualizing windows executable viruses using self-organizing maps," Proc. 2004 ACM Workshop on Visualization and Data Mining for Computer Security. 2004.
[8] U. Ultes-Nitsche and I. Yoo. "An Integrated Network Security Approach: Pairing Detecting Malicious Patterns with Anomaly Detection," Proc. Conference on Korean Science and Engineering Association in UK.
[9] Z. Liu, S.M. Bridges and R.B. Vaughn "Classification of anomalous traces of privileged and parallel programs by neural networks," Proc. FuzzIEEE 2003, pp. 1225-1230.
[10] D. Stopel, Z. Boger, R. Moskovitch, Y. Shahar and Y. Elovici. "Application of Artificial Neural Networks Techniques to Computer Worm Detection," Proc. International Joint Conference on Neural Networks, Vancouver, 2006.
[11] M.B. Hagan, M.T. Menhaj. "Training feed forward networks with the Marquardt algorithm," IEEE Transactions on Neural Networks, Vol. 5(6), 1994, pp. 989-993.
[12] Z. Boger. "Selection of the quasi-optimal inputs in chemometric modeling by artificial neural network analysis," Analytica Chimica Acta 490(1-2) (2003) 31-40
[13] T. Golub, D. Slonim, P. Tamaya, C. Huard, M. Gaasenbeek, J. Mesirov, H. Coller, M. Loh, J. Downing, M. Caligiuri, C. Bloomfield, and E. Lander. "Molecular classification of cancer: Class discovery and class prediction by gene expression monitoring," Science, 286:531-537, 1999.
[14] T. Mitchell. Machine Learning. McGraw-Hill, 1997.
[15] J. Lorch, A. J. Smith. "The VTrace tool: building a system tracer for Windows NT and Windows 2000," MSDN Magazine, 15(10):86-102, October 2000.
[16] I.H. Witten and E. Frank, Data Mining: Practical machine learning tools and techniques, 2nd Edition, Morgan Kaufmann, San Francisco, 2005.
[17] K. Baba, I. Enbutu, M. Yoda. "Explicit representation of knowledge acquired from plant historical data using neural network," Proc. International Joint Conference on Neural Networks, Vol. 3 (1990) 155- 160
[18] (342/2006) R. Moskovitch, I. Gus, S. Pluderman, D. Stopel, C. Glezer, Y. Shahar, Y. Elovici. "Detection of Unknown Computer Worms Activity Based on Computer Behavior using Machine Learning Techniques," Department of Information System Engineering, Ben- Gurion University of the Negev, Israel (2006)