Learning on User Behavior for Novel Worm Detection.

Steve Martin, Anil Sewani, Blaine Nelson, Karl Chen, and Anthony Joseph {steve0, anil, nelsonb, quarl, University of California at Berkeley

The Problem: Worms
(source:
Worms cause billions of dollars of damage yearly.
–Nearly all of the most virulent worms of 2004 spread by email.

Current Solutions
Signature-based methods are effective against known worms only.
–25 new Windows viruses a day released during 2004!
Human element slows reaction times.
–Signature generation can take hours to days.
–Signature acquisition and application can take hours to never.
Signature methods are mired in an arms race.
–MyDoom.m and Netsky.b got through EECS mail scanners.

Statistical Approaches
Unsupervised learning on network behavior.
–Leverage a behavioral invariant: a worm seeks to propagate itself over a network.
Previous work: novelty detection by itself is not enough.
–Many false negatives = the worm attack will succeed.
–Many false positives = irritated network admins.
Common solution: make the novelty detector model very sensitive.
–Tradeoff: introduces additional false positives.
–Can render a detection system useless.

Our Approach
Use a two-layer approach to filter novelty detector results.
–The novelty detector minimizes false negatives.
–A secondary classifier filters out false positives.
Leverage human reactions and existing methods to improve the secondary classifier.
–Use supervisor feedback to partially label the data corpus.
–Correct and retrain as signatures become available.
Filter novelty detection results with a per-user classifier trained on semi-supervised data.

Per-User Detection Pipeline

Pipeline Details
Both per-email and per-user features are used.
–User features capture elements of behavior over a window of time.
–Email features examine individual snapshots of behavior.
Any novelty detector can be inserted.
–These results use a Support Vector Machine.
–One SVM is trained on all users' normal email.
A parametric classifier leverages distinct feature distributions via a generative graphical model.
–A separate model is fit for each user.
–The classifier retrains over semi-supervised data.

System Deployment

Using Feedback
Use existing virus scanners to update the corpus.
–For each email within the last d days: if the scanner returns virus, we label it virus; if the scanner returns clean, we leave the current label.
–Outside the previous d days, the scanner labels directly.
Threshold the number of emails classified as virus to detect user infection.
–The machine is quarantined and the infected emails are queued.
If the infection is confirmed, i random messages from the queue are labeled by the supervisor.
–The model is retrained.
–Labels are retained until the virus scanner corrects them.
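The scanner-feedback labeling rule, the infection threshold and the supervisor sampling step from this slide, as an added example (my code, not the authors' system); the Message record, the callable supervisor and the sample corpus are assumptions made for the demonstration, and model retraining is left out.

```python
from dataclasses import dataclass
import random

@dataclass
class Message:
    msg_id: int
    age_days: int    # days since the message was seen
    label: str       # current corpus label: "clean" or "virus"
    scanner: str     # existing virus scanner verdict: "clean", "virus" or "unknown"
    detected: bool   # True if the per-user classifier flagged it as a virus

def apply_scanner_feedback(corpus, d):
    """Relabel the corpus from scanner results as the slide describes: within the
    last d days a 'virus' verdict sets the label to virus and a 'clean' verdict
    leaves the current (possibly supervisor-given) label alone; for messages older
    than d days the scanner's verdict is taken directly."""
    for m in corpus:
        if m.scanner == "unknown":
            continue                          # no signature yet: nothing to correct
        if m.age_days <= d:
            if m.scanner == "virus":
                m.label = "virus"
        else:
            m.label = m.scanner
    return corpus

def infection_check(corpus, threshold):
    """Quarantine decision: the user counts as infected once at least `threshold`
    messages were classified as virus; those messages form the queue."""
    queue = [m for m in corpus if m.detected]
    return len(queue) >= threshold, queue

def supervisor_label(queue, i, supervisor, seed=0):
    """Once the infection is confirmed, draw i random queued messages and store
    the supervisor's label for each (supervisor is a callable; assumed here)."""
    rng = random.Random(seed)                 # fixed seed keeps the run reproducible
    chosen = rng.sample(queue, min(i, len(queue)))
    for m in chosen:
        m.label = supervisor(m)
    return sorted(m.msg_id for m in chosen)

def build_corpus():
    """Constructed sample corpus (not data from the paper)."""
    return [
        Message(1, 1, "clean", "virus", True),    # fresh, scanner now knows it: -> virus
        Message(2, 2, "virus", "clean", True),    # fresh, supervisor-labeled virus: keep
        Message(3, 9, "virus", "clean", False),   # older than d: scanner's clean wins
        Message(4, 1, "clean", "unknown", True),  # no signature yet: label untouched
        Message(5, 12, "clean", "virus", False),  # older than d: scanner's virus wins
    ]
```

Message 2 shows why a recent "clean" verdict is ignored: the scanner may simply lack a signature yet, so the supervisor's label survives until the scanner can confirm it.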

Feedback Utilization Process

Evaluation
Examined feature distributions on real email.
–Live study with an augmented mail server and 20 users.
–Used the Enron data set for further evaluation.
Collected virus data for six worms using virtual machines and a real address book.
–BubbleBoy, MyDoom.u, MyDoom.m, Netsky.d, Sobig.f, Bagle.f
Constructed training/test sets of real traffic artificially 'infected' with viruses.
–Infections interleaved while preserving the intervals between worm emails.

Results I
Average accuracy: 79.45%
Training set: 1000 infected emails from 5 different worms, 400 clean emails
Test set: 200 infected emails, 1200 clean emails

Table 1. Results using only SVM
Virus Name   False Positives   False Negatives   Accuracy
BubbleBoy    23.56%            1.01%             79.64%
Bagle.F      23.90%            0.00%             79.50%
Netsky.D     24.06%            0.00%             79.36%
Mydoom.U     23.98%            0.00%             79.43%
Mydoom.M     23.61%            0.00%             79.71%
Sobig.F      24.14%            1.51%             79.07%

Results II
Average accuracy: 99.69%
Training set: 1000 infected emails from 5 different worms, 400 clean emails
Test set: 200 infected emails, 1200 clean emails

Table 2. Results using SVM and Semi-Supervised Classifier
Virus Name   False Positives   False Negatives   Accuracy
BubbleBoy    0.00%             1.51%             99.79%
Bagle.F      0.00%             2.01%             99.71%
Netsky.D     0.00%             2.01%             99.71%
Mydoom.U     0.00%             2.01%             99.64%
Mydoom.M     0.00%             2.03%             99.64%
Sobig.F      0.00%             2.01%             99.64%