TY - GEN
T1 - Detection of unknown computer worms activity based on computer behavior using data mining
AU - Moskovitch, Robert
AU - Gus, Ido
AU - Pluderman, Shay
AU - Stopel, Dima
AU - Glezer, Chanan
AU - Shahar, Yuval
AU - Elovici, Yuval
PY - 2007
Y1 - 2007
N2 - Detecting unknown worms is a challenging task. Extant solutions, such as anti-virus tools, rely mainly on prior explicit knowledge of specific worm signatures. As a result, after the appearance of a new worm on the Web there is a significant delay until an update carrying the worm's signature is distributed to anti-virus tools. During this time interval a new worm can infect many computers and create significant damage. We propose an innovative technique for detecting the presence of an unknown worm, not necessarily by recognizing specific instances of the worm, but rather based on computer measurements. We designed an experiment to test the new technique employing several computer configurations and background application activity. During the experiments 323 computer features were monitored. Four feature selection techniques were used to reduce the number of features, and four classification algorithms were applied to the resulting feature subsets. Our results indicate that this approach achieved above 90% average accuracy, and for specific unknown worms accuracy reached above 99%, using just 20 features while maintaining a low false positive rate.
AB - Detecting unknown worms is a challenging task. Extant solutions, such as anti-virus tools, rely mainly on prior explicit knowledge of specific worm signatures. As a result, after the appearance of a new worm on the Web there is a significant delay until an update carrying the worm's signature is distributed to anti-virus tools. During this time interval a new worm can infect many computers and create significant damage. We propose an innovative technique for detecting the presence of an unknown worm, not necessarily by recognizing specific instances of the worm, but rather based on computer measurements. We designed an experiment to test the new technique employing several computer configurations and background application activity. During the experiments 323 computer features were monitored. Four feature selection techniques were used to reduce the number of features, and four classification algorithms were applied to the resulting feature subsets. Our results indicate that this approach achieved above 90% average accuracy, and for specific unknown worms accuracy reached above 99%, using just 20 features while maintaining a low false positive rate.
UR - http://www.scopus.com/inward/record.url?scp=34548765680&partnerID=8YFLogxK
U2 - 10.1109/CISDA.2007.368150
DO - 10.1109/CISDA.2007.368150
M3 - Conference contribution
AN - SCOPUS:34548765680
SN - 1424407001
SN - 9781424407002
T3 - Proceedings of the 2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications, CISDA 2007
SP - 169
EP - 177
BT - Proceedings of the 2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications, CISDA 2007
T2 - 2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications, CISDA 2007
Y2 - 1 April 2007 through 5 April 2007
ER -