Detection of unknown computer worms activity based on computer behavior using data mining

Robert Moskovitch, Ido Gus, Shay Pluderman, Dima Stopel, Chanan Glezer, Yuval Shahar, Yuval Eloyici

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

12 Scopus citations

Abstract

Detecting unknown worms is a challenging task. Extant solutions, such as anti-virus tools, rely mainly on prior explicit knowledge of specific worm signatures. As a result, after the appearance of a new worm on the Web there is a significant delay until all update carrying the worm's signature is distributed to anti-virus tools. During this time interval a new worm can infect many computers and create significant damage. We propose an innovative technique for detecting the presence of an unknown worm, not necessarily by recognizing specific instances of the worm, but rather based on the computer measurements. We designed an experiment to test the new technique employing several computer configurations and background applications activity. During the experiments 323 computer features were monitored. Four feature selection techniques were used to reduce the amount of features and four classification algorithms were applied on the resulting feature subsets. Our results indicate that using this approach resulted, in above 90% average accuracy, and for specific unknown worms accuracy reached above 99%, using just 20 features while maintaining a low level of false positive rate.

Original languageEnglish
Title of host publicationProceedings of the 2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications, CISDA 2007
Pages169-177
Number of pages9
DOIs
StatePublished - 2007
Externally publishedYes
Event2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications, CISDA 2007 - Honolulu, HI, United States
Duration: 1 Apr 20075 Apr 2007

Publication series

NameProceedings of the 2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications, CISDA 2007

Conference

Conference2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications, CISDA 2007
Country/TerritoryUnited States
CityHonolulu, HI
Period1/04/075/04/07

Fingerprint

Dive into the research topics of 'Detection of unknown computer worms activity based on computer behavior using data mining'. Together they form a unique fingerprint.

Cite this