DocumentCode
1952670
Title
Detecting worms via mining dynamic program execution
Author
Wang, Xun ; Yu, Wei ; Champion, Adam ; Fu, Xinwen ; Xuan, Dong
Author_Institution
Department of Computer Science and Engineering, The Ohio-State University, Columbus, 43210, USA
fYear
2007
fDate
17-21 Sept. 2007
Firstpage
412
Lastpage
421
Abstract
Worm attacks have been major security threats to the Internet. Detecting worms, especially new, unseen worms, is still a challenging problem. In this paper, we propose a new worm detection approach based on mining dynamic program executions. This approach captures dynamic program behavior to provide accurate and efficient detection against both seen and unseen worms. In particular, we execute a large number of real-world worms and benign programs (executables), and trace their system calls. We apply two classifier-learning algorithms (Naive Bayes and Support Vector Machine) to obtain classifiers from a large number of features extracted from the system call traces. The learned classifiers are further used to carry out rapid worm detection with low overhead on the end-host. Our experimental results clearly demonstrate the effectiveness of our approach to detect new worms in terms of a very high detection rate and a low false positive rate.
Keywords
Application software; Computer science; Computer worms; Internet; Libraries; Monitoring; Peer to peer computing; Runtime; Security; Support vector machines; Worm detection; data mining; dynamic program analysis; system call tracing;
fLanguage
English
Publisher
ieee
Conference_Titel
Security and Privacy in Communications Networks and the Workshops, 2007. SecureComm 2007. Third International Conference on
Conference_Location
Nice, France
Print_ISBN
978-1-4244-0974-7
Electronic_ISBN
978-1-4244-0975-4
Type
conf
DOI
10.1109/SECCOM.2007.4550362
Filename
4550362