• DocumentCode
    2295375
  • Title

    A Data Mining Approach for Detection of Self-Propagating Worms

  • Author

    Marhusin, Mohd Fadzli ; Lokan, Chris ; Larkin, Henry ; Cornforth, David

  • Author_Institution
    Univ. of New South Wales at ADFA, Canberra, ACT, Australia
  • fYear
    2009
  • fDate
    19-21 Oct. 2009
  • Firstpage
    24
  • Lastpage
    29
  • Abstract
    In this paper we demonstrate our signature-based detector for self-propagating worms. We use a set of worm and benign traffic traces from several endpoints to build benign and worm profiles. These profiles were arranged into separate n-ary trees. We also demonstrate our anomaly detector, which was used to deal with tied matches between the worm and benign trees. We analyzed the performance of each detector individually and of their integration. Results show that our signature-based detector achieves a very high true positive rate. Meanwhile, the anomaly detector did not achieve a high true positive rate. Both detectors, when used independently, suffer from high false positive rates. However, when both detectors were integrated, they maintained a high true positive detection rate and minimized false positives.
  • Keywords
    computer viruses; data mining; trees (mathematics); benign profiles; data mining approach; n-ary trees; self-propagating worm detection; worm profiles; Australia; Computer vision; Computer worms; Data mining; Data security; Detectors; Entropy; Information security; Performance analysis; Tree data structures; anomaly detector; self-propagating worm; signature based detector; worm detector;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Network and System Security, 2009. NSS '09. Third International Conference on
  • Conference_Location
    Gold Coast, QLD
  • Print_ISBN
    978-1-4244-5087-9
  • Electronic_ISBN
    978-0-7695-3838-9
  • Type

    conf

  • DOI
    10.1109/NSS.2009.88
  • Filename
    5319003