Title :
Using Session-Keystroke Mutual Information to Detect Self-Propagating Malicious Codes
Author :
Khayam, Syed Ali ; Radha, Hayder
Author_Institution :
Nat. Univ. of Sci. & Technol. (NUST), Rawalpindi
Abstract :
In this paper, we propose an endpoint-based joint network-host anomaly detection technique to detect self-propagating malicious codes. Our proposed technique is based on the observation that on any endpoint there exists very high correlation between benign network sessions and the keystrokes that trigger these sessions. Specifically, users generally use a few keystrokes to trigger most of the benign network sessions. On the other hand, malicious sessions originating from a compromised endpoint will not have the session-keystroke correlation. We leverage this observation in a novel information-theoretic framework that characterizes the session-keystroke correlation in terms of their mutual information. Changes in session-keystroke mutual information are used to detect malicious codes in an automated and real-time fashion. To evaluate the proposed anomaly detector, we use actual traffic and keystroke data collected on benign and infected endpoints. We show that the proposed anomaly detector provides almost 100% detection with negligible false-alarm rates and significantly surpasses the accuracy of existing techniques.
Keywords :
cryptography; infected endpoints; information-theoretic framework; malicious sessions; negligible false-alarm rates; network sessions; network-host anomaly detection technique; self-propagating malicious codes; session-keystroke mutual information; Communications Society; Computer networks; Detectors; Information technology; Mice; Mutual information; Random variables; Telecommunication traffic; Traffic control; USA Councils;
Conference_Titel :
Communications, 2007. ICC '07. IEEE International Conference on
Conference_Location :
Glasgow
Print_ISBN :
1-4244-0353-7
DOI :
10.1109/ICC.2007.233