Exploiting temporal consistency to reduce false positives in host-based, collaborative detection of worms

Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

Volumn , Issue , 2006, Pages 25-32

  Malan, David J ^a   Smith, Michael D ^a  

^a HARVARD UNIVERSITY   (United States)

Author keywords

Collaborative detection; HIDS; Host based intrusion detection; IDS; Native API; Peers; System calls; System services; Temporal consistency; Win32; Windows; Worms

Indexed keywords

COLLABORATIVE DETECTION; HOST-BASED INTRUSION DETECTION; SYSTEM CALLS; SYSTEM SERVICES; TEMPORAL CONSISTENCY; WIN32;

COMPUTER ARCHITECTURE; COMPUTER SIMULATION; COMPUTER VIRUSES; DISTRIBUTED COMPUTER SYSTEMS; SOFTWARE PROTOTYPING; USER INTERFACES;

INTRUSION DETECTION;

EID: 34547367531     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1179542.1179548     Document Type: Conference Paper

References (49)

1. Advanced Micro Devices, Inc. AMD's Virtualization Solutions, enterprise. amd.com/us-en/Solutions/Consolidation/virtualization.aspx.
2. E. Anderson and J. Li. Aggregating Detectors for New Worm Identification. In USENIX 2004 Work-in-Progress Reports. USENIX, June 2004.
3. F. Apap, A. Honig, S. Hershkop, E. Eskin, and S. Stolfo. Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses. In Proc. of the 5th Int'l Symposium on Recent Advances in Intrusion Detection, 2002.
4. Intel Corp. Intel Virtualization Technology. www.Intel.com/technology/ computing/vptech/.
5. P. Dabak, S. Phadke, and M. Borate. Undocumented Windows NT. M&T Books, 1999.
6. D. R. Ellis, J. G. Aiken, K. S. Attwood, and S. D. Tenaglia. A Behavioral Approach to Worm Wetection. In Proc. of the 2004 ACM Workshop on Rapid Malcode, pages 43-53, New York, NY, USA, 2004. ACM Press.
7. E. Eskin. Anomaly Detection over Noisy Data Using Learned Probability Distributions. In Proc. of the 17th International Conference on Machine Learning, 2000.
8. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. A Sense of Self for Unix Processes. In Proc. of the 1996 IEEE Symposium on Research in Security and Privacy, pages 120-128. IEEE Computer Society Press, 1996.
9. Orisoft Inc. www.grisoft.com.
10. J. Gulbrandsen. How Do Windows NT System Calls REALLY Work? www.codeguru.com/Cpp/w-P/system/devicedriverdevelopment/article.php/c8035/, August 2004.
11. J. Gulbrandsen. System Call Optimization with the SYSENTER Instruction. www.codeguru.com/Cpp/W-P/system/devicedriverdevelopment/article.php/c8223/, October 2004.
12. J. Harris. YAC: Yet Another Caller ID Program. sunflowerhead.com/ software/yac/.
13. B. Henderson. XML-RPC for C and C++. xmlrpc-c.sourceforge.net.
14. N. P. Herath. Adding Services To The NT Kernel. microsoft.public.Win32. programmer.kernel, October 1998.
15. S. A. Hofmeyr. An Immunological Model of Distributed Detection and Its Application to Computer Security. PhD thesis, 1999.
16. S. A. Hofmeyr, S. Forrest, and A. Somayaji. Intrusion Detection Using Sequences of System Calls. Journal of Computer Security, 6(3):151-180, 1998.
17. R. Hu and A. K. Mok. Detecting Unknown Massive Mailing Viruses Using Proactive Methods. In Proc. of the 7th Int'l Symposium on Recent Advances in Intrusion Detection, 2004.
18. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In Proc. of the IEEE Symposium on Security and Privacy, May 2004.
19. H. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In USENIX Security Symposium, pages 271-286, 2004.
20. W. Lee, S. J. Stolfo, and P. K. Chan. Learning Patterns from Unix Process Execution Traces for Intrusion Detection, pages 50-56. AAAI Press, 1997.
21. D. J. Malan and M. D. Smith. Host-Based Detection of Worms through Peer-to-Peer Cooperation. In Proc. of the 2005 A CM Workshop on Rapid Malcode, New York, NY, USA, 2005. ACM Press.
22. McAfee, Inc. www.mcafee.com.
23. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Security and Privacy, 1(4):33-39, 2003.
24. G. Nebbett. Windows NT/2000 Native API Reference. MTP, 2000.
25. J. Newsome, B. Karp, and D. Song. Polygraph: Automatically Generating Signatures For Polymorphic Worms. In USENIX Security Symposium, 2005.
26. PC World Communications, Inc. WorldBench 5. www.worldbench.com.
27. M. Pietrek. Poking Around Under the Hood: A Programmer's View of Windows NT 4.0. Microsoft Systems Journal, August 1996. www.microsoft.com/msj/ archive/s413.aspx.
28. The Metasploit Project. Windows System Call Table (NT/2000/XP/2003). www.metasploit.com/users/opcode/syscalls.html.
29. N. Provos. Improving Host Security with System Call Policies. In USENIX Security Symposium, pages 257-272, 2003.
30. T. J. Robbins. Windows NT System Service Table Hooking, www.wiretapped.net/~fyre/sst.html.
31. P. Roberts. Mydoom Sets Speed Records. www.pcworld.com/news/article/0, aid,114461,00.asp.
32. M. Russinovich. Inside the Native API. www.sysinternals.com/Information/ NativeApi.html, 1998.
33. T. Sabin. Personal correspondence.
34. T. Sabin. Strace for NT. www.bindview.com/Services/ RAZOR/Utilities/ Windows/strace-readme.cfm.
35. Sana Security, Inc. www.sanasecurity.com.
36. S. Schechter, J. Jung, and A. W. Berger. Fast Detection of Scanning Worm Infections. In 7th Int'l Symposium on Recent Advances in Intrusion Detection, French Riviera, France, September 2004.
37. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated Worm Fingerprinting. In OSDI, pages 45-60, 2004.
38. V. Smirnov. Re: Hooking system call from driver. NTDEV - Windows System Software Developers List, April 2002.
39. A. Somayaji and S. Forrest. Automated Response Using System-Call Delays. In Proc. of the 9th USENIX Security Symposium, August 2000.
40. A. B. Somayaji. Operating System Stability and Security through Process Homeostasis. PhD thesis, 2002.
41. S. Staniford, D. Moore, V. Paxson, and N. Weaver. The Top Speed of Flash Worms. In Proc. of the 2004 ACM Workshop on Rapid Malcode, pages 33-42, New York, NY, USA, 2004. ACM Press.
42. S. Staniford, V. Paxson, and N. Weaver. How to Own the Internet in Your Spare Time. In Proc. of the 11th USENIX Security Symposium, August 2002.
43. S. J. Stolfo, F. Apap, E. Eskin, K. Heller, S. Hershkop, A. Honig, and K. Svore. A Comparative Evaluation of Two Algorithms for Windows Registry Anomaly Detection, volume 13 of Journal of Computer Security, pages 659-693. 2005.
44. Symantec Corporation, www.symantec.com.
45. B. Tucker. SoBig.F breaks virus speed records. www.cnn.com/2003/TECH/ internet/08/21/sobig.virus/.
46. J. Twycross and M. M. Williamson. Implementing and Testing a Virus Throttle. In USENIX Security Symposium, pages 285-294, 2003.
47. UserLand Software, Inc. XML-RPC Home Page. www.xmlrpc.com.
48. N. Weaver, S. Staniford, and V. Paxson. Very Fast Containment of Scanning Worms. In USENIX Security Symposium, pages 29-44, 2004.
49. M. M. Williamson. Throttling Viruses: Restricting propagation to defeat malicious mobile code. Technical Report HPL-2002-172R1, HP Labs, December 2002.