Detecting worms via mining dynamic program execution

Proceedings of the 3rd International Conference on Security and Privacy in Communication Networks, SecureComm

Volumn , Issue , 2007, Pages 412-421

  Wang, Xun ^a   Yu, Wei ^b   Champion, Adam ^a   Fu, Xinwen ^c   Xuan, Dong ^a  

^a Ohio State University   (United States)

^b TEXAS A AND M UNIVERSITY   (United States)

^c DAKOTA STATE UNIVERSITY   (United States)

Author keywords

Data mining; Dynamic program analysis; System call tracing; Worm detection

Indexed keywords

DATA MINING; DYNAMIC PROGRAM ANALYSIS; DYNAMIC PROGRAMS; SYSTEM CALL TRACING; WORM DETECTION;

CLASSIFICATION (OF INFORMATION); CLASSIFIERS; COMPUTER NETWORKS; INTRUSION DETECTION; LEARNING SYSTEMS; MINING; SUPPORT VECTOR MACHINES; TELECOMMUNICATION NETWORKS;

COMPUTER CRIME;

EID: 51349109687     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SECCOM.2007.4550362     Document Type: Conference Paper

References (42)

1. D. Moore, C. Shannon, and J. Brown, "Code-red: a case study on the spread and victims of an internet worm," in Proceedings of the 2-th Internet Measurement Workshop (IMW), Marseille, France, November 2002.
2. D. Moore, V. Paxson, and S. Savage, "Inside the slammer worm," IEEE Magazine of Security and Privacy, vol. 4, no. 1, pp. 33-39, July 2003.
3. M. Casado, T. Garfinkel, W. Cui, V. Paxson, and S. Savage, "Opportunistic measurement: Extracting insight from spurious traffic," in Proceedings of the 4-th ACM SIGCOMM HotNets Workshop (HotNets), College Park, MD, November 2005.
4. J. Wu, S. Vangala, and L. X. Gao, "An effective architecture and algorithm for detecting worms with various scan techniques," in Proceedings of the 11-th IEEE Network and Distributed System Security Symposium, (NDSS), San Diego, CA, Febrary 2004.
5. S. Venkataraman, D. Song, P. Gibbons, and A. Blum, "New streaming algorithms for superspreader detection," in Proceedings of the 12-th IEEE Network and Distributed Systems Security Symposium (NDSS), San Diego, CA, Febrary 2005.
6. C. Zou, W. B. Gong, D. Towsley, and L. X. Gao, "Monitoring and early detection for internet worms," in Proceedings of the 10-th ACM Conference on Computer and Communication Security (CCS), Washington DC, October 2003.
7. W. Yu, X. Wang, D. Xuan, and D. Lee, "Effective detection of active worms with varying scan rate," in Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), Baltimore, MD, August 2006.
8. J. Z. Kolter and M. A. Maloof, "Learning to detect malicious executables in the wild," in Proceedings of the 10th ACM International Conference on Knowledge Discovery and Data Mining (SIGKDD), Seattle, WA, August 2004.
9. M. G. Schultz, E. Eskin, E. Zadok, and S. J. Stolfo, "Data mining methods for detection of new malicious executables," in Proceedings of IEEE Symposium, on Security and. Privacy (S&P), Oakland. CA. May 2001.
10. D. Bruschi, L. Martignoni, and M. Monga, "Detecting self-mutating malware using control flow graph matching," in Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Berlin, Germany, July 2006.
11. SANS, Internet Storm Center, http://isc.sans.org/.
12. CERT, Advisory CA-2003-20 W32/Blaster worm, http://www.cert.org /advisories/CA-2003-20.html, 2003.
13. MetaPHOR, http://securityresponse.symantec.com/avcenter/venc/data/w32. simile.html.
14. P. Ferrie and P. Ször. Zmist, Zmist opportunities, Virus Bullettin, http://www.virusbtn.com.
15. M. Ernst, "Static and dynamic analysis: Synergy and duality," Portland, Oregon, May 2003.
16. Shengying Li, A Survey on Tools for Binary Code Analysis, Department of Computer Science, Stony Brook University, http://www.cs.sunysb. edu/lshengyi/papers/rpe/RPE.htm, 2004.
17. H. H. Feng, O. M. Kolesnikov, P. Fogla, W. Lee, and W. Gong, "Anomaly detection using call stack information," in Proceedings of IEEE Symposium on Security and Privacy (S&P), Oakland, CA, May 2003.
18. M. H. Dunham, Data Mining: Introductory and Advanced Topics, Prentice Hall, 1 edition, 2002.
19. J. Han and M. Kamber, Data Mining: Concepts and Techniques, Morgan Kaufmann Publishers, 2 edition, 2006.
20. VMWare Inc., www.vmware.com/virtual-machine.
21. Microsoft, Microsoft Virtual PC, http://www.microsoft.com/windows /virtualpc/default.mspx.
22. Metasploit LLC, Windows System Call Table, http://www.metasploit. com/users/opcode/syscalls.html.
23. Operating System Inside, Linux System Call Table, http://osinside.net /syscall/system_call_table.htm, 2006.
24. Paul Thurrott, Windows "Longhorn" FAQ, http://www.winsupersite.com /faq/longhom.asp.
25. GNU Project, Linux Function and Macro Index, http://www.gnu.org /software/libc/manual/html_node/Function-Index.html#Function-lndex.
26. K. F. Lee and S. Mahajan, Automatic Speech Recognition: the. Development of the SPHINX System, Springer, 1988.
27. V. Vapnik, The Nature of Statistical Learning Theory, Springer-Verlag, New York, 1995.
28. V. Vapnik. Statistical Learning Theory, John Wiley and Sons, New York, 1998.
29. BindView Corporation, Strace for NT, http://www.bindview.com/ Services/RAZOR/Utilities/Windows/strace_readme.cfm.
30. B. Christian, Full and Naive Bayes Classifiers, http://fuzzy.cs.unimagdeburg.de/borgelt/doc/bayes/bayes.html.
31. T. Joachims, Advances in Kernel Methods: Support Vector Machines, MIT Press, Cambridge, Massachusetts, 1998.
32. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, "Fast portscan detection using sequential hypothesis testing," in Proceedings of the 25-th IEEE Symposium on Security and Privacy (S&P), Oakland, CA, May 2004.
33. A. Lakhina, M. Crovella, and C. Diot, "Mining anomalies using traffic feature distribution," in Proceedings of ACM SIGCOMM, Philadelphia, PA, August 2005.
34. R. Perdisci, O. Kolesnikov, P. Fogla, M. Sharif, and W. Lee, "Polymorphic blending attacks," in Proceedings of the 15-th USENIX Security Symposium. (SECURITY), Vancouver, B.C., August 2006.
35. Binary Text Scan, http://netninja.com/files/bintxtscan.zip.
36. D. Wagner and D. Dean, "Intrusion detection via static analysis," in Proceedings of IEEE Symposium on Security and Privacy (S&P), Oakland, CA, May 2001.
37. D. Gao, M. Reiter, and Dawn Song, "Behavioral distance for intrusion detection," in Proceedings of Symposium on Recent Advance in Intrusion Detection (RAID), Seattle, WA, September 1999.
38. H. H Feng, J. T. Giffin, Y. Huang, S. Jha, W. Lee, and B. P. Miller, "Formalizing sensitivity in static analysis for intrusion detection," in Proceedings of IEEE Symposium, on Security and Privacy (S&P), Oakland, CA, May 2004.
39. C. Cowan, C. Pu, D. Maier, H. Hinton, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, "Stack-guard: Automatic adaptive detection and prevention of buffer-overflow attacks," in Proceedings of 7th USENIX Security Symposium (SECURITY), San Antonio, TX, August 1998.
40. W. Lee, S. J. Stolfo, and W. Mok, "A data mining framework for building intrusion detection models," in Proceedings of the 1999 IEEE Symposium, on Security and Privacy (S&P), Oakland, CA, May 1999.
41. S. Martin, A. Sewani, B. Nelson, K. Chen, and A. Joseph, "Analyzing behavioral features for email classification," in Proceedings of the 2th International conference on email and anti-span (CEAS), Mountain view, CA, August 2003.
42. S. Yang, J. P. Song, H. Rajamani, T. W. Cho, Y. Zhang, and R. Mooney, "Fast and effective worm fingerprinting via machine learning," in Proceedings of the 3rd IEEE International Conference on Autonomic Computing (ICAC), Dublin, Ireland, June 2006.