PC worm detection system based on the correlation between user interactions and comprehensive network behaviors

Jeongseok Seo, Sungdeok Cha, Bin Zhu, Doohwan Bae

Research output: Contribution to journal › Article

2 Citations (Scopus)

Abstract

Anomaly-based worm detection complements existing signature-based worm detectors. It detects unknown worms and fills the gap between the moment a worm begins to propagate and the moment a signature is generated and downloaded to a signature-based detector. A major obstacle to deploying it on personal computers (PCs) is its high rate of false positive alarms, since a typical PC user lacks the skill to handle the exceptions flagged by a detector without much knowledge of computers. In this paper, we exploit a distinctive feature of personal computers, namely that the user interacts with many of the running programs, together with features that combine various network characteristics. The model of a program's network behaviors is conditioned on the human interactions with that program. Our scheme automates detection of unknown worms with dramatically reduced false positive alarms while not compromising low false negatives, as demonstrated by our experimental results from an implementation on Windows-based PCs detecting real-world worms.

Original language: English
Pages (from-to): 1716-1726
Number of pages: 11
Journal: IEICE Transactions on Information and Systems
Volume: E96-D
Issue number: 8
DOI: 10.1587/transinf.E96.D.1716
Publication status: Published - 2013 Aug 27

Fingerprint

Computer worms
Personal computers
Detectors

Keywords

  • Internet worm
  • Personal computer security
  • Worm detection

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Software
  • Artificial Intelligence
  • Hardware and Architecture
  • Computer Vision and Pattern Recognition

Cite this

PC worm detection system based on the correlation between user interactions and comprehensive network behaviors. / Seo, Jeongseok; Cha, Sungdeok; Zhu, Bin; Bae, Doohwan.

In: IEICE Transactions on Information and Systems, Vol. E96-D, No. 8, 27.08.2013, p. 1716-1726.


@article{d03369ff202943a7b2d7c91bb8165d5b,
title = "PC worm detection system based on the correlation between user interactions and comprehensive network behaviors",
keywords = "Internet worm, Personal computer security, Worm detection",
author = "Jeongseok Seo and Sungdeok Cha and Bin Zhu and Doohwan Bae",
year = "2013",
month = "8",
day = "27",
doi = "10.1587/transinf.E96.D.1716",
language = "English",
volume = "E96-D",
pages = "1716--1726",
journal = "IEICE Transactions on Information and Systems",
issn = "0916-8532",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "8",

}

TY - JOUR

T1 - PC worm detection system based on the correlation between user interactions and comprehensive network behaviors

AU - Seo, Jeongseok

AU - Cha, Sungdeok

AU - Zhu, Bin

AU - Bae, Doohwan

PY - 2013/8/27

Y1 - 2013/8/27

KW - Internet worm

KW - Personal computer security

KW - Worm detection

UR - http://www.scopus.com/inward/record.url?scp=84882705999&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84882705999&partnerID=8YFLogxK

U2 - 10.1587/transinf.E96.D.1716

DO - 10.1587/transinf.E96.D.1716

M3 - Article

AN - SCOPUS:84882705999

VL - E96-D

SP - 1716

EP - 1726

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

SN - 0916-8532

IS - 8

ER -