Exploiting Temporal Consistency to Reduce False Positives in Host-Based, Collaborative Detection of Worms

Title: Exploiting Temporal Consistency to Reduce False Positives in Host-Based, Collaborative Detection of Worms
Author: Smith, Michael; Malan, David J.

Note: Order does not necessarily reflect citation order of authors.

Citation: Malan, David J., and Michael D. Smith. 2006. Exploiting temporal consistency to reduce false positives in host-based, collaborative detection of worms. In Proceedings of the 4th ACM Workshop on Recurring Malcode 2006, Alexandria, Virginia, November 03, 2006, ed. Farnam Jahanian, 25-32. New York, NY: ACM Press.
Access Status: At the direction of the depositing author this work is not currently accessible through DASH.
Abstract: The speed of today’s worms demands automated detection, but the risk of false positives poses a difficult problem. In prior work, we proposed a host-based intrusion-detection system for worms that leveraged collaboration among peers to lower its risk of false positives, and we simulated this approach for a system with two peers. In this paper, we build upon that work and evaluate our ideas “in the wild.” We implement Wormboy 2.0, a prototype of our vision that allows us to quantify and compare worms’ and non-worms’ temporal consistency, similarity over time in worms’ and non-worms’ invocations of system calls. We deploy our prototype to a network of 30 hosts running Windows XP with Service Pack 2 to monitor and analyze 10,776 processes, inclusive of 511 unique non-worms (873 if we consider unique versions to be unique non-worms). We identify properties with which we can distinguish non-worms from worms 99% of the time. We find that our collaborative architecture, using patterns of system calls and simple heuristics, can detect worms running on multiple peers. And we find that collaboration among peers significantly reduces our probability of false positives because of the unlikely appearance on many peers simultaneously of non-worm processes with worm-like properties.
Published Version: http://dx.doi.org/10.1145/1179542.1179548
Other Sources: http://www.cs.harvard.edu/~malan/publications.shtml
http://portal.acm.org/toc.cfm?id=1179542
Citable link to this page: http://nrs.harvard.edu/urn-3:HUL.InstRepos:2962663
