Exploiting Temporal Consistency to Reduce False Positives in Host-Based, Collaborative Detection of Worms
Access Status: Full text of the requested work is not available in DASH at this time ("dark deposit"). For more information on dark deposits, see our FAQ.
Malan, David J.
Citation: Malan, David J., and Michael D. Smith. 2006. Exploiting temporal consistency to reduce false positives in host-based, collaborative detection of worms. In Proceedings of the 4th ACM Workshop on Recurring Malcode 2006, Alexandria, Virginia, November 03, 2006, ed. Farnam Jahanian, 25-32. New York, NY: ACM Press.
Abstract: The speed of today's worms demands automated detection, but the risk of false positives poses a difficult problem. In prior work, we proposed a host-based intrusion-detection system for worms that leveraged collaboration among peers to lower its risk of false positives, and we simulated this approach for a system with two peers. In this paper, we build upon that work and evaluate our ideas "in the wild." We implement Wormboy 2.0, a prototype of our vision that allows us to quantify and compare worms' and non-worms' temporal consistency, that is, similarity over time in worms' and non-worms' invocations of system calls. We deploy our prototype to a network of 30 hosts running Windows XP with Service Pack 2 to monitor and analyze 10,776 processes, inclusive of 511 unique non-worms (873 if we consider unique versions to be unique non-worms). We identify properties with which we can distinguish non-worms from worms 99% of the time. We find that our collaborative architecture, using patterns of system calls and simple heuristics, can detect worms running on multiple peers. And we find that collaboration among peers significantly reduces our probability of false positives because of the unlikely appearance on many peers simultaneously of non-worm processes with worm-like properties.
Citable link to this page: http://nrs.harvard.edu/urn-3:HUL.InstRepos:2962663
Collection: FAS Scholarly Articles