Presented by: Sandeep
Dept of Computer & Information Sciences
University of Delaware

Detection of unknown computer worms based on behavioral classification of the host
Robert Moskovitch, Yuval Elovici, Lior Rokach

Worms
Worms are considered malicious in nature
that enters the system, looking for known
signatures which uniquely identify an
instance of known malcode
common obfuscation techniques used by malware
using several transformations, such as nop-insertion and code transposition
by obfuscating the entire virus. When they
replicate, these viruses change their code in a
variety of ways, such as code transposition,
substitution of equivalent instruction sequences,
change of conditional jumps, and register
Original code:
    Loop:  pop   ecx
           jecxz SFModMark
           mov   esi, ecx
           mov   eax, 0d601h
           pop   edx
           pop   ecx
           call  edi

Nop-inserted variant:
    Loop:  pop   ecx
           nop
           jecxz SFModMark
           xor   ebx, ebx
           beqz  N1
    N1:    mov   esi, ecx
           nop
           mov   eax, 0d601h
           pop   edx
           pop   ecx
           nop
           call  edi
           xor   ebx, ebx
           beqz  N2
    N2:    jmp   Loop

Code-transposed variant:
    Loop:  pop   ecx
           nop
           jmp   L1
    L3:    call  edi
           xor   ebx, ebx
           beqz  N2
    N2:    jmp   Loop
           jmp   L4
    L2:    nop
           mov   eax, 0d601h
           pop   edx
           pop   ecx
           nop
           jmp   L3
    L1:    jecxz SFModMark
           xor   ebx, ebx
           beqz  N1
    N1:    mov   esi, ecx
           jmp   L2
    L4:
binary for the detection of unknown malcode.
Therefore an additional detection layer at
runtime is required
behavior of the host. By monitoring the host, one
can implicitly identify malcode.
measurements from infected and not infected
detecting and classifying worms
relatively small set of features is sufficient for
solving the problem without sacrificing accuracy.
various machine configurations suggesting that
the proposed methods achieve high detection
rates on previously unseen worms.
contained heterogeneous hardware, and a server
computer simulating the internet.
VTrace, which enables monitoring of system features
among the available worms
f_i is a feature; filter is one of the k filtering (feature selection) methods.
and tested on each one ( j ) of the eight datasets.
Eight corresponding evaluations were done on
each one of the datasets, resulting in 64
dataset is randomly partitioned into ten
partitions, and the classifier is repeatedly
trained on nine partitions and tested on the
for each one of the combinations of feature
selection method, classification algorithm, and
number of top features.
feature set described earlier
feature sets) evaluations (each comprises 64
runs), summing up to 8448 evaluation runs.
the none activity, and tested on the excluded
worms (from the training set) and the none
testing set contained the k excluded worms,
while the none activity appeared in both
combinations of the k worms (k = 1–4).
based on a computer’s measurements, using
machine learning techniques, what is the
achievable level of accuracy?
features to below 30, while maintaining a high
level of accuracy
computer background activity, from which the
training sets were taken, have a significant
influence on the detection accuracy?
based on a training set of known worms?