Using artificial neural networks to detect unknown computer worms

Detecting computer worms is a highly challenging task. We present a new approach that uses artificial neural networks (ANN) to detect the presence of computer worms based on measurements of computer behavior. We compare ANN to three other classification methods and show the advantages of ANN for detection of known worms. We then proceed to evaluate ANN’s ability to detect the presence of an unknown worm. As the measurement of a large number of system features may require significant computational resources, we evaluate three feature selection techniques. We show that, using only five features, one can detect an unknown worm with an average accuracy of 90%. We use a causal index analysis of our trained ANN to identify rules that explain the relationships between the selected features and the identity of each worm. Finally, we discuss the possible application of our approach to host-based intrusion detection systems.
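As an added illustration (not code from the paper): a small pure-Python feed-forward ANN trained on constructed host-behaviour features with a worm/no-worm label, followed by a causal index computed from the trained weights in the manner of Baba et al. (1990), the kind of weight-based rule extraction the abstract refers to. The causal-index formula, the five feature names and the sample data are assumptions made here, not taken from the paper.

```python
import math, random
FEATURES = ["procs_spawned", "tcp_syn_rate", "registry_writes", "disk_reads", "cpu_idle"]

def constructed_samples(n=200, seed=7):
    """Constructed behaviour vectors (label 1 = worm active): procs_spawned and
    tcp_syn_rate rise with the worm, cpu_idle falls, the other two are noise."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        y = rng.randint(0, 1)
        x = [rng.gauss(0.4 + 0.4 * y, 0.15), rng.gauss(0.2 + 0.6 * y, 0.15),
             rng.gauss(0.5, 0.2), rng.gauss(0.5, 0.2), rng.gauss(0.7 - 0.4 * y, 0.15)]
        data.append((x, y))
    return data

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train_mlp(data, n_hidden=3, epochs=300, lr=0.5, seed=1):
    """One sigmoid hidden layer, one sigmoid output, plain SGD on squared error.
    Returns (w_in[h][i], b_in[h], w_out[h], b_out)."""
    rng = random.Random(seed)
    n_in = len(data[0][0])
    w_in = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
    b_in, w_out, b_out = [0.0] * n_hidden, [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)], 0.0
    for _ in range(epochs):
        for x, y in data:
            h = [sigmoid(sum(w * xi for w, xi in zip(w_in[j], x)) + b_in[j]) for j in range(n_hidden)]
            o = sigmoid(sum(w * hj for w, hj in zip(w_out, h)) + b_out)
            d_o = (o - y) * o * (1 - o)          # output-layer error term
            for j in range(n_hidden):
                d_h = d_o * w_out[j] * h[j] * (1 - h[j])   # back-propagated to hidden unit j
                w_out[j] -= lr * d_o * h[j]
                for i in range(n_in):
                    w_in[j][i] -= lr * d_h * x[i]
                b_in[j] -= lr * d_h
            b_out -= lr * d_o
    return w_in, b_in, w_out, b_out

def causal_index(w_in, w_out):
    """CI[i] = sum_h w_out[h] * w_in[h][i] (assumed form of the Baba et al. index):
    the sign is the direction feature i pushes the output, |CI| ranks its influence."""
    return [sum(w_out[h] * w_in[h][i] for h in range(len(w_out))) for i in range(len(w_in[0]))]

def rank_features(ci, names=FEATURES):
    """Features ordered by descending |CI|, i.e. a readable rule list."""
    return sorted(zip(names, ci), key=lambda t: -abs(t[1]))

def worm_feature_rules():
    w_in, _, w_out, _ = train_mlp(constructed_samples())
    return rank_features(causal_index(w_in, w_out))
```

Calling `worm_feature_rules()` returns the five features ranked by how strongly the trained network ties them to the worm label, with a sign per feature; on real data the same step would run over the features chosen by the feature-selection stage.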
