Monitoring, analysis, and filtering system for purifying network traffic of known and unknown malicious content

The early detection, alert and response (eDare) framework is presented in this paper. The goal of this framework is to address the risks stemming from malicious software propagating via networks operated by Internet/network service providers (ISP/NSP). To achieve this goal, eDare employs network-based traffic scanning appliances that enable sanitation of Internet traffic of known malware. The remaining traffic is extracted and various types of algorithms are invoked in an attempt to detect instances of previously unencountered malware and to generate a unique and simple byte-string signature for such malware. That signature is immediately uploaded to the aforementioned network traffic scanners. To augment the judgments of the algorithms, human experts are consulted for assistance in classifying files suspected of being malware about which the automatic detection algorithms are not sufficiently decisive. Finally, collaborative feedback and tips from end-users are meshed into the identification process. This makes it possible to tackle suspect files whose impact can be assessed on a large, distributed scale. The system incorporates static and behavioral analysis of malware and a novel automatic signature generation algorithm. eDare was implemented and tested using an evaluation environment developed especially for that purpose. The results suggest that eDare can detect and remove unknown malware effectively. Copyright © 2010 John Wiley & Sons, Ltd.
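As an added illustration (not code from the paper or the eDare project), the following Python sketches the loop the abstract describes: a network scanner filters known malware, analysis of unknown samples derives a byte-string signature that is checked against a benign corpus so it does not block legitimate traffic, and the signature is pushed back to the scanner. The samples, the shortest-common-substring heuristic, and all names are constructed for this example; the paper's own signature generation algorithm is not reproduced here.

```python
"""Added illustration of an eDare-style loop: scanner, unknown-sample analysis
producing a byte-string signature, signature uploaded back to the scanner.
Generic heuristic, not the paper's algorithm; all data is constructed."""
from typing import Optional


def byte_windows(sample: bytes, n: int) -> set:
    """Every n-byte substring of a sample."""
    return {sample[i:i + n] for i in range(len(sample) - n + 1)}


def generate_signature(malicious: list, benign: list,
                       min_len: int = 8, max_len: int = 32) -> Optional[bytes]:
    """Shortest byte string shared by all malicious samples that never occurs
    in the benign corpus. The benign check is what keeps a pushed signature
    from dropping clean flows; min_len limits chance matches on unseen traffic.
    Returns None when no such string exists."""
    for n in range(min_len, max_len + 1):
        common = byte_windows(malicious[0], n)
        for sample in malicious[1:]:
            common &= byte_windows(sample, n)
            if not common:
                break
        safe = sorted(s for s in common if not any(s in b for b in benign))
        if safe:
            return safe[0]  # deterministic pick among equally short candidates
    return None


class TrafficScanner:
    """Network-side appliance: drops payloads matching any loaded signature."""

    def __init__(self, signatures=()):
        self.signatures = set(signatures)

    def upload(self, sig: bytes) -> None:
        self.signatures.add(sig)

    def is_malicious(self, payload: bytes) -> bool:
        return any(sig in payload for sig in self.signatures)

    def filter(self, payloads: list):
        """Split traffic into (forwarded, dropped)."""
        dropped = [p for p in payloads if self.is_malicious(p)]
        return [p for p in payloads if p not in dropped], dropped


# Constructed samples: two variants of a fictitious dropper plus clean traffic.
MALICIOUS = [b"MZ\x90\x00\xeb\x0fdropper-core\x00variant-A",
             b"MZ\x90\x00\xeb\x0fdropper-core\x00variant-B-longer"]
BENIGN = [b"MZ\x90\x00hello world program\x00", b"GET /index.html HTTP/1.1\r\n"]


def run_pipeline():
    scanner = TrafficScanner()                     # no signature loaded yet
    sig = generate_signature(MALICIOUS, BENIGN)    # analysis of unknown samples
    scanner.upload(sig)                            # immediate upload to scanner
    return sig, scanner.filter(MALICIOUS + BENIGN)
```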
