A Method for Efficient Malicious Code Detection Based on Conceptual Similarity

Many techniques have been applied to the detection of malicious behavior. However, the techniques currently in practice face the challenge of numerous variations of the original malicious behavior, and they cannot respond to new forms of behavior appropriately and in a timely manner. To address these problems, we propose a new method that improves on the current situation. In essence, we use conceptual graphs to define malicious behavior, and we can then compare the similarity relations of malicious behavior by evaluating the formalized values that the predefined graphs generate for the code. In this paper, we show how to construct a conceptual graph and propose an efficient similarity measure for discerning malicious behavior. Our experiments show that the method yields a more efficient detection rate. It can be used to detect malicious code in the script-based programming environments of many kinds of embedded systems or telematics systems.
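As an added illustration (not the paper's own code or its similarity measure), the following models a behaviour as a conceptual graph of (concept, relation, concept) triples and scores a candidate graph against a reference one with a Jaccard overlap; the type hierarchy, the threshold and all three behaviours are constructed assumptions. It shows the point of the approach: a variant that changes the surface code but keeps the behaviour still scores high, while a benign script touching the same data does not.

```python
# Added illustration, not the paper's own code or similarity measure: a
# conceptual graph as a set of (concept, relation, concept) triples, concepts
# lifted through a small constructed type hierarchy, compared by Jaccard overlap.
from typing import FrozenSet, Iterable, Tuple

Triple = Tuple[str, str, str]
TYPE_PARENT = {"attachment": "payload", "link": "payload"}  # constructed hierarchy

def conceptual_graph(edges: Iterable[Triple]) -> FrozenSet[Triple]:
    """Normalise case and lift each concept to its parent type, if it has one."""
    def lift(c: str) -> str:
        return TYPE_PARENT.get(c.lower(), c.lower())
    return frozenset((lift(a), r.lower(), lift(b)) for a, r, b in edges)

def similarity(g1: FrozenSet[Triple], g2: FrozenSet[Triple]) -> float:
    """Jaccard overlap of triples: 1.0 for identical graphs, 0.0 for disjoint."""
    if not g1 and not g2:
        return 1.0
    return len(g1 & g2) / len(g1 | g2)

# Constructed reference behaviour: read the address book, build a message with
# an attachment, send it to every contact over SMTP (a mass-mailer pattern).
REFERENCE = conceptual_graph([
    ("Script", "reads", "AddressBook"), ("Script", "creates", "Message"),
    ("Message", "contains", "Attachment"), ("Script", "sends", "Message"),
    ("Message", "via", "SMTP"), ("Message", "to", "Contact"),
])
# Constructed variant: attachment swapped for a link (same parent type) plus an
# extra registry write; the source text differs, the graph barely does.
VARIANT = conceptual_graph([
    ("Script", "reads", "AddressBook"), ("Script", "creates", "Message"),
    ("Message", "contains", "Link"), ("Script", "sends", "Message"),
    ("Message", "via", "SMTP"), ("Message", "to", "Contact"),
    ("Script", "writes", "Registry"),
])
# Constructed benign script: reads the address book only to back it up to disk.
BENIGN = conceptual_graph([
    ("Script", "reads", "AddressBook"), ("Script", "writes", "File"),
    ("File", "stored_on", "Disk"),
])

def flag(candidate: FrozenSet[Triple], threshold: float = 0.6) -> bool:
    """Flag a candidate whose overlap with the reference meets the (assumed) threshold."""
    return similarity(candidate, REFERENCE) >= threshold

if __name__ == "__main__":
    for name, g in (("variant", VARIANT), ("benign", BENIGN)):
        print(name, round(similarity(g, REFERENCE), 3), flag(g))
```

The variant scores 6/7 against the reference and is flagged; the benign backup script scores 1/8 and is not.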
