Vague Signature based Worm Detection via Dynamic Program Analysis - PowerPoint PPT Presentation
Slides: 6
Provided by: xunw
Transcript and Presenter's Notes
1
Vague Signature based Worm Detection via Dynamic Program Analysis
  • Most existing host-based worm detection approaches rely on
    worm signatures: segments of the worm's executable byte
    sequence, or the worm's behavior on the operating system or
    network. This class of approach is not accurate at detecting
    new worms, because a new worm carries new signatures that the
    detector does not yet know during the worm's early
    propagation stage.
  • On the other hand, the explicit worm signatures generated or
    used by these signature-based approaches can be used by the
    worm writer to change the worm's signature in order to evade
    detection.

2
Our Method
  • Lightweight dynamic program code analysis
  • Trace system call information to capture the run-time
    behavior of worms and of benign programs.
  • Tracing only system service calls at kernel level occupies
    few OS resources, so the approach is lightweight.
  • Data mining based worm detection/classification
  • Our classifier lives in a feature space of very high
    dimension, up to 80000 features (dimensions). Such a
    classifier is hard to interpret, and therefore hard for the
    worm writer to use when modifying his worm's signature to
    evade our detection.
  • Effective and efficient solution to a real-world problem,
    with real code and real experiment data.
  • Learn from a large amount of data to obtain generally
    applicable knowledge for detecting and classifying worms.
  • Real experiments with worms, like ours, are very rare and
    hard to carry out.

3
Work Flow
  • Set up the experiment environment (appropriate OS and
    appropriate software).
  • Run experiments to obtain system call traces of normal
    Windows binary code and of different types of Windows worms.
  • Data preprocessing.
  • Classifier learning and testing.

4
Data Flow
The slide is a diagram spanning two regions, the Knowledge
Provider Space and the User Space; its boxes are:
  • Binary Code
  • Experiment
  • Data
  • Data Filter
  • Interested Data
  • Data Preprocess
  • Training Data
  • Data with certain format for specific DM tool
  • DM tool / Classifier Learner
  • Model / Classifier
  • DM tool / Classifier Tester / Detector
  • Testing Data
  • Online Data
5
Challenge
  • Interpretability of the trained model/classifier
    • We currently use an SVM, which learns a model/classifier
      with very low interpretability.
    • Should the user be able to use the model/classifier
      without the classification tool (detector), and if so, how?
    • Other DM tools/algorithms can learn a model/classifier with
      higher interpretability.
  • High-dimensional data
    • About 300 system function calls on Windows, fewer on Linux.
    • The number of dimensions can be larger than 10^10.
    • Most DM tools and algorithms cannot handle that.
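The pipeline the slides describe (kernel system-call traces, a very high-dimensional n-gram feature space, a learned classifier, a detector run over online data), as an added example that is not part of the presentation. A sparse perceptron stands in for the slides' SVM so it runs with no third-party library; all traces, call names and labels are constructed for the demo.

```python
"""Added example (not from the presentation): system-call traces turned into
n-gram features in a very high-dimensional sparse space, then classified by a
sparse perceptron standing in for the slides' SVM. All traces, call names and
labels below are constructed for the demo, not real experiment data."""
from collections import Counter

def ngram_features(trace, n=3):
    """Sparse bag of call n-grams. With ~300 distinct Windows calls the full
    space has 300**n coordinates (billions for n=4), but a trace of length L
    touches at most L-n+1 of them, so only those get stored."""
    feats = Counter()
    for i in range(len(trace) - n + 1):
        feats["|".join(trace[i:i + n])] += 1
    return feats

def score(w, feats):
    return sum(w.get(k, 0.0) * v for k, v in feats.items())

def train_perceptron(samples, epochs=10):
    """samples: (trace, label) pairs, label +1 = worm, -1 = benign.
    The weight vector is a dict, so it grows only with n-grams seen in
    training, never with the nominal dimension of the space."""
    w = {}
    for _ in range(epochs):
        for trace, label in samples:
            f = ngram_features(trace)
            if score(w, f) * label <= 0:      # misclassified: move toward label
                for k, v in f.items():
                    w[k] = w.get(k, 0.0) + label * v
    return w

def classify(w, trace):
    """+1 (worm-like) or -1 (benign-like) for a new trace (the 'online data')."""
    return 1 if score(w, ngram_features(trace)) > 0 else -1

# Constructed traces. Benign: open/query/read/close loops. Worm-like: device
# I/O bursts followed by writing a file and spawning a process.
BENIGN = [["NtOpenFile", "NtQueryInformationFile", "NtReadFile", "NtReadFile",
           "NtClose", "NtOpenFile", "NtReadFile", "NtClose"],
          ["NtCreateFile", "NtWriteFile", "NtWriteFile", "NtClose",
           "NtOpenFile", "NtQueryInformationFile", "NtReadFile", "NtClose"]]
WORM = [["NtDeviceIoControlFile", "NtDeviceIoControlFile", "NtCreateFile",
         "NtWriteFile", "NtCreateProcess", "NtDeviceIoControlFile",
         "NtDeviceIoControlFile", "NtCreateProcess"],
        ["NtOpenFile", "NtReadFile", "NtDeviceIoControlFile", "NtCreateFile",
         "NtWriteFile", "NtCreateProcess", "NtDeviceIoControlFile",
         "NtCreateProcess"]]
SAMPLES = [(t, -1) for t in BENIGN] + [(t, 1) for t in WORM]
W = train_perceptron(SAMPLES)   # the learned model/classifier
```

Inspecting `W` shows the interpretability problem from the last slide in miniature: the model is a list of weighted call trigrams, not a rule a person can read.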