Improving Worm Detection with Artificial Neural Networks through Feature Selection and Temporal Analysis Techniques
Computer worm detection is commonly performed by antivirus software
tools that rely on prior explicit knowledge of the worm's code
(detection based on code signatures). We present an approach for
detecting the presence of computer worms based on Artificial Neural
Networks (ANN) using the computer's behavioral measures. The
significant features that describe the activity of a worm within a
host are commonly obtained from security experts. We suggest acquiring
these features by applying feature selection methods. We compare three
different feature selection techniques for dimensionality reduction
and identification of the most prominent features, in order to
efficiently capture the computer's behavior in the context of worm
activity. Additionally, we explore three different temporal
representation techniques for the most prominent features. In order to
evaluate the different techniques, several computers were infected
with five different worms and 323 different features of the infected
computers were measured. We evaluated each technique by preprocessing
the dataset according to it and training the ANN model with the
preprocessed data. We then evaluated the ability of the model to
detect the presence of a new computer worm, in particular during heavy
user activity on the infected computers.
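The abstract describes a pipeline of ranking behavioral features, keeping the most prominent ones, and expanding them into temporal representations before training a detector, but this page does not name the paper's three selection techniques or its three temporal representations. The following is an added illustration, not code from the paper or its authors: it ranks constructed host counters with the signal-to-noise criterion of Golub et al. (one common filter-style selector, chosen here as an assumption) and expands a constructed per-host time series into three simple temporal views (raw value, sliding-window mean, change across the window). All feature names, sample rows and the window width are assumptions.

```python
"""Added illustration (not the paper's code): filter-style feature ranking and
simple temporal representations over constructed host-behaviour measurements.
The paper's own three selection and three temporal techniques are not named on
this page; the signal-to-noise ranking and window features are assumptions."""
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

# Hypothetical feature names; the paper measured 323 real host counters.
FEATURES = ["tcp_conn_per_sec", "cpu_user_pct", "disk_write_kb", "mouse_events"]

# Constructed samples: (label, measurements); label 1 = worm active, 0 = clean.
# The clean rows include heavy interactive use, so user-driven counters (CPU,
# disk, mouse) overlap between classes while outbound connection rate does not.
SAMPLES: List[Tuple[int, List[float]]] = [
    (1, [40, 30, 10, 5]), (1, [45, 35, 12, 20]),
    (1, [50, 28, 11, 0]), (1, [42, 33, 9, 12]),
    (0, [2, 25, 9, 8]), (0, [3, 40, 13, 25]),
    (0, [1, 20, 10, 3]), (0, [4, 35, 11, 15]),
]

# Constructed time series of tcp_conn_per_sec for one host: idle, then a worm
# starts scanning. One value per sampling interval.
TRACE: List[float] = [2, 3, 1, 4, 40, 45, 50, 42]


def snr_scores(samples, features) -> Dict[str, float]:
    """Signal-to-noise score per feature: (mean_pos - mean_neg) / (std_pos + std_neg).
    A large |score| means the feature separates infected from clean intervals well."""
    scores: Dict[str, float] = {}
    for i, name in enumerate(features):
        pos = [row[i] for label, row in samples if label == 1]
        neg = [row[i] for label, row in samples if label == 0]
        spread = pstdev(pos) + pstdev(neg) or 1e-9  # guard against constant features
        scores[name] = (mean(pos) - mean(neg)) / spread
    return scores


def rank_features(samples, features, top_k: int = None) -> List[str]:
    """Order features by |score|, most discriminative first; keep top_k if given."""
    scores = snr_scores(samples, features)
    ordered = sorted(features, key=lambda f: abs(scores[f]), reverse=True)
    return ordered[:top_k] if top_k else ordered


def window_features(series: Sequence[float], width: int) -> List[Dict[str, float]]:
    """Three temporal representations of one feature over a sliding window:
    the raw current value, the window mean, and the change across the window.
    Returns one record per window position (len(series) - width + 1 records)."""
    if width < 2 or width > len(series):
        raise ValueError("window width must be between 2 and len(series)")
    out = []
    for end in range(width, len(series) + 1):
        win = series[end - width:end]
        out.append({"raw": win[-1], "mean": mean(win), "delta": win[-1] - win[0]})
    return out


if __name__ == "__main__":
    for name, score in snr_scores(SAMPLES, FEATURES).items():
        print(f"{name:18s} snr={score:+.3f}")
    print("kept:", rank_features(SAMPLES, FEATURES, top_k=2))
    for rec in window_features(TRACE, width=4):
        print(rec)
```

Run as a script it prints the per-feature scores, the two features kept, and the windowed records for the trace; the window mean lags the raw value while the delta spikes exactly when the connection rate jumps, which is the kind of difference between temporal representations the abstract is comparing.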
@article{"International Journal of Information, Control and Computer Sciences:50195",
  author   = "Dima Stopel and Zvi Boger and Robert Moskovitch and Yuval Shahar and Yuval Elovici",
  title    = "Improving Worm Detection with Artificial Neural Networks through Feature Selection and Temporal Analysis Techniques",
  journal  = "International Journal of Information, Control and Computer Sciences",
  keywords = "Artificial Neural Networks, Feature Selection, Temporal Analysis, Worm Detection.",
  volume   = "2",
  number   = "9",
  pages    = "2887-7",
}