A learning system for discriminating variants of malicious network traffic
Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop
Network intrusion detection systems typically detect worms by examining packet or flow logs for known signatures. Not only does this approach mean that worms cannot be detected until their signatures are created, but also that variants of known worms will remain undetected, since they will have different signatures. The intuitive solution is to write more generic signatures. That solution, however, would increase the false alarm rate and is therefore not practically feasible. This paper reports on the feasibility of using a machine learning technique to detect variants of known worms in real time. Support vector machines (SVMs) are a machine learning technique known to perform well at various pattern recognition tasks, such as text categorization and handwritten digit recognition. Given the efficacy of SVMs in standard pattern recognition problems, this work applies SVMs to the worm detection problem. Specifically, we investigate the optimal configuration of SVMs and associated kernel functions to classify various types of synthetically generated worms. We demonstrate that the optimal configuration for real-time detection of variants of known worms is to use a linear kernel, and unnormalized bi-gram frequency counts as input.
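The feature representation the abstract settles on (unnormalized bi-gram frequency counts fed to a linear decision function) is easy to exercise end to end. The following is an added example, not code from the paper: it extracts bi-gram counts from byte payloads, learns a linear classifier with the perceptron rule as a stand-in for a linear-kernel SVM solver (same form of decision function, simpler training), and then scores a "variant" whose filler byte was never seen during training. All payloads are constructed stand-ins, not captured traffic.

```python
from collections import Counter

def bigram_counts(payload: bytes) -> Counter:
    """Unnormalized bi-gram frequency counts of a byte payload: the feature
    vector the abstract reports as best for real-time variant detection."""
    return Counter(zip(payload, payload[1:]))

def dot(w: dict, x: Counter) -> float:
    """Linear kernel between the sparse weight vector and a feature vector."""
    return sum(w.get(b, 0.0) * c for b, c in x.items())

def train_linear(samples, max_epochs: int = 20) -> dict:
    """Learn a linear decision function w.x with the perceptron rule.
    Stand-in for a linear-kernel SVM solver (same decision function form);
    a real deployment would train with an SVM library instead."""
    w = {}
    for _ in range(max_epochs):
        mistakes = 0
        for x, y in samples:
            if y * dot(w, x) <= 0:          # misclassified or on the boundary
                mistakes += 1
                for b, c in x.items():
                    w[b] = w.get(b, 0.0) + y * c
        if mistakes == 0:                   # converged on the training set
            break
    return w

def classify(w: dict, payload: bytes) -> int:
    """+1 = worm-like, -1 = benign."""
    return 1 if dot(w, bigram_counts(payload)) > 0 else -1

# Constructed stand-in payloads (not real captures): worm-like requests that
# share a fixed request prefix but differ in filler byte, and ordinary requests.
WORMS = [b"GET /default.ida?" + f * 40 + b" HTTP/1.0\r\n" for f in (b"N", b"X", b"A")]
BENIGN = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\nuser=bob",
]
TRAINING = []
for worm, benign in zip(WORMS, BENIGN):     # interleave classes for training
    TRAINING += [(bigram_counts(worm), 1), (bigram_counts(benign), -1)]
MODEL = train_linear(TRAINING)

# A variant with a filler byte never seen in training: its "ZZ" bi-grams carry
# zero weight, so the verdict rests on the bi-grams of the shared prefix.
VARIANT = b"GET /default.ida?" + b"Z" * 40 + b" HTTP/1.0\r\n"
if __name__ == "__main__":
    print("variant verdict:", classify(MODEL, VARIANT))
```

Because the counts are unnormalized, the 39 repeated filler bi-grams dominate the raw feature vector of each training worm, yet the learned weights on the unseen filler are zero, which is exactly why the variant is still caught by the prefix bi-grams.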