Improving the Detection of Unknown Computer Worms Activity Using Active Learning

  • Authors:
  • Robert Moskovitch, Nir Nissim, Dima Stopel, Clint Feher, Roman Englert, Yuval Elovici

  • Affiliations:
  • Deutsche Telekom Laboratories at Ben-Gurion University, Be'er Sheva, 84105, Israel (all authors)

  • Venue:
  • KI '07 Proceedings of the 30th annual German conference on Advances in Artificial Intelligence
  • Year:
  • 2007


Abstract

Detecting unknown worms is a challenging task. Extant solutions, such as anti-virus tools, rely mainly on prior explicit knowledge of specific worm signatures. As a result, after a new worm appears on the Web there is a significant delay until an update carrying the worm's signature is distributed to anti-virus tools. We propose an innovative technique for detecting the presence of an unknown worm, based on measurements taken from the computer's operating system. We monitored 323 computer features and reduced them to 20 features through feature selection. Support vector machines were applied using 3 kernel functions. In addition, we used active learning as a selective sampling method to increase the performance of the classifier, exceeding 90% mean accuracy, and reaching 94% accuracy for specific unknown worms.
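The following is an added illustration of the selective-sampling idea in the abstract; it is not the authors' code. It assumes constructed per-host measurement vectors standing in for the paper's operating-system features, a linear hinge-loss SVM trained by stochastic subgradient descent in place of the paper's kernel SVMs, and uncertainty sampling (distance to the current hyperplane) as the criterion for choosing which unlabelled host to ask an oracle about, since the abstract does not state the criterion used.

```python
import random

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def make_host_vectors(n, rng):
    """Constructed measurements (outbound connection rate, distinct-destination rate, noise) in [0, 1]; +1 = worm, -1 = clean."""
    xs, ys = [], []
    for _ in range(n):
        worm = rng.random() < 0.5
        lo, hi = (0.7, 1.0) if worm else (0.0, 0.3)
        xs.append([rng.uniform(lo, hi), rng.uniform(lo, hi), rng.random()])
        ys.append(1 if worm else -1)
    return xs, ys

def train_linear_svm(xs, ys, lam=1e-3, eta=0.1, epochs=300, seed=0):
    """Primal hinge-loss SVM (linear kernel) fitted by stochastic subgradient descent."""
    rng = random.Random(seed)
    w, b = [0.0] * len(xs[0]), 0.0
    for _ in range(epochs):
        for i in rng.sample(range(len(xs)), len(xs)):
            w = [wj * (1 - eta * lam) for wj in w]            # weight decay
            if ys[i] * (dot(w, xs[i]) + b) < 1:                # margin violation
                w = [wj + eta * ys[i] * xj for wj, xj in zip(w, xs[i])]
                b += eta * ys[i]
    return w, b

def active_learn(pool_x, pool_y, seed_idx, budget):
    """Pool-based selective sampling: each round, query the label of the unlabelled host closest to the hyperplane."""
    labeled, unlabeled = list(seed_idx), [i for i in range(len(pool_x)) if i not in seed_idx]
    fit = lambda: train_linear_svm([pool_x[i] for i in labeled], [pool_y[i] for i in labeled])
    for _ in range(budget):
        w, b = fit()
        j = min(unlabeled, key=lambda i: abs(dot(w, pool_x[i]) + b))
        unlabeled.remove(j)
        labeled.append(j)                                      # oracle reveals pool_y[j]
    return fit(), labeled

def run_demo(pool_size=100, test_size=60, budget=12, seed=42):
    """Returns (held-out accuracy, number of labels used) for the active learner."""
    rng = random.Random(seed)
    pool_x, pool_y = make_host_vectors(pool_size, rng)
    test_x, test_y = make_host_vectors(test_size, rng)
    (w, b), labeled = active_learn(pool_x, pool_y, [pool_y.index(1), pool_y.index(-1)], budget)
    acc = sum((dot(w, x) + b > 0) == (y > 0) for x, y in zip(test_x, test_y)) / len(test_x)
    return acc, len(labeled)

if __name__ == "__main__":
    print("held-out accuracy %.2f with %d labelled hosts" % run_demo())
```

The seed set holds one labelled host per class, so the learner reaches its held-out accuracy with only the seed labels plus `budget` oracle queries, which is the labelling saving that selective sampling is meant to deliver.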