Windows NT/2000 Native API Reference
Undocumented Windows NT
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
A Sense of Self for Unix Processes
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
IEEE Security and Privacy
Proceedings of the 2004 ACM workshop on Rapid malcode
A behavioral approach to worm detection
Proceedings of the 2004 ACM workshop on Rapid malcode
The entropia virtual machine for desktop grids
Proceedings of the 1st ACM/USENIX international conference on Virtual execution environments
OSDI'04 Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation - Volume 6
Automated response using system-call delays
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Improving host security with system call policies
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Implementing and testing a virus throttle
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Intrusion detection using sequences of system calls
Journal of Computer Security
A distributed host-based worm detection system
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Proceedings of the 4th ACM workshop on Recurring malcode
NSPW '06 Proceedings of the 2006 workshop on New security paradigms
Dependency-based distributed intrusion detection
DETER Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007
Security against probe-response attacks in collaborative intrusion detection
Proceedings of the 2007 workshop on Large scale attack defense
Continuous Time Bayesian Networks for Host Level Network Intrusion Detection
ECML PKDD '08 Proceedings of the European conference on Machine Learning and Knowledge Discovery in Databases - Part II
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
A survey of data mining techniques for malware detection using file features
Proceedings of the 46th Annual Southeast Regional Conference on XX
Peer-to-Peer Architecture for Collaborative Intrusion and Malware Detection on a Large Scale
ISC '09 Proceedings of the 12th International Conference on Information Security
Community epidemic detection using time-correlated anomalies
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Intrusion detection using continuous time Bayesian networks
Journal of Artificial Intelligence Research
Towards robust and efficient computation in dynamic peer-to-peer networks
Proceedings of the twenty-third annual ACM-SIAM symposium on Discrete Algorithms
Zero-day malware detection based on supervised learning algorithms of API call signatures
AusDM '11 Proceedings of the Ninth Australasian Data Mining Conference - Volume 121
Storage and search in dynamic peer-to-peer networks
Proceedings of the twenty-fifth annual ACM symposium on Parallelism in algorithms and architectures
Detecting malicious behaviour using supervised learning algorithms of the function calls
International Journal of Electronic Security and Digital Forensics
Carat: collaborative energy diagnosis for mobile devices
Proceedings of the 11th ACM Conference on Embedded Networked Sensor Systems
We propose a host-based, runtime defense against worms that achieves negligible risk of false positives through peer-to-peer cooperation. We treat correlation among otherwise independent peers' behavior as anomalous behavior and as an indication of a fast-spreading worm. We detect such correlation by exploiting worms' temporal consistency: similarity (low temporal variance) in their invocations of system calls. We evaluate our ideas on Windows XP with Service Pack 2 using traces of nine variants of worms and twenty-five non-worms, including ten commercial applications and fifteen processes native to the platform. We find that two peers, upon exchanging snapshots of their internal behavior, defined as frequency distributions of system calls, can decide that they are, more likely than not, executing a worm between 76% and 97% of the time. More importantly, we find that the probability that peers might err, judging a non-worm a worm, is negligible.
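To make the mechanism in the abstract concrete, here is an added Python illustration (not the paper's code and not a faithful reimplementation of it). Each peer summarises a process's recent system-call trace as a frequency distribution over a fixed syscall alphabet, together with the temporal variance of that distribution across fixed-size windows; after exchanging these snapshots, two peers suspect a worm only when the distributions are close and both peers observed low temporal variance. The distance metric (total variation), the window size, the thresholds and the sample traces are all assumptions constructed for this example; the abstract specifies none of them.

```python
"""Peer-to-peer worm suspicion from system-call frequency distributions.

Added illustration, not the paper's code. Metric, window size, thresholds
and the sample traces are constructed assumptions for this example.
"""
from collections import Counter

# Fixed alphabet of NT native calls used for the constructed traces.
SYSCALLS = (
    "NtCreateFile", "NtReadFile", "NtWriteFile",
    "NtDeviceIoControlFile", "NtQueryInformationFile", "NtClose",
)


def frequency_distribution(trace):
    """Return {syscall: relative frequency} over SYSCALLS for one trace."""
    if not trace:
        raise ValueError("empty trace")
    counts = Counter(trace)
    total = len(trace)  # calls outside the alphabet still count in the denominator
    return {name: counts[name] / total for name in SYSCALLS}


def snapshot_distance(p, q):
    """Total variation distance between two distributions, in [0, 1]."""
    return 0.5 * sum(abs(p[name] - q[name]) for name in SYSCALLS)


def temporal_variance(trace, window):
    """Mean (over syscalls) of the variance of per-window frequencies.

    A process repeating the same loop yields near-identical windows and a
    variance near 0; a program whose phases differ (query, read, write,
    create/close) yields a much larger value.
    """
    if len(trace) < window:
        raise ValueError("trace shorter than one window")
    windows = [trace[i:i + window] for i in range(0, len(trace) - window + 1, window)]
    dists = [frequency_distribution(w) for w in windows]
    n = len(dists)
    total = 0.0
    for name in SYSCALLS:
        values = [d[name] for d in dists]
        mean = sum(values) / n
        total += sum((v - mean) ** 2 for v in values) / n
    return total / len(SYSCALLS)


def make_snapshot(trace, window=20):
    """What a peer sends: its distribution plus its own temporal variance."""
    return {"distribution": frequency_distribution(trace),
            "variance": temporal_variance(trace, window)}


def peers_suspect_worm(snap_a, snap_b, max_distance=0.1, max_variance=0.005):
    """Decision rule applied after the exchange (threshold values are assumed)."""
    close = snapshot_distance(snap_a["distribution"], snap_b["distribution"]) <= max_distance
    steady = snap_a["variance"] <= max_variance and snap_b["variance"] <= max_variance
    return close and steady


# --- Constructed sample traces (not real captures) -------------------------
_CYCLE = ["NtCreateFile", "NtWriteFile", "NtReadFile", "NtClose"]
# Peer A: a process that repeats the same loop 50 times.
WORM_A = _CYCLE * 50
# Peer B: the same loop observed from a different phase, with two extra closes.
WORM_B = (_CYCLE * 50)[2:] + ["NtClose", "NtClose"]
# A benign, phase-structured process: query, read, write, then create/close.
EDITOR = (["NtQueryInformationFile"] * 40 + ["NtClose"] * 10
          + ["NtReadFile"] * 40 + ["NtClose"] * 10
          + ["NtWriteFile"] * 50
          + ["NtCreateFile"] * 30 + ["NtClose"] * 20)


if __name__ == "__main__":
    a, b, e = (make_snapshot(t) for t in (WORM_A, WORM_B, EDITOR))
    print("worm/worm    :", peers_suspect_worm(a, b))  # True
    print("worm/editor  :", peers_suspect_worm(a, e))  # False: distributions differ
    print("editor/editor:", peers_suspect_worm(e, e))  # False: same app, but unsteady
```

The third case is the reason the snapshot carries the variance as well as the distribution: two peers running the same benign application produce identical distributions, and without the low-variance requirement that coincidence alone would look like the correlation the scheme treats as a worm indicator.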