BINDER: an extrusion-based break-in detector for personal computers

Authors:
Weidong Cui;Randy H. Katz;Wai-tian Tan
Affiliations:
University of California, Berkeley and Hewlett-Packard Laboratories;University of California, Berkeley and Hewlett-Packard Laboratories;University of California, Berkeley and Hewlett-Packard Laboratories
Venue:
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Year:
2005

Citing 7
Cited 5

The base-rate fallacy and its implications for the difficulty of intrusion detection

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
A framework for constructing features and models for intrusion detection systems

ACM Transactions on Information and System Security (TISSEC)
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Detecting stepping stones

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Intrusion detection using sequences of system calls

Journal of Computer Security

BotTracer: Execution-Based Bot-Like Malware Detection

ISC '08 Proceedings of the 11th international conference on Information Security
A chipset level network backdoor: bypassing host-based firewall & IDS

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
The user is not the enemy: fighting malware by tracking user intentions

Proceedings of the 2008 workshop on New security paradigms
Joint network-host based malware detection using information-theoretic tools

Journal in Computer Virology
Protecting health information on mobile devices

Proceedings of the second ACM conference on Data and Application Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Compromised computers have been a menace to both personal and business computing. In this paper, we tackle the problem of automated detection of break-ins of new unknown threats such as worms, spyware and adware on personal computers. We propose Break-IN DEtectoR (BINDER), a host-based break-in detection system. Our key observation is that many break-ins make extrusions, stealthy malicious outgoing network connections. BINDER exploits a unique characteristic of personal computers, that most network activities are directly or indirectly triggered by user input. Since threats tend to run as background precesses and thus do not receive any user input, the intuition behind BINDER is that only threats generate connections without user input. By correlating outgoing network connections and processing information with user activities, BINDER can capture extrusions and thus break-ins.