Compromised computers have been a menace to both personal and business computing. In this paper, we tackle the problem of automatically detecting break-ins by new, unknown threats such as worms, spyware and adware on personal computers. We propose Break-IN DEtectoR (BINDER), a host-based break-in detection system. Our key observation is that many break-ins make extrusions: stealthy, malicious outgoing network connections. BINDER exploits a unique characteristic of personal computers: most network activity is directly or indirectly triggered by user input. Since threats tend to run as background processes and thus receive no user input, the intuition behind BINDER is that only threats generate connections without user input. By correlating outgoing network connections and process information with user activities, BINDER can capture extrusions and thus break-ins.
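The correlation rule the abstract describes, as an added example and not code from the BINDER paper: a connection is treated as user-triggered if the connecting process, or one of its ancestors (the "indirect" case), received user input within a time window; otherwise it is flagged as an extrusion. The process names, parent map, event log and the 10-second window are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed parent map: a child launched by a process that received
# user input inherits that input (indirect triggering). None = no parent.
PARENT = {"explorer": None, "browser": "explorer", "updater": "explorer", "svc": None}

@dataclass
class Event:
    t: float       # seconds since monitoring started
    kind: str      # "input" (keyboard/mouse delivered to pid) or "connect"
    pid: str       # process name stands in for a PID here
    dst: str = ""  # destination for connect events

# Constructed sample event log, already ordered by time.
EVENTS = [
    Event(0.0, "input", "explorer"),
    Event(0.5, "input", "browser"),
    Event(1.0, "connect", "browser", "198.51.100.10:443"),
    Event(30.0, "connect", "svc", "203.0.113.7:6667"),
    Event(31.0, "connect", "updater", "198.51.100.20:80"),
    Event(120.0, "connect", "browser", "198.51.100.10:443"),
]

def ancestors(pid, parent=PARENT):
    """Yield pid, then its parent, grandparent, ... up to the root."""
    while pid is not None:
        yield pid
        pid = parent.get(pid)

def find_extrusions(events, window=10.0, parent=PARENT):
    """Return (t, pid, dst) for every connection made without user input
    to the process or any ancestor within `window` seconds beforehand."""
    last_input = {}  # pid -> time of most recent user input
    flagged = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "input":
            last_input[ev.pid] = ev.t
        elif ev.kind == "connect":
            recent = any(
                ev.t - last_input.get(p, float("-inf")) <= window
                for p in ancestors(ev.pid, parent)
            )
            if not recent:
                flagged.append((ev.t, ev.pid, ev.dst))
    return flagged

if __name__ == "__main__":
    for t, pid, dst in find_extrusions(EVENTS):
        print(f"extrusion at t={t}: {pid} -> {dst}")
```

The browser connection at t=120 shows the trade-off the window controls: a larger window tolerates legitimate delayed connections at the cost of missing a threat that starts shortly after the user last touched its parent.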