PC Worm Detection System Based on the Correlation between User Interactions and Comprehensive Network Behaviors

Anomaly-based worm detection is a complement to existing signature-based worm detectors. It detects unknown worms and fills the gap between when a worm is propagated and when a signature is generated and downloaded to a signature-based worm detector. A major obstacle to its deployment on personal computers (PCs) is its high rate of false positive alarms, since a typical PC user, without much knowledge of computers, lacks the skill to handle exceptions flagged by a detector. In this paper, we exploit a feature of personal computers, namely that the user interacts with many running programs, together with features that combine various network characteristics. The model of a program's network behaviors is conditioned on the human interactions with the program. Our scheme automates detection of unknown worms with dramatically reduced false positive alarms while not compromising low false negatives, as proved by our experimental results from an implementation on Windows-based PCs to detect real-world worms.
Publisher
IEICE-INST ELECTRONICS INFORMATION COMMUNICATIONS ENG
Issue Date
2013-08
Language
English
Article Type
Article
Keywords

SPREAD

Citation

IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS, v.E96D, no.8, pp.1716 - 1726

ISSN
0916-8532
DOI
10.1587/transinf.E96.D.1716
URI
http://hdl.handle.net/10203/193179
Appears in Collection
CS-Journal Papers (Journal Papers)