3rd International ICST Conference on Security and Privacy in Communication Networks

Research Article

Detecting Worms via Mining Dynamic Program Execution

  • @INPROCEEDINGS{10.1109/SECCOM.2007.4550362,
        author={Xun Wang and Wei Yu and Adam Champion and Xinwen Fu and Dong Xuan},
        title={Detecting Worms via Mining Dynamic Program Execution},
        proceedings={3rd International ICST Conference on Security and Privacy in Communication Networks},
        publisher={IEEE},
        proceedings_a={SECURECOMM},
        year={2008},
        month={6},
        keywords={Worm detection, data mining, dynamic program analysis, system call tracing},
        doi={10.1109/SECCOM.2007.4550362}
    }
    
Xun Wang, Wei Yu, Adam Champion, Xinwen Fu, Dong Xuan

    Abstract

    Worm attacks have been major security threats to the Internet. Detecting worms, especially new, unseen worms, is still a challenging problem. In this paper, we propose a new worm detection approach based on mining dynamic program executions. This approach captures dynamic program behavior to provide accurate and efficient detection against both seen and unseen worms. In particular, we execute a large number of real-world worms and benign programs (executables), and trace their system calls. We apply two classifier-learning algorithms (Naive Bayes and Support Vector Machine) to obtain classifiers from a large number of features extracted from the system call traces. The learned classifiers are further used to carry out rapid worm detection with low overhead on the end-host. Our experimental results clearly demonstrate the effectiveness of our approach in detecting new worms, in terms of a very high detection rate and a low false positive rate.
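    The pipeline the abstract sketches (trace system calls, turn traces into features, learn a classifier, score new executables) is small enough to show end to end. The block below is an added illustration written for this page; it is not the authors' code and does not reproduce their feature set, their SVM classifier, or their dataset. It uses syscall bigrams as features and a Laplace-smoothed multinomial Naive Bayes classifier implemented on the standard library, and every "trace" in it is constructed by hand (ordinary Linux syscall names chosen to look plausible), not recorded from real worms or benign binaries. The evaluation function reports the two metrics the abstract uses, detection rate and false positive rate, over a constructed held-out set.

```python
"""Syscall-trace n-gram features + multinomial Naive Bayes for worm-vs-benign classification.

Added illustration of the approach described in the abstract; NOT the paper's code.
All traces below are constructed for the example, not recorded from real executables.
"""
from collections import Counter, defaultdict
import math

# Constructed training traces (hypothetical). In practice these would come from a
# tracer such as strace/ptrace run over many real worm and benign executables.
BENIGN_TRACES = [
    "open read read write close",
    "open fstat read mmap munmap close exit_group",
    "stat open read read read close write",
    "brk open read write close open read close",
    "mmap open read fstat close exit_group",
    "open read write write close",
]
WORM_TRACES = [
    "socket connect sendto recvfrom open write close execve",
    "socket bind listen accept recvfrom sendto close",
    "socket connect sendto sendto sendto close socket connect",
    "socket connect recvfrom open write chmod execve",
    "socket sendto sendto recvfrom socket sendto close",
    "open read socket connect sendto close socket connect sendto",
]


def ngram_features(trace, n=2):
    """Bag of syscall n-grams. Unlike a plain syscall histogram, n-grams keep the
    local ordering of calls (e.g. connect followed by sendto), which is what makes
    propagation behaviour stand out from file I/O."""
    calls = trace.split()
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))


class MultinomialNB:
    """Multinomial Naive Bayes with add-alpha (Laplace) smoothing, no third-party deps."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_log_prior = {}
        self.feature_log_prob = {}   # label -> {n-gram: log P(n-gram | label)}
        self.unseen_log_prob = {}    # label -> log P for an n-gram never seen for that label
        self.vocab = set()

    def fit(self, samples):
        """samples: iterable of (feature Counter, label)."""
        counts, n_docs = defaultdict(Counter), Counter()
        for feats, label in samples:
            counts[label].update(feats)
            n_docs[label] += 1
            self.vocab.update(feats)
        total_docs = sum(n_docs.values())
        for label, c in counts.items():
            self.class_log_prior[label] = math.log(n_docs[label] / total_docs)
            denom = sum(c.values()) + self.alpha * len(self.vocab)
            self.feature_log_prob[label] = {
                f: math.log((c[f] + self.alpha) / denom) for f in self.vocab}
            # smoothing keeps the score finite for n-grams absent from this class
            self.unseen_log_prob[label] = math.log(self.alpha / denom)

    def log_posterior(self, feats):
        scores = {}
        for label, prior in self.class_log_prior.items():
            lp, unseen = self.feature_log_prob[label], self.unseen_log_prob[label]
            scores[label] = prior + sum(cnt * lp.get(f, unseen) for f, cnt in feats.items())
        return scores

    def predict(self, feats):
        scores = self.log_posterior(feats)
        return max(scores, key=scores.get)


def train_detector(n=2):
    samples = [(ngram_features(t, n), "benign") for t in BENIGN_TRACES]
    samples += [(ngram_features(t, n), "worm") for t in WORM_TRACES]
    clf = MultinomialNB()
    clf.fit(samples)
    return clf


def classify(clf, trace, n=2):
    return clf.predict(ngram_features(trace, n))


# Constructed held-out traces; none of them appears verbatim in the training data.
TEST_BENIGN = [
    "open read fstat read write close",
    "brk mmap open read close exit_group",
    "open read read write close",
]
TEST_WORM = [
    "socket connect sendto recvfrom open write execve",
    "open read read socket connect sendto sendto close",   # benign-looking prefix
    "socket bind listen accept recvfrom sendto sendto close",
]


def evaluate(clf, benign=TEST_BENIGN, worms=TEST_WORM):
    """Returns (detection rate, false positive rate): worms flagged / worms,
    benign traces flagged / benign traces."""
    tp = sum(classify(clf, t) == "worm" for t in worms)
    fp = sum(classify(clf, t) == "worm" for t in benign)
    return tp / len(worms), fp / len(benign)


if __name__ == "__main__":
    detector = train_detector()
    for t in TEST_BENIGN + TEST_WORM:
        print(f"{classify(detector, t):>6}  {t}")
    print("detection rate, false positive rate:", evaluate(detector))
```

    The second held-out worm trace starts with file reads that look benign; the classifier still flags it because the network bigrams (socket connect, connect sendto, sendto sendto) were never observed in the benign class, so smoothing assigns them a small probability there while they are common in the worm class. On real data the same mechanism is what lets a classifier trained on known worms generalize to unseen ones, provided the unseen worm shares behavioural n-grams with the training set; a worm whose trace consists entirely of n-grams never seen for either class falls back on the priors, which is the edge case to watch when evaluating detection rate.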