Detecting unknown computer worm activity via support vector machines and active learning

Cited by: 44
Authors
Nissim, Nir [1 ,2 ]
Moskovitch, Robert [1 ,2 ]
Rokach, Lior [1 ,2 ]
Elovici, Yuval [1 ,2 ]
Affiliations
[1] Ben Gurion Univ Negev, Deutsch Telekom Labs, IL-84105 Beer Sheva, Israel
[2] Ben Gurion Univ Negev, Dept Informat Syst Engn, IL-84105 Beer Sheva, Israel
Keywords
Malware detection; Supervised learning; Active learning;
DOI
10.1007/s10044-012-0296-4
Chinese Library Classification
TP18 [Artificial intelligence theory];
Discipline classification code
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
To detect the presence of unknown worms, we propose a technique based on computer measurements extracted from the operating system. We designed a series of experiments to test the new technique by employing several computer configurations and background application activities. In the course of the experiments, 323 computer features were monitored. Four feature-ranking measures were used to reduce the number of features required for classification. We applied support vector machines to the resulting feature subsets. In addition, we used active learning as a selective sampling method to increase the performance of the classifier and improve its robustness in the presence of misleading instances in the data. Our results indicate a mean detection accuracy in excess of 90 %, and an accuracy above 94 % for specific unknown worms using just 20 features, while maintaining a low false-positive rate when the active learning approach is applied.
Pages: 459 / 475
Page count: 17