
Using artificial neural networks to detect unknown computer worms

  • Original Article
  • Neural Computing and Applications


Abstract

Detecting computer worms is a highly challenging task. We present a new approach that uses artificial neural networks (ANN) to detect the presence of computer worms based on measurements of computer behavior. We compare ANN to three other classification methods and show the advantages of ANN for detection of known worms. We then proceed to evaluate ANN’s ability to detect the presence of an unknown worm. As the measurement of a large number of system features may require significant computational resources, we evaluate three feature selection techniques. We show that, using only five features, one can detect an unknown worm with an average accuracy of 90%. We use a causal index analysis of our trained ANN to identify rules that explain the relationships between the selected features and the identity of each worm. Finally, we discuss the possible application of our approach to host-based intrusion detection systems.
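The abstract describes the pipeline at a high level: measure host behaviour, rank features, keep a handful, train a classifier, and evaluate on held-out data. The following is an added example, not the paper's code or data, that runs that pipeline end to end on constructed measurements. It ranks features with the Golub et al. signal-to-noise score (one reasonable ranking criterion; the page does not say which three selection techniques the authors compared), keeps the top k, and trains a plain logistic-regression classifier in place of the paper's ANN. Feature names are hypothetical and only loosely modelled on Windows performance counters; all sample values are generated from a seeded random source and labelled as constructed.

```python
"""Feature ranking plus a simple classifier on constructed host-behaviour data."""
import math
import random

# Hypothetical feature names, not the paper's feature set.
FEATURE_NAMES = [
    "tcp_connections_per_sec",   # constructed to be informative
    "process_create_per_sec",    # constructed to be informative
    "pages_per_sec",             # constructed noise
    "disk_reads_per_sec",        # constructed noise
    "cpu_user_time",             # constructed noise
    "context_switches_per_sec",  # constructed noise
]


def make_dataset(n_per_class=200, seed=7):
    """Constructed samples: label 1 = worm-infected host, 0 = clean host."""
    rng = random.Random(seed)
    xs, ys = [], []
    for label in (0, 1):
        for _ in range(n_per_class):
            row = [
                rng.gauss(60.0 if label else 5.0, 8.0),   # scanning raises connection rate
                rng.gauss(12.0 if label else 2.0, 2.0),   # worm spawns extra processes
                rng.gauss(300.0, 50.0),
                rng.gauss(40.0, 10.0),
                rng.gauss(20.0, 5.0),
                rng.gauss(5000.0, 800.0),
            ]
            xs.append(row)
            ys.append(label)
    order = list(range(len(xs)))
    rng.shuffle(order)
    return [xs[i] for i in order], [ys[i] for i in order]


def _mean_std(vals):
    m = sum(vals) / len(vals)
    var = sum((v - m) ** 2 for v in vals) / len(vals)
    return m, math.sqrt(var)


def snr_scores(xs, ys):
    """Golub signal-to-noise score per feature: |mu1 - mu0| / (s1 + s0)."""
    scores = []
    for j in range(len(xs[0])):
        col0 = [x[j] for x, y in zip(xs, ys) if y == 0]
        col1 = [x[j] for x, y in zip(xs, ys) if y == 1]
        m0, s0 = _mean_std(col0)
        m1, s1 = _mean_std(col1)
        scores.append(abs(m1 - m0) / (s1 + s0 + 1e-12))
    return scores


def select_top_k(xs, ys, k):
    """Indices of the k highest-scoring features, best first."""
    scores = snr_scores(xs, ys)
    return sorted(range(len(scores)), key=lambda j: -scores[j])[:k]


def standardize_fit(xs, cols):
    """Per-column mean/std learned on the training split only."""
    return [_mean_std([x[j] for x in xs]) for j in cols]


def project(xs, cols, stats):
    """Keep the selected columns and z-score them with the fitted stats."""
    return [[(x[j] - m) / (s + 1e-12) for j, (m, s) in zip(cols, stats)] for x in xs]


def train_logreg(xs, ys, epochs=300, lr=0.1):
    """Batch gradient-descent logistic regression, no external libraries."""
    d, n = len(xs[0]), len(xs)
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for x, y in zip(xs, ys):
            z = sum(wi * xi for wi, xi in zip(w, x)) + b
            err = 1.0 / (1.0 + math.exp(-z)) - y
            for i in range(d):
                gw[i] += err * x[i]
            gb += err
        for i in range(d):
            w[i] -= lr * gw[i] / n
        b -= lr * gb / n
    return w, b


def predict(model, xs):
    w, b = model
    return [1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0 for x in xs]


def accuracy(pred, ys):
    return sum(p == y for p, y in zip(pred, ys)) / len(ys)


def run_experiment(k=2):
    """Select k features on the training half, evaluate on the held-out half."""
    xs, ys = make_dataset()
    split = len(xs) // 2
    tr_x, tr_y, te_x, te_y = xs[:split], ys[:split], xs[split:], ys[split:]
    cols = select_top_k(tr_x, tr_y, k)
    stats = standardize_fit(tr_x, cols)
    model = train_logreg(project(tr_x, cols, stats), tr_y)
    acc = accuracy(predict(model, project(te_x, cols, stats)), te_y)
    return {"selected": [FEATURE_NAMES[j] for j in cols], "accuracy": acc}


if __name__ == "__main__":
    print(run_experiment())
```

Two details matter for an honest evaluation of "unknown worm" detection: the ranking and the standardisation statistics are both fitted on the training split only, so the held-out accuracy is not inflated by leakage, and the held-out split here still contains the same worm family as training, which is the known-worm setting; an unknown-worm evaluation would hold out an entire worm's samples.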




Acknowledgments

This study was done as a part of a Deutsche-Telekom Co./Ben-Gurion University joint research project. We would like to thank Clint Feher for providing the worm software and for creating the large number of security data sets used in this study.

Corresponding author

Correspondence to Dima Stopel.


Cite this article

Stopel, D., Moskovitch, R., Boger, Z. et al. Using artificial neural networks to detect unknown computer worms. Neural Comput & Applic 18, 663–674 (2009). https://doi.org/10.1007/s00521-009-0238-2
