DOI: 10.1145/2659651.2659737 (research article, SIN '14 conference proceedings)

Exploring Worm Behaviors using DTW

Published: 09 September 2014

Abstract

Worms are becoming a potential threat to Internet users across the globe. The financial damage caused by computer worms has increased significantly in the past few years, and analyzing these hazardous worm attacks has become a crucial issue to address. Since worm analysts would prefer to analyze classes of worms rather than individual files, grouping samples into such classes significantly reduces their task. In this paper, we propose a dynamic host-based worm categorization approach that segregates worms into groups. These groups indicate that worm samples exhibit different behavior according to their infection and anti-detection vectors. Our proposed approach utilizes system-call traces and computes a distance matrix using the Dynamic Time Warping (DTW) algorithm to form these groups. In addition, the proposed approach also discriminates between worm and benign executables. The constructed model is further evaluated with unknown instances of real-world worms.
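
As an added illustration of the approach the abstract describes (example code, not the paper's own), the following Python computes the DTW distance between two system-call traces with a 0/1 local cost, builds the pairwise distance matrix, groups samples whose traces warp onto each other within a threshold, and labels an unknown trace by its nearest known sample. The traces and the shortened syscall names are constructed for the example and are not data from the paper.

```python
# Added example (not the paper's code): DTW over system-call name sequences,
# the pairwise distance matrix, threshold grouping and nearest-sample labelling.
from itertools import combinations

def dtw_distance(a, b):
    """DTW distance between two syscall-name sequences: local cost is 0 for a
    matching name and 1 otherwise, so it counts positions that cannot be
    aligned even after stretching either trace in time."""
    n, m = len(a), len(b)
    cost = [[float("inf")] * (m + 1) for _ in range(n + 1)]  # a[:i] vs b[:j]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            step = 0.0 if a[i - 1] == b[j - 1] else 1.0
            cost[i][j] = step + min(cost[i - 1][j],      # a advances, b repeats
                                    cost[i][j - 1],      # b advances, a repeats
                                    cost[i - 1][j - 1])  # both advance
    return cost[n][m]

def distance_matrix(traces):
    """Symmetric DTW distance matrix over a dict of sample name -> trace."""
    names = list(traces)
    mat = {x: {y: 0.0 for y in names} for x in names}
    for x, y in combinations(names, 2):
        mat[x][y] = mat[y][x] = dtw_distance(traces[x], traces[y])
    return mat

def group_by_threshold(mat, threshold):
    """Single-linkage grouping: samples within threshold of each other share a group."""
    parent = {x: x for x in mat}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for x, y in combinations(mat, 2):
        if mat[x][y] <= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for x in mat:
        groups.setdefault(find(x), []).append(x)
    return sorted(sorted(g) for g in groups.values())

def nearest_name(trace, traces):
    """Name of the known sample whose trace is nearest to `trace` under DTW."""
    return min(traces, key=lambda name: dtw_distance(trace, traces[name]))

# Constructed traces with abbreviated syscall names (hypothetical, not paper data).
TRACES = {
    "worm_a":  ["open", "read", "thread", "ioctl", "ioctl", "write"],
    "worm_a2": ["open", "read", "thread", "ioctl", "ioctl", "ioctl", "write"],
    "benign":  ["open", "read", "write", "close"],
}
```

The repeated `ioctl` in `worm_a2` costs nothing under DTW, so the two worm traces fall into one group while the benign trace stays apart.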


Cited By

  • (2021) Denial of service detection using dynamic time warping. International Journal of Network Management, 31(6). DOI: 10.1002/nem.2159. Online publication date: 2-Nov-2021.
  • (2015) Dynamic Time Warping of Multimodal Signals for Detecting Highlights in Movies. Proceedings of the 1st Workshop on Modeling INTERPERsonal SynchrONy And infLuence, pages 35-40. DOI: 10.1145/2823513.2823515. Online publication date: 13-Nov-2015.


    Published In

    SIN '14: Proceedings of the 7th International Conference on Security of Information and Networks
    September 2014
    518 pages
    ISBN:9781450330336
    DOI:10.1145/2659651
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. Behavior Monitoring
    2. DTW
    3. System-calls

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    SIN '14

    Acceptance Rates

    SIN '14 Paper Acceptance Rate 32 of 109 submissions, 29%;
    Overall Acceptance Rate 102 of 289 submissions, 35%
