DOI: 10.1145/1179542.1179548

Exploiting temporal consistency to reduce false positives in host-based, collaborative detection of worms

Published: 03 November 2006

Abstract

The speed of today's worms demands automated detection, but the risk of false positives poses a difficult problem. In prior work, we proposed a host-based intrusion-detection system for worms that leveraged collaboration among peers to lower its risk of false positives, and we simulated this approach for a system with two peers. In this paper, we build upon that work and evaluate our ideas "in the wild." We implement Wormboy 2.0, a prototype of our vision that allows us to quantify and compare worms' and non-worms' temporal consistency, that is, similarity over time in worms' and non-worms' invocations of system calls. We deploy our prototype to a network of 30 hosts running Windows XP with Service Pack 2 to monitor and analyze 10,776 processes, inclusive of 511 unique non-worms (873 if we consider unique versions to be unique non-worms). We identify properties with which we can distinguish non-worms from worms 99% of the time. We find that our collaborative architecture, using patterns of system calls and simple heuristics, can detect worms running on multiple peers. And we find that collaboration among peers significantly reduces our probability of false positives because of the unlikely appearance on many peers simultaneously of non-worm processes with worm-like properties.
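As an added illustration (not the paper's code; the abstract does not give Wormboy's actual similarity measure or heuristics), the following Python models the two ideas in the abstract: a per-process temporal-consistency score computed over windows of a system-call trace, and a peer quorum that suppresses an alert unless several hosts flag the same executable at the same time. The trace contents, the cosine measure, the 0.9 threshold, the 3-of-30 quorum and the per-peer false-positive rate are assumptions.

```python
from collections import Counter
from math import comb, sqrt


def cosine(a, b):
    """Cosine similarity between two system-call histograms (Counters)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def temporal_consistency(trace, window=4):
    """Mean similarity between consecutive fixed-size windows of one process's
    system-call trace. A process repeating the same loop scores near 1.0; a
    process whose behaviour shifts from window to window scores lower."""
    hists = [Counter(trace[i:i + window])
             for i in range(0, len(trace) - window + 1, window)]
    if len(hists) < 2:
        return 0.0
    sims = [cosine(hists[i], hists[i + 1]) for i in range(len(hists) - 1)]
    return sum(sims) / len(sims)


def collaborative_alert(peer_reports, threshold=0.9, quorum=3):
    """Alert only on executables that at least `quorum` peers flag at once.
    peer_reports maps peer -> (executable name, consistency score)."""
    votes = Counter(name for name, score in peer_reports.values() if score >= threshold)
    return {name for name, n in votes.items() if n >= quorum}


def false_positive_probability(p, n, quorum):
    """P(at least `quorum` of n peers flag benign processes at the same moment),
    treating per-peer false positives as independent with probability p."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(quorum, n + 1))


# Constructed traces (assumption): a tight connect/send loop vs. a varied editor session.
WORM_TRACE = ["NtCreateFile", "NtDeviceIoControlFile", "NtWriteFile", "NtClose"] * 6
EDITOR_TRACE = ["NtOpenFile", "NtReadFile", "NtQueryValueKey", "NtClose",
                "NtWriteFile", "NtSetInformationFile", "NtOpenKey", "NtClose",
                "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection",
                "NtFreeVirtualMemory"]

if __name__ == "__main__":
    print("worm consistency  :", round(temporal_consistency(WORM_TRACE), 3))
    print("editor consistency:", round(temporal_consistency(EDITOR_TRACE), 3))
    reports = {"host01": ("scan.exe", 0.98), "host02": ("scan.exe", 0.96),
               "host03": ("scan.exe", 0.99), "host04": ("backup.exe", 0.94)}
    print("alerts:", collaborative_alert(reports))  # backup.exe on one host is not enough
    print("FP prob, 30 peers, 1 vote :", false_positive_probability(0.01, 30, 1))
    print("FP prob, 30 peers, 3 votes:", false_positive_probability(0.01, 30, 3))
```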


Cited By

  • (2017) An Anomaly Detection Fabric for Clouds Based on Collaborative VM Communities. Proceedings of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pages 431-441. doi:10.1109/CCGRID.2017.61
  • (2015) A Temporal Pattern Mining Based Approach for Intrusion Detection Using Similarity Measure. Proceedings of the International Conference on Engineering & MIS 2015, pages 1-8. doi:10.1145/2832987.2833077
  • (2011) Identifying the provenance of correlated anomalies. Proceedings of the 2011 ACM Symposium on Applied Computing, pages 224-229. doi:10.1145/1982185.1982236
  • (2010) Community epidemic detection using time-correlated anomalies. Proceedings of the 13th international conference on Recent advances in intrusion detection, pages 360-381. doi:10.5555/1894166.1894191
  • (2010) Fine-grained tracking of Grid infections. 2010 11th IEEE/ACM International Conference on Grid Computing, pages 73-80. doi:10.1109/GRID.2010.5697969
  • (2010) Community Epidemic Detection Using Time-Correlated Anomalies. Recent Advances in Intrusion Detection, pages 360-381. doi:10.1007/978-3-642-15512-3_19

Published In

WORM '06: Proceedings of the 4th ACM workshop on Recurring malcode
November 2006, 88 pages
ISBN: 1595935517
DOI: 10.1145/1179542

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags: HIDS, IDS, collaborative detection, host-based intrusion detection, native API, peers, system calls, system services, temporal consistency, win32, windows, worms

Conference: CCS06