Title
Worm Detection At Network Endpoints Using Information-Theoretic Traffic Perturbations
Abstract
In this paper, we propose an endpoint-based anomaly detection scheme that detects computer worms by comparing the current traffic patterns of each host to the corresponding benign traffic profile of the host. To detect deviations in the traffic patterns, we employ the information-theoretic Kullback-Leibler (K-L) divergence measure, which estimates the distance between the distribution of source/destination ports engaged in current communication and that observed in the legitimate host traffic collected earlier. We use a small subset of traces obtained from endpoints in home, university, and office environments to build benign traffic profiles of the studied endpoints. Endpoint traces are then infected with both real and simulated worms to examine the performance of our detection mechanism. To perform automated, real-time worm detection, we use Support Vector Machines (SVMs) that are trained using the K-L divergence values. Our results show that the proposed worm detector provides almost 100% detection with negligible false-alarm rates and significantly surpasses the accuracy of existing anomaly detectors.
Year: 2008
DOI: 10.1109/ICC.2008.302
Venue: 2008 IEEE INTERNATIONAL CONFERENCE ON COMMUNICATIONS, PROCEEDINGS, VOLS 1-13
Keywords: i. introduction, anomaly detection, statistics, false alarm rate, kullback leibler, computer networks, testing, computer worms, support vector machine, real time, computer worm, detectors, support vector machines, information theory
Field: Information theory, Data mining, Anomaly detection, Divergence, Computer science, ALARM, Support vector machine, Computer worm, Detector, Perturbation (astronomy)
DocType: Conference
ISSN: 1550-3607
Citations: 6
PageRank: 0.48
References: 10
Authors: 3
Name, Order, Citations, PageRank
Syed A. Khayam115512.69
Hayder Radha21295130.74
Dmitri Loguinov3129891.08