An internet worm detector for personal computers (Internet worm detection techniques for personal PC security)

Personal computers are normally operated by one user at a time to perform general-purpose tasks such as word processing, Internet browsing, e-mail, and other personal uses. Combined with the great capabilities of hardware and software technologies, the power of personal computers has radically increased. The frequency of attacks on Microsoft Windows and the resulting damage continue to grow as Windows becomes widespread. Unfortunately, existing signature-based worm detection techniques are inadequate for providing a reasonable degree of protection for PCs.

Anomaly-based worm detection is a complement to existing signature-based worm detectors. It detects unknown worms and fills the gap between when a worm is propagated and when a signature is generated and downloaded to a signature-based worm detector. A major obstacle to its deployment on personal computers (PCs) is its high rate of false positive alarms, since a typical PC user, without much knowledge of computers, lacks the skill to handle exceptions flagged by a detector.

First, we studied the behaviors of benign applications and Internet worms and analyzed the apparent characteristics that are effective enough to differentiate between normal applications and Internet worms. We developed a simple linear classifier to detect Internet worms based on the combination of user-activity and system-event temporal gap, network outreach diversity, and port access activity level. An experiment involving blind users was conducted, and the performance of the methodology was analyzed based on a simple linear classification. Even if the anomaly detection approach is too simple and naive to be practical for deployment in a real PC environment, it is likely to be helpful for understanding that the basic 4 worm detection attributes are good enough to differentiate between normal applications and Internet worms, and how these attributes affect the worm detection framework.

We introduce the correlation of basic 4 detection attributes...
Advisors
Bae, Doo-Hwan (배두환)
Description
Korea Advanced Institute of Science and Technology (KAIST) : Department of Computer Science
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2013
Identifier
566037/325007  / 020025838
Language
eng
Description

Thesis (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST) : Department of Computer Science, 2013.8, [ vi, 52 p. ]

Keywords

personal computer security; PC security; worm detection; Internet worm

URI
http://hdl.handle.net/10203/197801
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=566037&flag=dissertation
Appears in Collection
CS-Theses_Ph.D. (Doctoral Theses)
Files in This Item
There are no files associated with this item.
