Institute of Computing Technology, Chinese Academy IR
| Causality reasoning about network events for detecting stealthy malware activities | |
| Zhang, Hao1; Yao, Danfeng (Daphne)1; Rarnakrishnan, Naren1; Zhang, Zhibin2 | |
| 2016-05-01 | |
| 发表期刊 | COMPUTERS & SECURITY
 |
| ISSN | 0167-4048 |
| 卷号 | 58页码:180-198 |
| 摘要 | Malicious software activities have become more and more clandestine, making them challenging to detect. Existing security solutions rely heavily on the recognition of known code or behavior signatures, which are incapable of detecting new maiware patterns. We propose to discover the triggering relations on network requests and leverage the structural information to identify stealthy malware activities that cannot be attributed to a legitimate cause. The triggering relation is defined as the temporal and causal, relationship between two events. We design and compare rule- and learning-based methods to infer the triggering relations on network data. We further introduce a user-intention based security policy for pinpointing stealthy malware activities based on a triggering relation graph. We extensively evaluate our solution on a DARPA dataset and 7 GB real-world network traffic. Results indicate that our dependence analysis successfully detects various maiware activities including spyware, data exfiltrating malware, and DNS bots on hosts. With good scalability for large datasets, the learning-based method achieves better classification accuracy than the rule-based one. The significance of our traffic reasoning approach is its ability to detect new and stealthy malware activities. (C) 2016 The Authors. Published by Elsevier Ltd. |
| 关键词 | Network security Anomaly detection Stealthy maiware Traffic analysis Dependence analysis Machine learning classification |
| DOI | 10.1016/j.cose.2016.01.002 |
| 收录类别 | SCI |
| 语种 | 英语 |
| 资助项目 | NSF[CAREER CNS-0953638] ; NSF[ARO YIP W911NF-14-1-0535] ; L-3 communications |
| WOS研究方向 | Computer Science |
| WOS类目 | Computer Science, Information Systems |
| WOS记录号 | WOS:000372764600012 |
| 出版者 | ELSEVIER ADVANCED TECHNOLOGY |
| 引用统计 | |
| 文献类型 | 期刊论文 |
| 条目标识符 | http://119.78.100.204/handle/2XEOYT63/8417 |
| 专题 | 中国科学院计算技术研究所期刊论文_英文 |
| 通讯作者 | Yao, Danfeng (Daphne) |
| 作者单位 | 1.Virginia Tech, Dept Comp Sci, Blacksburg, VA USA 2.Chinese Acad Sci, Inst Comp Technol, Beijing, Peoples R China |
| 推荐引用方式 GB/T 7714 | Zhang, Hao,Yao, Danfeng ,Rarnakrishnan, Naren,et al. Causality reasoning about network events for detecting stealthy malware activities[J]. COMPUTERS & SECURITY,2016,58:180-198. |
| APA | Zhang, Hao,Yao, Danfeng ,Rarnakrishnan, Naren,&Zhang, Zhibin.(2016).Causality reasoning about network events for detecting stealthy malware activities.COMPUTERS & SECURITY,58,180-198. |
| MLA | Zhang, Hao,et al."Causality reasoning about network events for detecting stealthy malware activities".COMPUTERS & SECURITY 58(2016):180-198. |
| 条目包含的文件 | 条目无相关文件。 | |||||
除非特别说明,本系统中所有内容都受版权保护,并保留所有权利。
修改评论