Active learning to improve the detection of unknown computer worms activity

Robert Moskovitch; Nir Nissim; Roman Englert; Yuval Elovici

doi:10.1109/ICIF.2008.4632425

Active learning to improve the detection of unknown computer worms activity

Robert Moskovitch, Nir Nissim, Roman Englert, Yuval Elovici

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

4 Scopus citations

Abstract

Detecting unknown worms is a challenging task. We propose an innovative technique for detecting the presence of an unknown worm based on the computer measurements extracted from the operating system. We designed an experiment to test the new technique employing several computer configurations and background applications activity. During the experiments 323 computer features were monitored. Four feature selection measures were used to reduce the number of features. We applied support vector machines on the resulting feature subsets. In addition, we used active learning as a selective sampling method to increase the performance of the classifier and improve its robustness in noisy data. Our results indicate that using the proposed approach resulted in a mean accuracy in excess of 90%, and for specific unknown worms accuracy reached above 94%, using just 20 features while maintaining a low false positive rate.

Original language	English
Title of host publication	Proceedings of the 11th International Conference on Information Fusion, FUSION 2008
DOIs	https://doi.org/10.1109/ICIF.2008.4632425
State	Published - 1 Dec 2008
Event	11th International Conference on Information Fusion, FUSION 2008 - Cologne, Germany Duration: 30 Jun 2008 → 3 Jul 2008

Publication series

Name	Proceedings of the 11th International Conference on Information Fusion, FUSION 2008

Conference

Conference	11th International Conference on Information Fusion, FUSION 2008
Country/Territory	Germany
City	Cologne
Period	30/06/08 → 3/07/08

Keywords

Active learning
Classification
Malcode detection
Support vector machines

ASJC Scopus subject areas

Computational Theory and Mathematics
Computer Science Applications
Information Systems

Access to Document

10.1109/ICIF.2008.4632425

Cite this

Moskovitch, R., Nissim, N., Englert, R., & Elovici, Y. (2008). Active learning to improve the detection of unknown computer worms activity. In Proceedings of the 11th International Conference on Information Fusion, FUSION 2008 Article 4632425 (Proceedings of the 11th International Conference on Information Fusion, FUSION 2008). https://doi.org/10.1109/ICIF.2008.4632425

@inproceedings{9389179a8d8e4954b775e06dcbdea29e,

title = "Active learning to improve the detection of unknown computer worms activity",

abstract = "Detecting unknown worms is a challenging task. We propose an innovative technique for detecting the presence of an unknown worm based on the computer measurements extracted from the operating system. We designed an experiment to test the new technique employing several computer configurations and background applications activity. During the experiments 323 computer features were monitored. Four feature selection measures were used to reduce the number of features. We applied support vector machines on the resulting feature subsets. In addition, we used active learning as a selective sampling method to increase the performance of the classifier and improve its robustness in noisy data. Our results indicate that using the proposed approach resulted in a mean accuracy in excess of 90%, and for specific unknown worms accuracy reached above 94%, using just 20 features while maintaining a low false positive rate.",

keywords = "Active learning, Classification, Malcode detection, Support vector machines",

author = "Robert Moskovitch and Nir Nissim and Roman Englert and Yuval Elovici",

year = "2008",

month = dec,

day = "1",

doi = "10.1109/ICIF.2008.4632425",

language = "English",

isbn = "9783000248832",

series = "Proceedings of the 11th International Conference on Information Fusion, FUSION 2008",

booktitle = "Proceedings of the 11th International Conference on Information Fusion, FUSION 2008",

note = "11th International Conference on Information Fusion, FUSION 2008 ; Conference date: 30-06-2008 Through 03-07-2008",

}

Moskovitch, R , Nissim, N, Englert, R & Elovici, Y 2008, Active learning to improve the detection of unknown computer worms activity. in Proceedings of the 11th International Conference on Information Fusion, FUSION 2008., 4632425, Proceedings of the 11th International Conference on Information Fusion, FUSION 2008, 11th International Conference on Information Fusion, FUSION 2008, Cologne, Germany, 30/06/08. https://doi.org/10.1109/ICIF.2008.4632425

Active learning to improve the detection of unknown computer worms activity. / Moskovitch, Robert ; Nissim, Nir; Englert, Roman et al.
Proceedings of the 11th International Conference on Information Fusion, FUSION 2008. 2008. 4632425 (Proceedings of the 11th International Conference on Information Fusion, FUSION 2008).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Active learning to improve the detection of unknown computer worms activity

AU - Moskovitch, Robert

AU - Nissim, Nir

AU - Englert, Roman

AU - Elovici, Yuval

PY - 2008/12/1

Y1 - 2008/12/1

N2 - Detecting unknown worms is a challenging task. We propose an innovative technique for detecting the presence of an unknown worm based on the computer measurements extracted from the operating system. We designed an experiment to test the new technique employing several computer configurations and background applications activity. During the experiments 323 computer features were monitored. Four feature selection measures were used to reduce the number of features. We applied support vector machines on the resulting feature subsets. In addition, we used active learning as a selective sampling method to increase the performance of the classifier and improve its robustness in noisy data. Our results indicate that using the proposed approach resulted in a mean accuracy in excess of 90%, and for specific unknown worms accuracy reached above 94%, using just 20 features while maintaining a low false positive rate.

AB - Detecting unknown worms is a challenging task. We propose an innovative technique for detecting the presence of an unknown worm based on the computer measurements extracted from the operating system. We designed an experiment to test the new technique employing several computer configurations and background applications activity. During the experiments 323 computer features were monitored. Four feature selection measures were used to reduce the number of features. We applied support vector machines on the resulting feature subsets. In addition, we used active learning as a selective sampling method to increase the performance of the classifier and improve its robustness in noisy data. Our results indicate that using the proposed approach resulted in a mean accuracy in excess of 90%, and for specific unknown worms accuracy reached above 94%, using just 20 features while maintaining a low false positive rate.

KW - Active learning

KW - Classification

KW - Malcode detection

KW - Support vector machines

UR - http://www.scopus.com/inward/record.url?scp=56749167856&partnerID=8YFLogxK

U2 - 10.1109/ICIF.2008.4632425

DO - 10.1109/ICIF.2008.4632425

M3 - Conference contribution

AN - SCOPUS:56749167856

SN - 9783000248832

T3 - Proceedings of the 11th International Conference on Information Fusion, FUSION 2008

BT - Proceedings of the 11th International Conference on Information Fusion, FUSION 2008

T2 - 11th International Conference on Information Fusion, FUSION 2008

Y2 - 30 June 2008 through 3 July 2008

ER -

Active learning to improve the detection of unknown computer worms activity

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this