

Detecting unknown computer worm activity via support vector machines and active learning
Authors: Nir Nissim, Robert Moskovitch, Lior Rokach, Yuval Elovici
Affiliation: 1. Department of Information Systems Engineering, Ben Gurion University of the Negev, P.O.B. 653, 84105, Beer-Sheva, Israel
2. Deutsche Telekom Laboratories, Ben Gurion University, Beer-Sheva, Israel
Abstract: To detect the presence of unknown worms, we propose a technique based on computer measurements extracted from the operating system. We designed a series of experiments to test the new technique by employing several computer configurations and background application activities. In the course of the experiments, 323 computer features were monitored. Four feature-ranking measures were used to reduce the number of features required for classification. We applied support vector machines to the resulting feature subsets. In addition, we used active learning as a selective sampling method to increase the performance of the classifier and improve its robustness in the presence of misleading instances in the data. Our results indicate a mean detection accuracy in excess of 90%, and an accuracy above 94% for specific unknown worms using just 20 features, while maintaining a low false-positive rate when the active learning approach is applied.
This article is indexed in SpringerLink and other databases.