With the growing popularity of attacks on the Internet and on networks built from constantly changing technology, network worms will become one of the greatest security threats to networked systems in the future. Through self-replication and dissemination, network worms can attack a computer's operating system or specific security bugs, thereby acquiring part or all of the computer's control. The most widespread solutions for protecting computer security, such as antivirus software, rely on basic information about known worms to prevent and detect network worm intrusion. As a result, when a new type of network worm appears on the Internet, the antivirus software updates its information only after an inevitable delay. With the world's information and networking growing so rapidly, a worm can cause enormous harm within that short time.

To make up for this delay in the common solutions to computer worms, machine learning theory has been used more and more widely in research to detect unknown malicious code. This approach establishes a classification model and generates decision rules from the known characteristics of malicious code in order to detect unknown computer worms. Such a proactive detection system avoids the delay in updating worm information, raises timely early warnings on the network, and greatly reduces the losses caused by malicious code.

Compared with common antivirus tools, we propose a new host-based approach for detecting unknown computer worms based on the measurement of computer behaviors, rather than on recognizing specific instances of worms. We collected 323 features in order to reflect the computer's behaviors and used a new feature selection method to reduce the set of classification features. In the experiment, a Bayesian Network classifier was applied to several feature subsets to derive the decision rules.

We performed several experiments to evaluate the detection system, focusing on computer worms being injected into the computer while several programs were running in order to simulate different background states. The average accuracy we achieved was above 82% for unknown worm samples and even above 98% for known worms.
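An added, runnable sketch of the approach the abstract describes (my own example, not the authors' code or feature set): constructed host-behaviour vectors for benign processes and two "known" worm families train a naive Bayes model after a simple feature-selection step, and the model is then scored on a held-out "unknown" family. The feature names, sample values and separability score are assumptions; the paper's 323 features and its selection method are not reproduced.

```python
import math
from statistics import mean, pvariance

# Constructed host-behaviour vectors (illustrative, not the paper's data). Columns:
# outbound connections/min, distinct destination hosts/min, self-copy file writes, CPU %.
FEATURES = ["conn_rate", "dst_hosts", "self_copies", "cpu_pct"]
BENIGN = [[2, 1, 0, 5], [4, 2, 0, 12], [1, 1, 0, 30], [3, 2, 0, 8], [5, 3, 0, 45], [2, 2, 0, 20]]
WORM_KNOWN = {"family_A": [[120, 90, 3, 40], [150, 110, 4, 55], [100, 80, 2, 35]],
              "family_B": [[80, 60, 1, 15], [95, 70, 2, 20], [70, 50, 1, 10]]}
# Held-out "unknown" family: three aggressive samples plus one slow, stealthy scanner.
WORM_UNKNOWN = [[200, 150, 5, 70], [60, 45, 1, 25], [130, 95, 2, 50], [8, 6, 1, 30]]

def select_features(benign, worms, k):
    """Keep the k features whose class means are furthest apart relative to the pooled
    spread (a simple separability score assumed here; not the paper's selection method)."""
    scores = []
    for j in range(len(FEATURES)):
        b, w = [x[j] for x in benign], [x[j] for x in worms]
        spread = math.sqrt(pvariance(b) + pvariance(w)) + 1e-9
        scores.append((abs(mean(w) - mean(b)) / spread, j))
    return sorted(j for _, j in sorted(scores, reverse=True)[:k])

class GaussianNB:
    """Minimal Gaussian naive Bayes over the selected feature columns."""
    def __init__(self, cols):
        self.cols, self.params, self.prior = cols, {}, {}
    def fit(self, data):  # data: {label: list of feature vectors}
        n = sum(len(rows) for rows in data.values())
        for label, rows in data.items():
            self.prior[label] = math.log(len(rows) / n)
            # +1.0 variance smoothing keeps constant features (all-zero benign self-copies) usable
            self.params[label] = [(mean([r[j] for r in rows]), pvariance([r[j] for r in rows]) + 1.0)
                                  for j in self.cols]
    def predict(self, x):
        best = None
        for label, params in self.params.items():
            lp = self.prior[label]
            for (mu, var), j in zip(params, self.cols):
                lp += -0.5 * math.log(2 * math.pi * var) - (x[j] - mu) ** 2 / (2 * var)
            if best is None or lp > best[0]:
                best = (lp, label)
        return best[1]

def evaluate(k=3):
    """Train on benign + known families; report accuracy on known data and on the held-out family."""
    known = [r for rows in WORM_KNOWN.values() for r in rows]
    cols = select_features(BENIGN, known, k)
    clf = GaussianNB(cols); clf.fit({"benign": BENIGN, "worm": known})
    acc = lambda pairs: sum(clf.predict(r) == y for r, y in pairs) / len(pairs)
    known_pairs = [(r, "benign") for r in BENIGN] + [(r, "worm") for r in known]
    return {"features": [FEATURES[j] for j in cols], "known_acc": acc(known_pairs),
            "unknown_acc": acc([(r, "worm") for r in WORM_UNKNOWN])}
```

The held-out family scores lower than the training data because the slow scanner sample looks benign on every selected feature, the same kind of known/unknown gap as the 98% versus 82% the abstract reports.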