Table 3. Markov model detection performance with different transition matrices

                    P1      P2      P3
False negatives      0       0       0
False positives  33540    2540      13

learned transition matrix from normal traffic, P2 denotes the case of a manually manipulated transition matrix and P3 is the GA optimized transition matrix.)
3 Conclusions and Outlook
In this paper we give a short overview of three approaches to applying data mining techniques to polymorphic code detection. The main idea was to find the most promising candidates that can be trained automatically. We think that commercial detection mechanisms can only be successful if they are based on automatic training mechanisms and do not require human interaction. We analyzed the concepts of NNs, SOMs, and FMCs by implementing SNORT(TM) plugins or simple Matlab(TM) simulations, but always in combination with real network traffic.
The main difference between our approach and other solutions found in the literature is the exclusive use of payload information, without any additional information such as header fields.
In comparison, the NN-based approach showed very good results together with the greatest flexibility in detecting unknown shellcode. On the other hand, the Markov chain approach has the advantage of keeping the sequence information of the data. Our results can only be seen as a first glimpse of data mining techniques in malicious code detection. Clearly, the list of remaining tasks seems endless. A complexity-based comparison of the proposed mechanisms and the search for possible new candidates head the list.
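To illustrate how a payload-only Markov chain keeps the byte sequence information and how false negatives and false positives of the kind reported in Table 3 are counted, here is an added Python example; it is not code from the paper. It learns a first-order byte transition matrix from constructed normal traffic (the role of the learned matrix P1), scores payloads by mean log-likelihood and counts errors against a threshold; the HTTP samples, the anomalous byte run, the smoothing constant and the threshold are all assumptions, and the manually manipulated (P2) and GA-optimized (P3) matrices are not reproduced.

```python
import math

# Constructed normal traffic (not from the paper): a few plain HTTP messages
# playing the role of the "normal traffic" the transition matrix is learned from.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\n"
    b"user=alice&password=secret1",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Hello</body></html>",
]
# Constructed anomalous payload: a deterministic run of non-ASCII bytes that never
# occur in the training data, standing in for an unknown binary payload.
ANOMALOUS = bytes(0x80 + (i * 37) % 128 for i in range(64))

def learn_transition_matrix(samples, alpha=0.01):
    """Estimate a first-order Markov transition matrix P[a][b] over payload bytes.
    alpha is additive smoothing (an assumption) so that transitions never seen in
    normal traffic get a small non-zero probability instead of log(0)."""
    counts = [[0] * 256 for _ in range(256)]
    for data in samples:
        for a, b in zip(data, data[1:]):   # consecutive byte pairs keep sequence info
            counts[a][b] += 1
    matrix = []
    for row in counts:
        denom = sum(row) + 256 * alpha
        matrix.append([(c + alpha) / denom for c in row])
    return matrix

def score_payload(matrix, data):
    """Mean log-probability per byte transition under the model; the lower the
    score, the less the payload resembles the normal traffic it was trained on."""
    if len(data) < 2:
        return 0.0
    total = sum(math.log(matrix[a][b]) for a, b in zip(data, data[1:]))
    return total / (len(data) - 1)

def evaluate(matrix, normal, malicious, threshold):
    """Count detection errors for a threshold: a false negative is a malicious
    payload scoring at or above it (treated as normal), a false positive a normal
    payload scoring below it (flagged as anomalous)."""
    fn = sum(1 for d in malicious if score_payload(matrix, d) >= threshold)
    fp = sum(1 for d in normal if score_payload(matrix, d) < threshold)
    return {"false_negatives": fn, "false_positives": fp}

if __name__ == "__main__":
    model = learn_transition_matrix(NORMAL)
    for d in NORMAL:
        print(f"normal    {score_payload(model, d):7.3f}")
    print(f"anomalous {score_payload(model, ANOMALOUS):7.3f}")
    print(evaluate(model, NORMAL, [ANOMALOUS], threshold=-5.0))
```

With so little training data, a normal payload containing transitions absent from the training set would also score low, which is exactly the source of the false positives a learned matrix produces on real traffic.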