Publication


Featured research published by Ismahani Ismail.


signal-image technology and internet-based systems | 2010

Detecting Worms Using Data Mining Techniques: Learning in the Presence of Class Noise

Ismahani Ismail; Muhammad Nadzir Marsono; Sulaiman Mohd Nor

Worms are self-contained programs that spread over the Internet. Worms cause problems such as loss of information, information theft and denial-of-service attacks. The first part of the paper evaluates the detection of worms based on content classification by using all machine learning techniques available in WEKA data mining tools. The four most accurate and reasonably fast classifiers are identified for further analysis: Naive Bayes, J48, SMO and Winnow. Results show that classification using machine learning techniques could classify worms to 99% accuracy. From the accuracy perspective, J48 performs better than the other algorithms, while Naive Bayes and Winnow show the best performance in terms of speed. The second part of the paper analyzes the accuracy of these four classifiers in the presence of class noise in learning corpora. By injecting class noise ranging between 0% and 50% into positive and negative corpora, results from the simulation show a gradual decrease in accuracy and an increase in false positives and false negatives for all analyzed techniques. The presence of class noise affects false positives more significantly than false negatives. The results show that worm detection with classification algorithms could not tolerate the presence of class noise in learning corpora.


soft computing | 2014

Stateless malware packet detection by incorporating naive bayes with known malware signatures

Ismahani Ismail; Sulaiman Mohd Nor; Muhammad Nadzir Marsono

Malware detection done at the network infrastructure level is still an open research problem, considering the evolution of malware and the high detection accuracy needed to detect these threats. Content-based classification techniques have been proven capable of detecting malware without matching for malware signatures. However, the performance of the classification techniques depends on observed training samples. In this paper, a new detection method that incorporates Snort malware signatures into Naive Bayes model training is proposed. Through experimental work, we prove that the proposed work results in a low feature search space for effective detection at the packet level. This paper also demonstrates the viability of detecting malware at the stateless level (using packets) as well as at the stateful level (using TCP byte stream). The result shows that it is feasible to detect malware at the stateless level with similar accuracy to the stateful level, thus requiring minimal resources for implementation on middleboxes. Stateless detection can give better protection to end users by detecting malware on middleboxes without having to reconstruct stateful sessions and before malware reaches the end users.


international conference on communications | 2015

Cooperative learning for online in-network performance monitoring

S.B. Joseph; Hui Ru Loo; Ismahani Ismail; Muhammad Nadzir Marsono

Motivated by the principles of decentralized in-network management (INM) for future networks, we consider the issue of information exchange among network nodes to improve network performance and scalability. The INM concept gives autonomy to each network node to self-govern its behavior and participate in distributed management in collaboration with the nodes to analyze and manage network resources. However, to ensure this interaction, exchange of network information is imperative. In this paper, we propose a cooperative learning algorithm for propagation and synchronization of network information among network nodes for online traffic classification. The results show that network nodes with sharing capability perform better with a higher average accuracy of around 6% on both Cambridge and UNIBS datasets compared to nodes without cooperative learning capability.


asian simulation conference | 2017

Multi-stage Feature Selection for On-Line Flow Peer-to-Peer Traffic Identification

Bushra Mohammed Ali Abdalla; Haitham A. Jamil; Mosab Hamdan; Joseph Stephen Bassi; Ismahani Ismail; Muhammad Nadzir Marsono

Classification of bandwidth-heavy Internet traffic is important for network administrators to throttle heavy-bandwidth application traffic. Statistical methods have been previously proposed as a promising method to identify Internet traffic based on packet statistical features. The selection of statistical features still plays an important role for accurate and timely classification. In this work, we propose an approach based on feature selection methods and analytic methods (scatter, one-way analysis of variance) in order to provide optimal features for on-line P2P traffic detection. Feature selection algorithms and machine learning algorithms were implemented using the WEKA tool for available traces from University of Brescia, University of Aalborg and University of Cambridge. Experimental results show that the proposed method is able to achieve up to 99.5% accuracy with just six on-line statistical features. These results perform better than other existing approaches in terms of accuracy and the number of features.


IOP Conference Series: Materials Science and Engineering | 2017

Cooperative Learning for Distributed In-Network Traffic Classification

S.B. Joseph; Hui Ru Loo; Ismahani Ismail; Trias Andromeda; Muhammad Nadzir Marsono

Inspired by the concept of autonomic distributed/decentralized network management schemes, we consider the issue of information exchange among distributed network nodes to improve network performance and promote scalability for in-network monitoring. In this paper, we propose a cooperative learning algorithm for propagation and synchronization of network information among autonomic distributed network nodes for online traffic classification. The results show that network nodes with sharing capability perform better with a higher average accuracy of 89.21% (sharing data) and 88.37% (sharing clusters) compared to 88.06% for nodes without cooperative learning capability. The overall performance indicates that cooperative learning is promising for distributed in-network traffic classification.


Networks | 2015

Incorporating known malware signatures to classify new malware variants in network traffic

Ismahani Ismail; Muhammad Nadzir Marsono; Ban Mohammed Khammas; Sulaiman Mohd Nor

Content-based malware classification techniques using n-gram features require high computational overhead because of the size of the feature space. This paper proposes the augmentation of domain knowledge in the form of known Snort malware signatures to machine learning techniques to reduce resources (in terms of the time to generate the machine learning model and the memory usage to store the generative model). Although current malware can be encrypted or mutated, these malware still exhibit prevalent contents or payloads as their predecessors. Using a dataset of traffic captured from a campus network, our approach is able to reduce initial generated million n-gram features to only around 90000 features, which significantly reduces the processing time to generate the naive Bayes model by 95%. The generated model that has been trained by the most descriptive features (4-gram Snort signatures with high information gain) produces lower false negatives, about 2% compared with other models. Moreover, the proposed method is capable of detecting 10 new malware variants with 0% false negatives. The findings from this paper can be the basis for improving malware classification based on content classification to detect known and new malware.


International Journal of Information and Computer Security | 2014

Malware detection using augmented naive Bayes with domain knowledge and under presence of class noise

Ismahani Ismail; Muhammad Nadzir Marsono; Sulaiman Mohd Nor

Malicious software (malware) attacks on the internet are on the rise in frequency and sophistication. Malware detection based on its content can detect malware more accurately because it relies on screening the payload for known malware signatures. New malware variants still exhibit prevalent contents that can be detected by looking at fixed substrings, especially when using n-grams and machine learning techniques. This paper focuses on detecting malware based on a content classification technique that is augmented with domain knowledge (Snort signatures) to abridge the feature set and improve detection accuracy. Using a 15-day dataset, the generated naive Bayes model with domain knowledge using the most descriptive 91,127 features shows the lowest false negative rate (around 2%). However, the presence of class noise has a significant impact on the results, even for machine learning techniques augmented with domain knowledge.


international conference on communications | 1996

New protocol stack for multimedia communication

L. Wei; Ismahani Ismail

We propose a new protocol stack for multimedia data communications. It consists of the ST-II protocol at the network layer and a modified version of the XTP protocol called XTP-Lite at the transport layer. The specific features of the protocol stack are presented and the implementation in a SUN environment is introduced. Related performance measurements are also given to support the conclusions.


Jurnal Teknologi | 2015

FEATURE SELECTION AND MACHINE LEARNING CLASSIFICATION FOR MALWARE DETECTION

Ban Mohammed Khammas; Alireza Monemi; Joseph Stephen Bassi; Ismahani Ismail; Sulaiman Mohd Nor; Muhammad Nadzir Marsono


International Journal of Electrical and Computer Engineering | 2018

Impact of Packet Inter-Arrival Time Features for Online Peer-to-Peer (P2P) Classification

Bushra Mohammed Ali Abdalla; Mosab Hamdan; Mohammed Sultan Mohammed; Joseph Stephen Bassi; Ismahani Ismail; Muhammad Nadzir Marsono

Collaboration


Dive into Ismahani Ismail's collaboration.

Top Co-Authors

Sulaiman Mohd Nor

Universiti Teknologi Malaysia

Ban Mohammed Khammas

Universiti Teknologi Malaysia

Joseph Stephen Bassi

Universiti Teknologi Malaysia

Alireza Monemi

Universiti Teknologi Malaysia

Hui Ru Loo

Universiti Teknologi Malaysia

Mosab Hamdan

Universiti Teknologi Malaysia

S.B. Joseph

Universiti Teknologi Malaysia

Haitham A. Jamil

Universiti Teknologi Malaysia
