BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection
- G. Gu, R. Perdisci, Junjie Zhang, Wenke Lee
- Computer Science, USENIX Security Symposium
- 28 July 2008
This paper presents a general botnet detection framework that is independent of the C&C protocol and structure and requires no a priori knowledge of the botnet, such as captured bot binaries (and hence botnet signatures) or C&C server names and addresses.
A data mining framework for building intrusion detection models
- Wenke Lee, S. Stolfo, K. Mok
- Computer Science, Proceedings of the IEEE Symposium on Security…
- 14 May 1999
A data mining framework for adaptively building intrusion detection (ID) models is described: auditing programs extract an extensive set of features describing each network connection or host session, and data mining programs then learn rules that accurately capture the behaviour of both intrusions and normal activity.
Ether: malware analysis via hardware virtualization extensions
- Artem Dinaburg, P. Royal, Monirul I. Sharif, Wenke Lee
- Computer Science, Conference on Computer and Communications…
- 27 October 2008
Ether, a transparent and external approach to malware analysis, is proposed, which is motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware.
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
- G. Gu, Junjie Zhang, Wenke Lee
- Computer Science, Network and Distributed System Security Symposium
- 2008
This paper proposes an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses, and shows that BotSniffer detects real-world botnets with high accuracy and a very low false positive rate.
BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation
- G. Gu, Phillip A. Porras, V. Yegneswaran, Martin W. Fong, Wenke Lee
- Computer Science, USENIX Security Symposium
- 6 August 2007
A new kind of network perimeter monitoring strategy is presented, which focuses on recognizing the infection and coordination dialog that occurs during a successful malware infection; the strategy is contrasted with other intrusion detection and alert correlation methods.
CHEX: statically vetting Android apps for component hijacking vulnerabilities
- Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, G. Jiang
- Computer Science, Conference on Computer and Communications…
- 16 October 2012
This paper proposes CHEX, a static analysis method that automatically vets Android apps for component hijacking vulnerabilities; CHEX is prototyped on Dalysis, a generic static analysis framework built to support many types of analysis on Android app bytecode.
A framework for constructing features and models for intrusion detection systems
A novel framework, MADAM ID (Mining Audit Data for Automated Models for Intrusion Detection), is presented, which uses data mining algorithms to compute activity patterns from system audit data and extracts predictive features from those patterns.
From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware
- M. Antonakakis, R. Perdisci, D. Dagon
- Computer Science, USENIX Security Symposium
- 8 August 2012
A new technique to detect randomly generated domains without reverse-engineering the malware is presented, based on two observations: most of the DGA-generated domains that a bot queries result in Non-Existent Domain (NXDomain) responses, and bots from the same botnet (running the same DGA) generate similar NXDomain traffic.
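To make the two observations concrete, the following is an added illustration, not code from Antonakakis et al. or their system: it groups clients by the statistical shape of the names behind their NXDomain responses. The resolver log format, the client addresses, the label features (length, character entropy, digit ratio) and the thresholds are all constructed assumptions for the example, not values taken from the paper.

```python
"""Group resolver clients by the shape of the names they fail to resolve.

Added illustration (not code from the paper): DGA-infected hosts produce
many NXDomain responses whose names share lexical features, so clients
whose NXDomain name features are close can be clustered together. The log
format, addresses and thresholds are constructed for this example.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log, one "<client> <qname> <rcode>" record per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 xk3jd9qpa.net NXDOMAIN
10.0.0.5 7fq2zpl0wd.net NXDOMAIN
10.0.0.5 a9s8d7f6gh.net NXDOMAIN
10.0.0.5 qwe8rt7yu.net NXDOMAIN
10.0.0.7 mail.example.org NOERROR
10.0.0.7 wwww.examplee.com NXDOMAIN
10.0.0.7 gogle.com NXDOMAIN
10.0.0.7 facebok.com NXDOMAIN
10.0.0.9 p0o9i8u7y6.net NXDOMAIN
10.0.0.9 m3n4b5v6c7.net NXDOMAIN
10.0.0.9 l1k2j3h4g5.net NXDOMAIN
10.0.0.9 z9x8c7v6b5.net NXDOMAIN
"""


def parse_log(text):
    """Return (client, qname, rcode) tuples from the constructed log format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1].lower().rstrip("."), parts[2]))
    return records


def shannon_entropy(s):
    """Character-level Shannon entropy of s, in bits."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def name_features(qname):
    """Lexical features of the second-level label (assumed feature set)."""
    labels = qname.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    digits = sum(ch.isdigit() for ch in sld)
    return (len(sld), shannon_entropy(sld), digits / len(sld))


def client_profiles(records, min_nx=3):
    """Mean feature vector over each client's NXDomain names; clients with
    fewer than min_nx failures are treated as throw-away noise and dropped."""
    nx_names = defaultdict(list)
    for client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            nx_names[client].append(qname)
    profiles = {}
    for client, names in nx_names.items():
        if len(names) < min_nx:
            continue
        feats = [name_features(q) for q in names]
        profiles[client] = tuple(sum(col) / len(feats) for col in zip(*feats))
    return profiles


def cluster_clients(profiles, max_dist=1.0):
    """Greedy grouping: a client joins the first cluster that has a member
    within max_dist (Euclidean) of its profile, else starts a new cluster."""
    clusters = []
    for client, vec in sorted(profiles.items()):
        for cl in clusters:
            if any(math.dist(vec, profiles[o]) <= max_dist for o in cl):
                cl.add(client)
                break
        else:
            clusters.append({client})
    return clusters


def dga_like_clusters(profiles, clusters, min_entropy=3.0):
    """Keep clusters whose mean label entropy is high: names that look
    machine-generated rather than mistyped (threshold is an assumption)."""
    out = []
    for cl in clusters:
        mean_ent = sum(profiles[c][1] for c in cl) / len(cl)
        if mean_ent >= min_entropy:
            out.append(cl)
    return out


def analyse(text):
    """Run the pipeline; returns (profiles, clusters, flagged clusters)."""
    records = parse_log(text)
    profiles = client_profiles(records)
    clusters = cluster_clients(profiles)
    return profiles, clusters, dga_like_clusters(profiles, clusters)


if __name__ == "__main__":
    profiles, clusters, flagged = analyse(SAMPLE_LOG)
    for cl in clusters:
        print(sorted(cl), "DGA-like" if cl in flagged else "benign-looking")
```

On the sample log the two hosts querying random-looking labels land in one cluster and are flagged, while the host producing only typo-style failures forms its own low-entropy cluster. A production system would use far richer features, a proper clustering algorithm and many more than three failures per host; the point here is only that the NXDomain names themselves, not the (unreachable) C&C, carry the signal.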
Data Mining Approaches for Intrusion Detection
An agent-based architecture for intrusion detection systems where the learning agents continuously compute and provide the updated (detection) models to the detection agents is proposed.
Building a Dynamic Reputation System for DNS
- M. Antonakakis, R. Perdisci, D. Dagon, Wenke Lee, N. Feamster
- Computer Science, USENIX Security Symposium
- 11 August 2010
Notos, a dynamic reputation system for DNS, is proposed, based on the observation that malicious, agile use of DNS has unique characteristics and can be distinguished from legitimate, professionally provisioned DNS services.
...