BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection
TLDR
This paper presents a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses).
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
TLDR
This paper proposes an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses, and shows that BotSniffer can detect real-world botnets with high accuracy and a very low false positive rate.
A data mining framework for building intrusion detection models
TLDR
A data mining framework for adaptively building Intrusion Detection (ID) models is described, to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities.
CHEX: statically vetting Android apps for component hijacking vulnerabilities
TLDR
This paper proposes CHEX, a static analysis method to automatically vet Android apps for component hijacking vulnerabilities, and prototypes CHEX on Dalysis, a generic static analysis framework built to support many types of analysis on Android app bytecode.
A framework for constructing features and models for intrusion detection systems
TLDR
A novel framework, MADAM ID (Mining Audit Data for Automated Models for Intrusion Detection), is presented, which uses data mining algorithms to compute activity patterns from system audit data and extracts predictive features from the patterns.
Ether: malware analysis via hardware virtualization extensions
TLDR
Ether, a transparent and external approach to malware analysis, is proposed, which is motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware.
From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware
TLDR
A new technique to detect randomly generated domains without reversing is presented, finding that most of the DGA-generated domains that a bot queries would result in Non-Existent Domain (NXDomain) responses, and that bots from the same botnet (with the same DGA algorithm) would generate similar NXDomain traffic.
Building a Dynamic Reputation System for DNS
TLDR
Notos, a dynamic reputation system for DNS, is proposed, based on the observation that malicious, agile use of DNS has unique characteristics and can be distinguished from legitimate, professionally provisioned DNS services.
Data Mining Approaches for Intrusion Detection
TLDR
An agent-based architecture for intrusion detection systems where the learning agents continuously compute and provide the updated (detection) models to the detection agents is proposed.
A cooperative intrusion detection system for ad hoc networks
TLDR
This paper investigates how to improve the anomaly detection approach to provide more details on attack types and sources and addresses the run-time resource constraint problem using a cluster-based detection scheme where periodically a node is elected as the ID agent for a cluster.