MAUI Project

Keio University, Graduate School of Media and Governance
MAUI Project
Ph.D. Dissertation

[ English | mizutani.html">Japanese ]
Back to Index Page

ACADEMIC YEAR 2010

NAME MIZUTANI, Masayoshi

TITLE Behavior-based Network Incident Detection with Analyzing Malware Infection Case

ABSTRACT
This research achieved a new high accuracy network security monitoring system, named ROOK, designed with usability and effectiveness in mind. The system is able to detect malware activities on a network with over 98% accuracy and an effective countermeasure against wily malware is established.
Malware authors and users have strong economic incentives to improve their ability to target users' information assets. They continuously update their malware, making it hard to create effective counter measures. Moreover they create many variants of malware and use complicated communication pattern to evade from network security monitoring.
In this research, a new network security monitoring system was implemented for gaining an overview of malware behavior and analyzing sensitive correlations of malware communications. During our collection and analysis of malware, it became clear that malware have some common activities and behavior. ROOK is able to detect security incidents by abstraction of these malware common activities and can be adapted to not only many variants of malware but also those using communication models by updating a simple rule set.
The system tries to detect two types of malware: 1) sending exploit codes to network services provided on target hosts, 2) infection when target hosts open web sites with exploit code. In the result, the system succeeded in detecting both type of malware with over 98% accuracy using only four rules, while existing IDS detected only 73.91% using a rule set of over 3,000 rules. The research established a method of countermeasure against frequently-occurring malware variants and the method minimizes damage by malware. The method will reduce cyber-criminal infrastructure and a consequent reduction of risk on the Internet is expected.
Keyword: 1. Internet. 2. Information Security. 3. Malware. 4. Intrusion Detection.

CONTACT The thesis is available online. Please contact to :
MIZUTANi, Masayoshi ( mizutani [at] sfc.wide.ad.jp )

MAUI Proejct
Last update:

Back to Project Home Page

ACADEMIC YEAR	2010
NAME	MIZUTANI, Masayoshi
TITLE	Behavior-based Network Incident Detection with Analyzing Malware Infection Case
ABSTRACT	This research achieved a new high accuracy network security monitoring system, named ROOK, designed with usability and effectiveness in mind. The system is able to detect malware activities on a network with over 98% accuracy and an effective countermeasure against wily malware is established. Malware authors and users have strong economic incentives to improve their ability to target users' information assets. They continuously update their malware, making it hard to create effective counter measures. Moreover they create many variants of malware and use complicated communication pattern to evade from network security monitoring. In this research, a new network security monitoring system was implemented for gaining an overview of malware behavior and analyzing sensitive correlations of malware communications. During our collection and analysis of malware, it became clear that malware have some common activities and behavior. ROOK is able to detect security incidents by abstraction of these malware common activities and can be adapted to not only many variants of malware but also those using communication models by updating a simple rule set. The system tries to detect two types of malware: 1) sending exploit codes to network services provided on target hosts, 2) infection when target hosts open web sites with exploit code. In the result, the system succeeded in detecting both type of malware with over 98% accuracy using only four rules, while existing IDS detected only 73.91% using a rule set of over 3,000 rules. The research established a method of countermeasure against frequently-occurring malware variants and the method minimizes damage by malware. The method will reduce cyber-criminal infrastructure and a consequent reduction of risk on the Internet is expected. Keyword: 1. Internet. 2. Information Security. 3. Malware. 4. Intrusion Detection.
CONTACT	The thesis is available online. Please contact to : MIZUTANi, Masayoshi ( mizutani [at] sfc.wide.ad.jp )

Keio University, Graduate School of Media and Governance MAUI Project Ph.D. Dissertation

Keio University, Graduate School of Media and Governance
MAUI Project
Ph.D. Dissertation