RevMatch: An efficient and robust decision model for collaborative malware detection

Fung, Carol; Lam, D. Y.; Boutaba, Raouf

doi:10.1109/noms.2014.6838251

Cited by 16 publications

(12 citation statements)

References 11 publications

(14 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The studies [48][49][50] utilized software and resource architecture using the model-based sequence, clustering algorithm, and the Bayesian information criterion by Lamba et al [48], while S. Young and Dahnert [49] used the Bayesian belief network to propose a DevEyes Framework that has the capability to identify potential user actions, and in work [50], Clark et al focused on the identification, characterization, and modeling of unintended USB channels. White and Panda's [51] proposed criticality score is based on the content sensitivity of the data item using SVM, the naive Bayes network is used to model the user's behavior information by the client, including the called process and its corresponding threads when the user is normally working [52], and a decision model called named RevMatch is proposed [53]. RevMatch made a decision based on the history of the labeled malware detection.…”

Section: Analyzed Behaviorsmentioning

confidence: 99%

A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations

et al. 2020

View full text Add to dashboard Cite

Insider threat has become a widely accepted issue and one of the major challenges in cybersecurity. This phenomenon indicates that threats require special detection systems, methods, and tools, which entail the ability to facilitate accurate and fast detection of a malicious insider. Several studies on insider threat detection and related areas in dealing with this issue have been proposed. Various studies aimed to deepen the conceptual understanding of insider threats. However, there are many limitations, such as a lack of real cases, biases in making conclusions, which are a major concern and remain unclear, and the lack of a study that surveys insider threats from many different perspectives and focuses on the theoretical, technical, and statistical aspects of insider threats. The survey aims to present a taxonomy of contemporary insider types, access, level, motivation, insider profiling, effect security property, and methods used by attackers to conduct attacks and a review of notable recent works on insider threat detection, which covers the analyzed behaviors, machine-learning techniques, dataset, detection methodology, and evaluation metrics. Several real cases of insider threats have been analyzed to provide statistical information about insiders. In addition, this survey highlights the challenges faced by other researchers and provides recommendations to minimize obstacles.

show abstract

Section: Analyzed Behaviorsmentioning

confidence: 99%

A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations

et al. 2020

View full text Add to dashboard Cite

show abstract

“…Whereas in our context, IDSs may not be involved in all intrusion detections and the collected responses may come each time from different groups of IDSs. In the work of RevMatch [4], a machine learning approach is used to make collaborative decision. However, this only works for a centralized collaboration model.…”

Section: Related Workmentioning

confidence: 99%

“…Although most IDSs adopt both technologies to have enhanced detection capability, their detection capability is limited by the amount of knowledge their security vendors have, such as the coverage of signature database. Research [4] shows that a single Antivirus vendor has very limited detection rate (up to 60% for newer malware) and collaborative detection can improve the detection rate significantly. Through collaboration, IDSs can utilize the expertise from various vendors to improve the coverage of known attacks.…”

Section: Introductionmentioning

confidence: 99%

FACID: A trust-based collaborative decision framework for intrusion detection networks

Fung

Zhu

2016

Ad Hoc Networks

Self Cite

View full text Add to dashboard Cite

Computer systems evolve to be more complex and vulnerable. Cyber attacks have also grown to be more sophisticated and harder to detect. Intrusion detection is the process of monitoring and identifying unauthorized system access or manipulation. It becomes increasingly difficult for a single intrusion detection system (IDS) to detect all attacks due to limited knowledge about attacks. Collaboration among intrusion detection devices can be used to gain higher detection accuracy and cost efficiency as compared to its traditional single host-based counterpart. Through cooperation, a local IDS can detect new attacks that may be known to other IDSs, which may be from different vendors. However, how to utilize the diagnosis from different IDSs to perform intrusion detection is the key challenge. This paper proposes a system architecture of a collaborative intrusion detection network (CIDN), in which trustworthy and efficient feedback aggregation is a key component. To achieve a reliable and trustworthy CIDN, we present a framework called FACID, which leverages data analytical models and hypothesis testing methods for efficient, distributed and sequential feedback aggregations. FACID provides an inherent trust evaluation mechanism and reduces communication overhead needed for IDSs as well as the computational resources and memory needed to achieve satisfactory feedback aggregation results when the number of collaborators of an IDS is large. Our simulation results corroborate our theoretical results and demonstrate the properties of cost efficiency and accuracy compared to other heuristic methods. The analytical result on the lower-bound of the average number of acquaintances for consultation is essential for the design and configuration of IDSs in a collaborative environment.

show abstract

“…To tackle the above-mentioned challenges, the computer security researchers have shifted to collaborative approaches [8], [12]- [14], whose main goal is to make different Anti-Virus (AV) tools collaborate and federate their efforts in order to increase the overall detection accuracy, and decrease the required time to feed the viral database with malware signatures. Indeed, collaboration allows, on one hand, to reduce the false positives that are produced when AV tools are not assisted by other sources confirming the alerts about a specific file.…”

Section: Introductionmentioning

confidence: 99%

MACoMal: A Multi-Agent Based Collaborative Mechanism for Anti-Malware Assistance

Belaoued¹,

Derhab

Mazouzi

et al. 2020

IEEE Access

View full text Add to dashboard Cite

Anti-malware tools remain the primary line of defense against malicious software. There is a wide variety of commercial anti-malware tools in the IT security market. However, no single tool is able to provide a full protection against the overwhelming number of daily released malware. Hence, collaboration among malware detection tools is of paramount importance. In this paper, we propose MACoMal, a multiagent based decision mechanism, which assists heterogeneous anti-malware tools to collaborate with each other in order to reach a consensual decision about the maliciousness of a suspicious file. MACoMal consists of two main elements: (1) an executable file identification model, and (2) a collaborative decision-making scheme. MACoMal is analyzed with respect to network connectivity and global decision correctness. By leveraging a multi-agent simulation tool and a set of real malware samples, we present a simulation methodology to assess its effectiveness and efficiency. Experimental results show that MACoMal is able to immunize a network against a malware threat within a time that ranges from a few seconds to a few minutes after the threat detection.

show abstract

RevMatch: An efficient and robust decision model for collaborative malware detection

Cited by 16 publications

References 11 publications

A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations

A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations

FACID: A trust-based collaborative decision framework for intrusion detection networks

MACoMal: A Multi-Agent Based Collaborative Mechanism for Anti-Malware Assistance

Contact Info

Product

Resources

About