Weidong Cui
University of California, Berkeley
USA
Randy Katz
University of California, Berkeley
USA
Wai-tian Tan
Hewlett-Packard Laboratories
USA
An increasing variety of malware, such as worms, spyware and adware, threatens both personal and business computing. Remotely controlled bot networks of compromised systems are growing quickly. In this paper, we tackle the problem of automated detection of break-ins by unknown malware targeting personal computers. We observe that outbound network connections from a compromised personal computer can be classified into three categories: user intended, user unintended benign, and user unintended malicious (referred to as {\em extrusions}). We propose Break-IN DEtectoR (BINDER), a host-based system that detects break-ins by capturing such extrusions. To detect extrusions, we first assume that user intent is implied by user-driven input. BINDER infers user intent by correlating outbound network connections with user-driven input at the process level. BINDER then uses whitelisting to detect user unintended benign connections generated by system daemons. Thus BINDER can detect a large class of malware such as worms, spyware and adware that (1) run as background processes, (2) do not receive any user-driven input, and (3) make outbound network connections. We implemented a prototype of BINDER on Windows 2000/XP. This prototype demonstrates the feasibility and effectiveness of BINDER. We evaluated it on six computers used by different volunteers for their daily work over five weeks. Our limited user study indicates that BINDER limits the number of false alarms to at most five over four weeks on each computer, and the false positive rate is less than $0.03\%$. To evaluate BINDER's capability of detecting break-ins, we built a controlled testbed using the Click modular router and VMware Workstation. We tested BINDER with the Blaster worm and $22$ different email worms collected on a departmental email server over one week, and showed that BINDER successfully detects break-ins caused by all these worms. We also discuss techniques attackers could use to evade BINDER.
Keywords: Intrusion Detection, User Intent
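The core of the approach above, correlating each outbound connection with user-driven input to the same process and whitelisting system daemons, as an added illustration (not BINDER's own code): the input window, the whitelist contents and the event trace are all constructed for this example.

```python
from dataclasses import dataclass

# Seconds within which prior user input is taken to explain a connection
# from the same process. Assumed value for this example, not BINDER's setting.
INPUT_WINDOW = 10.0

# System daemons allowed to connect without user input (assumed entries).
DAEMON_WHITELIST = {"svchost.exe", "wuauclt.exe"}

@dataclass
class Event:
    time: float   # seconds since start of the trace
    kind: str     # "input" (keyboard/mouse delivered to the process) or "connect"
    pid: int
    image: str    # executable name owning the process
    dst: str = "" # destination "host:port" for connect events

def classify(events):
    """Label every outbound connection 'intended', 'benign' (whitelisted daemon)
    or 'extrusion' (no recent user input to the process, not whitelisted)."""
    last_input = {}   # pid -> time of the most recent user-driven input
    result = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "input":
            last_input[ev.pid] = ev.time
        elif ev.kind == "connect":
            t = last_input.get(ev.pid)
            if t is not None and 0 <= ev.time - t <= INPUT_WINDOW:
                result.append((ev, "intended"))
            elif ev.image in DAEMON_WHITELIST:
                result.append((ev, "benign"))
            else:
                result.append((ev, "extrusion"))
    return result

def extrusions(events):
    return [ev for ev, label in classify(events) if label == "extrusion"]

# Constructed sample trace (documentation addresses, made-up process names).
SAMPLE = [
    Event(0.0, "input", 100, "iexplore.exe"),
    Event(1.5, "connect", 100, "iexplore.exe", "192.0.2.80:80"),
    Event(2.0, "connect", 300, "svchost.exe", "198.51.100.5:445"),
    Event(5.0, "connect", 200, "worm.exe", "203.0.113.10:135"),
    Event(40.0, "connect", 100, "iexplore.exe", "192.0.2.81:80"),  # stale input
]

if __name__ == "__main__":
    for ev, label in classify(SAMPLE):
        print(f"{ev.time:5.1f}s pid={ev.pid} {ev.image} -> {ev.dst}: {label}")
```

The last event shows the false-alarm side of the trade-off: a browser connection long after the last input is flagged, which is why the window choice matters.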