Abstract

In this paper, we present a behavior-based approach to detecting Instant Messaging (IM) worm attacks. We extract characteristics of IM worm behavior by analyzing the mechanism of IM worm propagation, and we define corresponding characteristic functions whose values distinguish IM worm behavior from normal user behavior. Our approach works in two stages. In the first stage, the training stage, we learn the means and deviations of the characteristic functions from a profile. In the second stage, the detection stage, the simplified Mahalanobis distance is used to calculate the similarity of new data to the pre-computed profile. To make the detection mechanism insensitive to site and access pattern, a non-parametric Cumulative Sum (CUSUM) method is applied to this measure and generates an alert when the distance of the new input exceeds the allowable distance set by the algorithm. As a result, IM worms can be detected in a fully automatic and very efficient fashion. The evaluation results show that the detection mechanism has short detection latency and high detection accuracy.

Keywords: instant messaging worms; simplified Mahalanobis distance; non-parametric cumulative sum (CUSUM) method
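An added sketch of the two stages described in the abstract, not the authors' code: the three features, the sample windows, and the ALPHA, OFFSET and THRESHOLD values are constructed assumptions, and the distance uses the commonly cited form sum |x_i - mean_i| / (std_i + alpha), assumed to match the paper's.

```python
import statistics

# Constructed per-window feature vectors for one IM account. The three features
# (messages sent, distinct recipients, messages carrying a URL or file) are
# assumed stand-ins for the paper's characteristic functions.
NORMAL = [(12, 3, 1), (9, 2, 0), (15, 4, 1), (11, 3, 0),
          (13, 3, 1), (10, 2, 0), (14, 4, 1), (12, 3, 0)]
LIVE = [(11, 3, 0), (13, 3, 1), (20, 5, 1), (12, 3, 1),  # index 2: one busy window
        (30, 25, 25), (32, 28, 28), (35, 30, 30)]         # index 4+: sustained fan-out

ALPHA = 0.001     # smoothing term so a zero deviation cannot divide by zero (assumed)
OFFSET = 5.0      # CUSUM drift term: upper bound on the normal distance (assumed)
THRESHOLD = 10.0  # CUSUM alert level (assumed)


def train(profile):
    """Training stage: per-feature mean and standard deviation of normal windows."""
    columns = list(zip(*profile))
    means = [statistics.fmean(c) for c in columns]
    stds = [statistics.pstdev(c) for c in columns]
    return means, stds


def simplified_mahalanobis(x, means, stds, alpha=ALPHA):
    """Detection stage: sum over features of |x_i - mean_i| / (std_i + alpha)."""
    return sum(abs(v - m) / (s + alpha) for v, m, s in zip(x, means, stds))


def cusum_detect(distances, offset, threshold):
    """Non-parametric CUSUM: y_n = max(0, y_{n-1} + d_n - offset).

    Returns the index of the first window where y_n exceeds threshold, else None.
    """
    y = 0.0
    for n, d in enumerate(distances):
        y = max(0.0, y + d - offset)
        if y > threshold:
            return n
    return None


if __name__ == "__main__":
    means, stds = train(NORMAL)
    dists = [simplified_mahalanobis(x, means, stds) for x in LIVE]
    for n, d in enumerate(dists):
        print(f"window {n}: distance {d:.2f}")
    print("first alert at window:", cusum_detect(dists, OFFSET, THRESHOLD))
```

Window 2 alone exceeds OFFSET, but the cumulative sum decays back to zero in the next window; only the sustained deviation starting at window 4 crosses THRESHOLD.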
