Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/95150
Title: Detecting malicious computer use
Authors: Sultana, Steven (2013)
Keywords: Intrusion detection systems (Computer security)
Malware (Computer software)
TCP/IP (Computer network protocol)
Issue Date: 2013
Citation: Sultana, S. (2013). Detecting malicious computer use (Bachelor's dissertation).
Abstract: In today's world, many personal devices are continuously connected to the Internet. This carries risks with it, because malware (malicious software) can infect these devices with varying degrees of effects, from rendering the device useless to stealing personal data. It is desirable to have a generic system which can detect all types of malicious activity on personal devices. This project aims at researching and adapting Intrusion Detection Systems (IDSs) for personal devices. Two types of IDSs exist: signature-based and anomaly-based. Anomaly-based IDSs detect abnormal behaviour and assume it is malicious, while signature-based IDSs have a set of rules which model how known malware behaves. Since the final system needs to detect any kind of malware, anomaly-based systems are researched. The system also needs to work on different kinds of devices. One thing these devices have in common is that they are connected to the Internet, which means that network packets will be transferred to and from the devices. These packets can be analysed to detect any anomalies. The system that is adapted is called NET AD, created by Mahoney and Chan. NET AD assigns a score to every packet which indicates how anomalous it is compared to other packets. This work improves upon NET AD by considering TCP streams, which consist of a number of packets. If a majority of the packets in a stream is scored as anomalous, the stream is considered malicious. Using the TCP streams gives positive results. 70% of the malicious streams can be detected with the negative effect that 10% of the non-malicious streams also raise an alarm. Nevertheless, more tests need to be conducted in a live environment, or under conditions similar to a live environment to truly assess how well the new system performs.
Description: B.SC.(HONS)COMPUTER ENG.
URI: https://www.um.edu.mt/library/oar/handle/123456789/95150
Appears in Collections: Dissertations - FacICT - 2013
Dissertations - FacICTCCE - 1999-2013

Files in This Item:
File: BSC(HONS)ICT_Sultana, Steven_2013.PDF (Restricted Access; Size: 8.65 MB; Format: Adobe PDF)


Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.