In this paper, we tackle the problem of automated detection of break-ins of new unknown threats such as worms, spyware and adware on personal computers. We propose Break-IN DEtectoR (BINDER), a host-based system that detects break-ins by capturing extrusions, stealthy malicious outgoing network traffic sent by them. To capture extrusions, BINDER correlates outgoing network traffic and process information with user activity. This is a unique characteristic of personal computers in contrast to server computers. Since threats tend to run as background processes and thus do not receive any user input, the intuition behind BINDER is that only processes that receive user input are allowed to make connections. We implemented a prototype of BINDER on Windows 2000/XP and evaluated it on 6 computers used by different individuals for their daily work over 5 weeks. Our results show that BINDER can limit the number of false alarms to at most 5 over 4 weeks on each computer and the false positive rate to less than 0.03%. We also used both real-world and controlled environment to demonstrate BINDER's capability for detecting break-ins. We show that BINDER successfully detects all break-ins caused by three adware and four email worms.




Download Full History