Discovery of Triggering Relations and Its Applications in Network Security and Android Malware Detection

dc.contributor.author: Zhang, Hao
dc.contributor.committeechair: Yao, Danfeng (Daphne)
dc.contributor.committeemember: North, Christopher L.
dc.contributor.committeemember: Ramakrishnan, Naren
dc.contributor.committeemember: Ou, Xinming
dc.contributor.committeemember: Lou, Wenjing
dc.contributor.department: Computer Science
dc.date.accessioned: 2015-11-30T16:07:33Z
dc.date.available: 2015-11-30T16:07:33Z
dc.date.issued: 2015-11-30
dc.description.abstract: An increasing variety of malware, including spyware, worms, and bots, threatens data confidentiality and system integrity on computing devices ranging from backend servers to mobile devices. To address these threats, which are exacerbated by dynamic network traffic patterns and growing traffic volumes, network security analysis techniques have been undergoing major changes to improve their accuracy and scalability. This dissertation addresses the problem of detecting network anomalies on a single device by inferring traffic dependence and verifying the root-triggers of network requests. In particular, we propose a dependence model that captures network traffic causality. This model depicts the triggering relation of network requests, and thus can be used to reason about the occurrences of network events and to pinpoint stealthy malware activities. The triggering relationships can be inferred by both rule-based and learning-based approaches. The rule-based approach consists of several heuristic algorithms built on domain knowledge. The learning-based approach discovers the triggering relationship using a pairwise comparison operation that converts requests into event pairs with comparable attributes. Machine learning classifiers predict the triggering relationship and further reason about the legitimacy of requests by enforcing their root-triggers. We apply our dependence model to the network traffic of a single host and of a mobile device. Evaluated with real-world malware samples and synthetic attacks, our findings confirm that the traffic dependence model provides a significant source of semantic and contextual information for detecting zero-day malicious applications. This dissertation also studies the usability of visualizing traffic causality for domain experts. We design and develop a tool with a visual locality property. It supports different levels of visual-based querying and reasoning required for the sensemaking process on complex network data. The significance of this dissertation research is that it provides deep insights into the dependencies among network requests and leverages structural and semantic information, allowing us to reason about network behaviors and detect stealthy anomalies.
dc.description.degree: Ph. D.
dc.format.medium: ETD
dc.identifier.other: vt_gsexam:6666
dc.identifier.uri: http://hdl.handle.net/10919/64246
dc.publisher: Virginia Tech
dc.rights: In Copyright
dc.rights.uri: http://rightsstatements.org/vocab/InC/1.0/
dc.subject: Network Security
dc.subject: Stealthy Malware
dc.subject: Anomaly Detection
dc.title: Discovery of Triggering Relations and Its Applications in Network Security and Android Malware Detection
dc.type: Dissertation
thesis.degree.discipline: Computer Science and Applications
thesis.degree.grantor: Virginia Polytechnic Institute and State University
thesis.degree.level: doctoral
thesis.degree.name: Ph. D.

Files

Original bundle
Name: Zhang_H_D_2015.pdf
Size: 4.19 MB
Format: Adobe Portable Document Format