BINDER: An Extrusion-based Break-In Detector for Personal Computers

Weidong Cui, Randy H. Katz and Wai-tian Tan

EECS Department
University of California, Berkeley
Technical Report No. UCB/CSD-04-1352
October 2004

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2004/CSD-04-1352.pdf

In this paper, we tackle the problem of automated detection of break-ins by new, unknown threats such as worms, spyware and adware on personal computers. We propose Break-IN DEtectoR (BINDER), a host-based system that detects break-ins by capturing extrusions: the stealthy, malicious outgoing network traffic these threats send. To capture extrusions, BINDER correlates outgoing network traffic and process information with user activity, a characteristic that distinguishes personal computers from server computers. Since threats tend to run as background processes and thus do not receive any user input, the intuition behind BINDER is that only processes that receive user input are allowed to make connections. We implemented a prototype of BINDER on Windows 2000/XP and evaluated it on 6 computers used by different individuals for their daily work over 5 weeks. Our results show that BINDER limits the number of false alarms to at most 5 over 4 weeks on each computer and the false positive rate to less than 0.03%. We also used both real-world and controlled environments to demonstrate BINDER's capability for detecting break-ins. We show that BINDER successfully detects all break-ins caused by three adware programs and four email worms.
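The following is an added illustration of the detection intuition described in the abstract, written for this page; it is not the authors' BINDER implementation. It replays a constructed host trace of process-start, user-input and outgoing-connection events and flags a connection as an extrusion when the connecting process has not received user input. Two details are assumptions not stated in the abstract: a time window (INPUT_WINDOW_S) after which user input no longer authorizes a process, and inheritance of a parent's recent input by a child it launches (NEW_PROCESS_WINDOW_S), so that a program the user double-clicks is not flagged while a child spawned by a background process still is.

```python
"""Toy extrusion detector illustrating the BINDER intuition.

Added example, not the paper's code. Events are replayed in time order;
a connection is an extrusion unless the process (or, by assumption, the
parent that just launched it) received user input within a window.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumptions (not from the abstract): how long user input authorizes a
# process, and how soon after a parent's input a child must start to inherit it.
INPUT_WINDOW_S = 30.0
NEW_PROCESS_WINDOW_S = 5.0


@dataclass(frozen=True)
class Event:
    time: float
    kind: str                 # "start", "input" or "connect"
    pid: int
    ppid: Optional[int] = None   # parent pid, for "start" events
    dst: Optional[str] = None    # destination, for "connect" events


# Constructed trace (not measured data). Times are seconds since boot.
TRACE = [
    Event(0.0, "start", 100),                       # desktop shell, no tracked parent
    Event(1.0, "input", 100),                       # user clicks in the shell
    Event(1.5, "start", 200, ppid=100),             # shell launches a browser
    Event(1.6, "start", 400, ppid=100),             # shell launches a mail client
    Event(2.0, "input", 200),                       # user types a URL
    Event(2.4, "connect", 200, dst="198.51.100.10:80"),   # browser fetch: allowed
    Event(2.8, "connect", 400, dst="198.51.100.12:143"),  # mail client: allowed via inheritance
    Event(3.0, "start", 300),                       # background process, never gets input
    Event(3.5, "connect", 300, dst="203.0.113.5:25"),     # SMTP from a no-input process: extrusion
    Event(4.0, "start", 301, ppid=300),             # child of the background process
    Event(4.5, "connect", 301, dst="203.0.113.5:25"),     # inheritance does not launder it: extrusion
    Event(120.0, "connect", 200, dst="198.51.100.11:443"),  # browser auto-refresh long after input
]


def detect_extrusions(trace: List[Event],
                      input_window: float = INPUT_WINDOW_S,
                      new_proc_window: float = NEW_PROCESS_WINDOW_S
                      ) -> List[Tuple[float, int, str]]:
    """Return (time, pid, destination) for every connection judged an extrusion."""
    last_input = {}   # pid -> time of the most recent user input credited to it
    alerts = []
    for ev in sorted(trace, key=lambda e: e.time):
        if ev.kind == "start":
            # Assumed rule: a child started shortly after its parent received
            # input is credited with that input (the user launched it).
            if ev.ppid in last_input and 0.0 <= ev.time - last_input[ev.ppid] <= new_proc_window:
                last_input[ev.pid] = last_input[ev.ppid]
        elif ev.kind == "input":
            last_input[ev.pid] = ev.time
        elif ev.kind == "connect":
            t_in = last_input.get(ev.pid)
            # No user input, or input too long ago: treat the connection as an extrusion.
            if t_in is None or ev.time - t_in > input_window:
                alerts.append((ev.time, ev.pid, ev.dst))
    return alerts


if __name__ == "__main__":
    for t, pid, dst in detect_extrusions(TRACE):
        print(f"t={t:6.1f}s  pid={pid}  extrusion to {dst}")
```

The last alert in the trace (the browser connecting 118 seconds after its last keystroke) is the kind of false alarm the window trades against detection latency: widening INPUT_WINDOW_S to cover it also lengthens the time a compromised interactive process could send traffic unnoticed.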


BibTeX citation:

@techreport{Cui:CSD-04-1352,
    Author = {Cui, Weidong and Katz, Randy H. and Tan, Wai-tian},
    Title = {BINDER: An Extrusion-based Break-In Detector for Personal Computers},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2004},
    Month = {Oct},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2004/6502.html},
    Number = {UCB/CSD-04-1352},
    Abstract = {In this paper, we tackle the problem of automated detection of break-ins of new unknown threats such as worms, spyware and adware on personal computers. We propose Break-IN DEtectoR (BINDER), a host-based system that detects break-ins by capturing extrusions, stealthy malicious outgoing network traffic sent by them. To capture extrusions, BINDER correlates outgoing network traffic and process information with user activity. This is a unique characteristic of personal computers in contrast to server computers. Since threats tend to run as background processes and thus do not receive any user input, the intuition behind BINDER is that only processes that receive user input are allowed to make connections. We implemented a prototype of BINDER on Windows 2000/XP and evaluated it on 6 computers used by different individuals for their daily work over 5 weeks. Our results show that BINDER can limit the number of false alarms to at most 5 over 4 weeks on each computer and the false positive rate to less than 0.03%.  We also used both real-world and controlled environment to demonstrate BINDER's capability for detecting break-ins. We show that BINDER successfully detects all break-ins caused by three adware and four email worms.}
}

EndNote citation:

%0 Report
%A Cui, Weidong
%A Katz, Randy H.
%A Tan, Wai-tian
%T BINDER: An Extrusion-based Break-In Detector for Personal Computers
%I EECS Department, University of California, Berkeley
%D 2004
%@ UCB/CSD-04-1352
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2004/6502.html
%F Cui:CSD-04-1352