Node Behavior Based Fast Malware Detection for Enterprise Networks

GLOBECOM (2010)

Abstract
Node behavior profiling is a promising tool in many aspects of network security, especially in malware detection. In this paper, based on node behavior profiles proposed in the literature, we propose a fast anomaly detection scheme using SPRT (Sequential Probability Ratio Test) for malware/worm detection. The key idea of this paper is that, instead of checking most of the nodes in a network, only a small number of sample nodes are required for detection with the help of SPRT. In our initial studies, we evaluate the fast detection scheme using real enterprise data (LBNL traces). The results show that the fast detection scheme achieves good performance in terms of low false positive and high detection rates.
Keywords
invasive software, network security, enterprise network, worm detection, sequential probability ratio test, malware detection, computer network security, anomaly detection scheme, node behavior profiling, probability, silicon, training data, internet, anomaly detection, correlation, false positive, security