Check out the new USENIX Web site. next up previous
Next: Monitoring the Propagation of Up: Incorporation into Procmail Previous: Borderline Cases

Update Algorithms

This system will require updates periodically, and in the following section we detail the update algorithm. After a number of borderline cases have been received, it is necessary to generate a new detection model, and subsequently distribute updated models.

A new model is first generated by running the data mining algorithm on the new data set that contained the borderline cases along with their correct classification, and the previous data set. This model will then be distributed.

Updating the models is accomplished by distributing portions of the models that changed, and not the entire model. This is important because the detection models are large. In order to avoid constantly sending a large model to the filters, the administrator has the option of receiving this smaller file. Using the update algorithm, the older model can then be updated. The full model will also be available to provide additional options for the system administrator.

Efficient update of the model is possible because the underlying representation of the models is probabilistic. As is explained later, the model is a count of the number of times that each byte string appears in a malicious program versus the number of times that it appears in a benign program. An update model can then be easily summed with the older model to create a new model.

In future versions of MEF, the model will be made available for the system administrator on a public ftp site. If a system administrator subscribes to the mailing list then when a new model is made available, the system administrator will receive an email. The email will detail where the model is located, what version it is, and include a form of authentication. At the ftp site the model will be available to download as either an upgrade from a previous version, or as a full model. An archive of old models will also be kept on the ftp site.

There are also a host of options for automatically receiving the updates. One way to distribute the email is just to attach the update to the notification email. Then the administrator could update the model later without having to ftp it. In the future, a program included in the email filter could automatically poll the central server to see if a new model is available and then download it and update the current model. These last methods have not yet been implemented.


next up previous
Next: Monitoring the Propagation of Up: Incorporation into Procmail Previous: Borderline Cases
Matthew G. Schultz
2001-05-01