  • DocumentCode
    3596074
  • Title

    Active learning to improve the detection of unknown computer worms activity

  • Author

    Moskovitch, Robert ; Nissim, Nir ; Englert, Roman ; Elovici, Yuval

  • Author_Institution
    Deutsche Telekom Labs., Ben Gurion Univ., Beer Sheva
  • fYear
    2008
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    Detecting unknown worms is a challenging task. We propose an innovative technique for detecting the presence of an unknown worm based on the computer measurements extracted from the operating system. We designed an experiment to test the new technique employing several computer configurations and background applications activity. During the experiments 323 computer features were monitored. Four feature selection measures were used to reduce the number of features. We applied support vector machines on the resulting feature subsets. In addition, we used active learning as a selective sampling method to increase the performance of the classifier and improve its robustness in noisy data. Our results indicate that using the proposed approach resulted in a mean accuracy in excess of 90%, and for specific unknown worms accuracy reached above 94%, using just 20 features while maintaining a low false positive rate.
  • Keywords
    computer viruses; invasive software; learning (artificial intelligence); operating systems (computers); sampling methods; support vector machines; active learning; computer worms activity; feature selection; operating system; selective sampling method; support vector machines; unknown worms detection; Active Learning; Classification; Malcode Detection; Support Vector Machines;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Fusion, 2008 11th International Conference on
  • Print_ISBN
    978-3-8007-3092-6
  • Electronic_ISBN
    978-3-00-024883-2
  • Type

    conf

  • Filename
    4632425