
Anomaly-based Malware Detection System


The aim of this project is to use a measurement-based malware detection system to detect network anomalies through sensor networks. These measurements will support a comparative analysis of several methods used to detect network malware using Sun SPOT devices. The application of intelligent techniques to detecting network anomalies using sensor networks is an important aspect of this project.


- To detect anomalies in sensor network data using three different measurement approaches

- To assess the sources and types of network security threats

- To assess various ways in which network security could be improved through an Anomaly-based Malware Detection system

- To perform a comparative analysis of the approaches used

Definition of concepts

Anomaly-based Malware Detection system: this is a system designed to detect intrusions by harmful viruses, programs, worms or Trojans in a computer network. The system monitors the network in an attempt to detect the presence of, or attempts by, harmful malware intruding into the computer system.

Malware: this is a technical term used in computer science and information technology as a short form for malicious software. Such software is harmful: it disrupts or corrupts computer systems and operations, gathers sensitive information, or accesses sensitive information stored on private computers. Malware is transmitted through computer networks. The term malware encompasses all harmful programs, and different terms are used for particular kinds, such as worms, Trojan horses, spyware or viruses.

Brief description of the project (Anomaly-based intrusion detection system)

Anomaly-based Detection system using Sensor Networks

This project involves the use of wireless sensor nodes deployed in network systems to monitor and collect data on network transmission and intrusion by harmful malware. A wireless sensor network consists of small independent sensor nodes. These sensor nodes have the computing power and bandwidth to support network monitoring for malware attacks. The sensor network has source nodes that broadcast data concerning the network environment. The sensor nodes then compile the data collected concerning abnormal changes in the network and transmit it to base stations. In this way, using statistical anomaly detection, it is easier to detect the types of malware attacks on the network.

Data is collected from the sensor nodes and then transmitted to the base station. The base station serves as a controller, sending requests to the sensor nodes, which are then broadcast across the network. To achieve this network surveillance through data collection using sensor nodes, a device known as the Sun Small Programmable Object Technology (SPOT) is used. Sun SPOTs run Java directly on the device hardware and software, without the support of any operating system, which allows them to operate across networks. A Sun SPOT contains a network of sensors that help accelerate communication to specified spots on the network. The Sun SPOT device is equipped with sensor boards that have light emitting diodes and a radio for hardware and software communication. In this way, the Anomaly-based detection system, with the support of a Sun SPOT sensor network, can help relay abnormal changes in the network as well as malware attacks.

In an anomaly-based system, all activities that deviate from normal network operation and usage signify the presence of intrusions. Using the Sun SPOT devices, it is possible to collect data signals on the performance of the network. The data signals are then used to assess the presence of network intrusions at any given time and network location. The network sensor is attached to a digital or analogue converter that records and stores the data signals for analysis.
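As an added example (not part of the original proposal), the following Python sketch shows the measurement-based statistical check described above: a per-node baseline of mean and standard deviation is built from a period of known-normal readings, and later readings whose z-score exceeds a threshold are flagged as anomalies. The node names, the per-interval packet counts and the threshold are constructed assumptions, not values from the page.

```python
"""Measurement-based statistical anomaly detection over sensor-network readings.

Added example, not code from the original proposal. It assumes each sensor
node reports one numeric measurement per polling interval (here: packets
relayed to the base station) and that a period of known-normal traffic is
available to build the baseline. Node names and values are constructed.
"""
from statistics import mean, pstdev


def build_baseline(normal_readings):
    """Per-node (mean, standard deviation) from a known-normal period."""
    baseline = {}
    for node, values in normal_readings.items():
        baseline[node] = (mean(values), pstdev(values))
    return baseline


def zscore(value, mu, sd):
    """Standard score; a flat baseline (sd == 0) makes any change infinite."""
    if sd == 0.0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def detect_anomalies(baseline, observed, threshold=3.0):
    """Return (node, interval, value, z) for readings beyond the threshold."""
    alerts = []
    for node, values in observed.items():
        mu, sd = baseline[node]
        for interval, value in enumerate(values):
            z = zscore(value, mu, sd)
            if abs(z) > threshold:
                alerts.append((node, interval, value, round(z, 2)))
    return alerts


# Constructed sample data: packets relayed per 10-second polling interval.
NORMAL = {
    "spot-1": [20, 22, 19, 21, 20, 23, 18, 21, 20, 22],
    "spot-2": [30, 31, 29, 30, 32, 28, 30, 31, 29, 30],
}
OBSERVED = {
    "spot-1": [21, 20, 95, 22, 19],  # interval 2: burst far above baseline
    "spot-2": [30, 29, 31, 0, 30],   # interval 3: node went silent
}

if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(NORMAL), OBSERVED):
        print("anomaly:", alert)
```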


Malware, Anomaly-based detection system, attack traffic, Sun SPOT

Resources/software used

Sun's Small Programmable Object Technology (SPOT) devices, Java ME Squawk devices, analog-to-digital converter (the eDEMO board digitizes the sensor signals)


The increased use of information technology devices that rely on networks for communication has led to significant network security problems. A series of fraudulent attacks and intrusions by malicious programs on the networks of individuals and companies has emerged. The traditional methods of protecting computers on the internet through software encryption and firewalls are no longer effective. Wireless computer networks are also susceptible to physical attackers. Since traditional techniques for detecting network intrusion have been rendered ineffective in the modern age, new methods and techniques for protecting computer applications and networks are vital.

Therefore, the increased reliance on computer systems for data processing and information storage requires legitimate network security. This project seeks to assess the vulnerabilities and the mitigation efforts that could facilitate effective network security and enhance business operations without fear of malicious attacks on sensitive business information. Network security is a broad topic, but the focus here is on how network security could be enhanced in company offices through an Anomaly-based Malware Detection system.


As computer technology and networked systems continue to advance, there is a rising need for network security. Increased network usage has exposed the computer systems of many firms and individuals to attacks by malicious programs from the internet. There is a need for internet security that involves the identification, authentication, authorization and accountability of users and the authentication of computer hardware and network equipment. Ramadas, Ostermann and Tjaden (2003: 3450) are of the view that network security has to be designed in accordance with an organization's needs. Most business firms prefer little or no access to vital company documents through the internet except with an authorised code. As firms continue to spread business functions across the public network, there is a need for a secure and legitimate internet that guarantees that the information conveyed is not tampered with by the wide range of internet attacks. As such, the information technology manager needs to assess the right measures for protecting the business network infrastructure.

Literature Review

According to information technologists, network attacks are caused by intentional and unintentional intruders on the network (Lee & Xiang, 2001: 135). Malware is malicious software that includes intrusive code that interferes with other documents in the computer system. These malicious programs are sometimes referred to as worms, Trojans or viruses. A malware detector can detect these malicious programs before they lead to significant harm to the computer system. Anomaly detection is a term that refers to the process of finding patterns that do not conform to expected behaviour in computer operations (Sekar, Gupta, Frullo, Shanbhag, Tiwari, Yang and Zhou, 2002: 5). Detecting anomalies in computer networks has been a research subject for many years, and a number of techniques have been developed.

A key aspect of anomaly detection is assessing the nature of the input data. The increased presence of malware in the modern internet infrastructure indicates that most malware is intentionally created by hackers. Studies indicate that with anomaly detection techniques one is able to detect deviations from normal information transmission (Patcha & Park, 2007). Principal component analysis (PCA) was developed in 1933 and is used as a method of anomaly detection on networks. Other studies indicate that PCA is a strong anomaly detection technique compared to others (Sekar, Gupta, Frullo, Shanbhag, Tiwari, Yang and Zhou, 2002: 7). This is because PCA is sensitive to changes in network traffic and is efficient and accurate. Caulking, Lee and Wang (2005: 150) propose the use of data mining techniques in intrusion detection.

Outcome/product evaluation approach

  • A detailed report that includes the implementation details, a comparative analysis of the different approaches, and graphs showing both normal and anomalous data changes over the web.

  • Implementation of an intrusion detection system using statistical methods and techniques on Sun SPOT data.

  • An offline data collection system to query sensor network nodes and collect data at regular intervals.

  • A visualization system that is capable of displaying the collected data on a graph served over the web.

  • A measurement-based statistical analysis system to detect anomalies in the sensor network data collected by the host application server.

  • A visualization system for monitoring the sensor network data and the anomalies that occur during the simulation process.

  • Testing the different measurement-based approaches mentioned above by deploying Sun SPOTs in different environments once an initial model of the algorithm is functioning.

  • A PowerPoint presentation of the implemented project, given during the defence.

Project Plan

Literature Review and Background Study: 1st February 2015 to 20th February 2015

Feasibility Study: 24th February 2015 to 3rd March 2015

23rd March 2015 to 30th March 2015

Initial Prototyping: 31st March 2015 to 4th April 2015

Implementation and Design Refinements: 5th April 2015 to 16th April 2015

Testing and Data Collection: 17th April 2015 to 23rd April 2015

Report Preparation and Submission: 25th April 2015 to 28th April 2015

Tentative Defence Date: 15th May 2015


DeCapite, D. (2006). Self-Defending Networks: The Next Generation of Network Security. Cisco Systems, Inc.

Stoneburner, G., Goguen, A. and Feringa, A. (2002). Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of Standards and Technology.

Lee, W. and Xiang, D. (2001). Information-theoretic measures for anomaly detection. IEEE Symposium on Security and Privacy (Oakland, California, USA), pp. 130–143.

Mogollon, M. (2007). Cryptography and Security Services: Mechanisms and Applications. New York: Cybertech Publishing.

Masri, W. and Podgurski, A. (2005). Using dynamic information flow analysis to detect attacks against applications. In Proceedings of the 2005 Workshop on Software Engineering for Secure Systems: Building Trustworthy Applications, p. 30.

McGraw, G. and Morrisett, G. (2000). Attacking malicious code: A report to the InfoSec Research Council. IEEE Software, 17(5): 33–44.

Milenkovic, M., Milenkovic, A. and Jovanov, E. (2005). Using instruction block signatures to counter code injection attacks. ACM SIGARCH Computer Architecture News, 33: 108–117.

Mori, A., Izumida, T., Sawada, T. and Inoue, T. (2006). A tool for analyzing and detecting malicious mobile code. In Proceedings of the 28th International Conference on Software Engineering, pp. 831–834.

Noble, C. C. and Cook, D. J. (2003). Graph-based anomaly detection. In Proceedings of the 9th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM Press, pp. 631–636.

Odin, T. and Addison, D. (2000). Novelty detection using neural network technology. In Proceedings of the COMADEN Conference.

Otey, M., Parthasarathy, S., Ghoting, A., Li, G., Narravula, S. and Panda, D. (2003). Towards NIC-based intrusion detection. In Proceedings of the 9th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM Press, pp. 723–728.

Patcha, A. and Park, J.-M. (2007). An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer Networks, 51(12): 3448–3470.

Phuong, T. V., Hung, L. X., Cho, S. J., Lee, Y. and Lee, S. (2006). An anomaly detection algorithm for detecting attacks in wireless sensor networks. Intelligence and Security Informatics, LNCS 3975: 735–736.

Rabek, J., Khazan, R., Lewandowski, S. and Cunningham, R. (2003). Detection of injected, dynamically generated, and obfuscated malicious code. In Proceedings of the 2003 ACM Workshop on Rapid Malcode, pp. 76–82.

Ramadas, M., Ostermann, S. and Tjaden, B. C. (2003). Detecting anomalous network traffic with self-organizing maps. In Proceedings of the Conference on Recent Advances in Intrusion Detection, pp. 36–54.

Ramaswamy, S., Rastogi, R. and Shim, K. (2000). Efficient algorithms for mining outliers from large datasets. In Proceedings of the ACM SIGMOD International Conference on Management of Data. ACM Press, pp. 427–438.

Malik, S. (2002). Network Security Principles and Practices. Cisco Press, ISBN 1-58705-025-0.

Sekar, R., Gupta, A., Frullo, J., Shanbhag, T., Tiwari, A., Yang, H. and Zhou, S. (2002). Specification-based anomaly detection: A new approach for detecting network intrusions. ACM Computer and Communications Security Conference.

Simmonds, A., Sandilands, P. and van Ekert, L. (2004). Ontology for Network Security Attacks. Lecture Notes in Computer Science, 3285: 317–323.