论文信息 - Combinatorial detection of malware by IAT discrimination

Combinatorial detection of malware by IAT discrimination

While most of the detection techniques used in modern antivirus software need frequent and constant update (engines and databases), modern malware attacks are processed and managed efficiently only a few hours after the malware outbreak. This situation is especially concerning when considering targeted attacks which usually strike targets of high criticity. The aim of this paper is to present a new technique which enabled to detect (binary executable) malware proactively without any prior update neither of the engine nor of the relevant databases. By considering a combinatorial approach that focuses on malware behavior by synthetizing the information contained in the Import Address Table, we have been able to detect unknown malware with a detection probability of 98 % while keeping the false positive rate close to 1 %. This technique has been implemented in the French Antivirus Software Initiative (DAVFI) and has been intensively tested on real cases confirming the detection performances.

Eric Filiol | Olivier Ferrand

[1] Andrew H. Sung,et al. Static analyzer of vicious executables (SAVE) , 2004, 20th Annual Computer Security Applications Conference.

[2] Mattia Monga,et al. Code Normalization for Self-Mutating Malware , 2007, IEEE Security & Privacy.

[3] Wenke Lee,et al. McBoost: Boosting Scalability in Malware Collection and Analysis Using Statistical Classification of Executables , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[4] Marius Gheorghescu. AN AUTOMATED VIRUS CLASSIFICATION SYSTEM , 2006 .

[5] Tommy Färnqvist. Number Theory Meets Cache Locality – Efficient Implementation of a Small Prime FFT for the GNU Multiple Precision Arithmetic Library , 2005 .

[6] Georg Wicherski,et al. peHash: A Novel Approach to Fast Malware Clustering , 2009, LEET.

[7] C. Colbourn,et al. Handbook of Combinatorial Designs , 2006 .

[8] Tzi-cker Chiueh,et al. Automatic Generation of String Signatures for Malware Detection , 2009, RAID.

[9] Daniel Bilar,et al. Opcodes as predictor for malware , 2007, Int. J. Electron. Secur. Digit. Forensics.

[10] Marcus A. Maloof,et al. Machine Learning and Data Mining for Computer Security , 2006 .