A behavior based approach to virus detection

Fast-spreading unknown viruses have caused major damage to computer systems upon their initial release. Current detection methods have lacked the capability to detect unknown viruses quickly enough to avoid mass spreading and damage. This dissertation has presented a behavior-based approach to detecting known and unknown viruses based on their attempt to replicate. Replication is the qualifying fundamental characteristic of a virus and is consistently present in all viruses, which makes this approach applicable to viruses belonging to many classes and executing under several conditions. A form of replication called self-reference replication (SR-replication) has been formalized as one main type of replication, in which the virus replicates by modifying or creating other files on a system to include the virus itself. This replication type was used to detect viruses attempting replication by referencing themselves, which is a necessary step for successfully replicating into files. The approach does not require a priori knowledge about known viruses. Detection was accomplished at runtime by monitoring currently executing processes attempting to replicate. Two implementation prototypes of the detection approach, called SRRAT, were created and tested on Microsoft Windows operating systems, focusing on the tracking of user-mode Win32 API system calls and kernel-mode system services. The research results showed SR-replication capable of distinguishing between file-infecting viruses and benign processes with little or no false positives and false negatives.
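The following is an added illustration of the self-reference check the abstract describes, written here as a small monitor over a constructed Win32 API call trace; it is not the dissertation's SRRAT prototype, and the trace format (one record per hooked call, with a symbolic buffer id standing in for the buffer pointer), the field names and the path normalisation are all assumptions made for this example. A process is flagged only when it reads bytes from its own image file and then writes those same bytes into a different file; a plain copy of an unrelated file, or a process that reads its own image for an integrity check without writing it elsewhere, is left alone, which is the distinction the abstract reports as giving few false positives.

```python
"""Toy SR-replication monitor over a constructed Win32 API trace.

Added illustration only: it is not the dissertation's SRRAT prototype, and the
trace format, field names and normalisation are assumptions made here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ApiEvent:
    """One hooked call.  `image` is the executable the calling process was
    loaded from; `buf` is a symbolic id standing in for the buffer pointer."""
    pid: int
    image: str
    api: str            # CreateFile | ReadFile | WriteFile | CloseHandle
    handle: int
    path: str = ""      # CreateFile only
    buf: str = ""       # ReadFile / WriteFile only


@dataclass
class ProcessState:
    handles: Dict[int, str] = field(default_factory=dict)   # handle -> path
    self_buffers: Set[str] = field(default_factory=set)     # filled from own image


def norm(path: str) -> str:
    # Assumed, simplified normalisation: case-fold and unify separators.
    return path.replace("/", "\\").lower()


Alert = Tuple[int, str, str]   # (pid, own image, target written with own bytes)


def detect_sr_replication(trace: List[ApiEvent]) -> List[Alert]:
    """Flag a process that reads bytes from its own image file and writes
    those bytes into a different file: the self-reference step SR-replication
    relies on.  Reading one's own image alone (e.g. a self-integrity check)
    and ordinary copies of other files are not flagged."""
    procs: Dict[int, ProcessState] = {}
    alerts: List[Alert] = []
    for ev in trace:
        st = procs.setdefault(ev.pid, ProcessState())
        own = norm(ev.image)
        if ev.api == "CreateFile":
            st.handles[ev.handle] = norm(ev.path)
        elif ev.api == "ReadFile":
            if st.handles.get(ev.handle) == own:
                st.self_buffers.add(ev.buf)        # self-reference observed
        elif ev.api == "WriteFile":
            target = st.handles.get(ev.handle)
            if ev.buf in st.self_buffers and target and target != own:
                alert = (ev.pid, own, target)
                if alert not in alerts:
                    alerts.append(alert)
        elif ev.api == "CloseHandle":
            st.handles.pop(ev.handle, None)
    return alerts


# Constructed trace: one infector-like process, one file copy, one self-check.
CONSTRUCTED_TRACE = [
    # pid 1000 reads its own image and writes it into another executable
    ApiEvent(1000, r"C:\tmp\infector.exe", "CreateFile", 1, path=r"C:\tmp\infector.exe"),
    ApiEvent(1000, r"C:\tmp\infector.exe", "ReadFile", 1, buf="b1"),
    ApiEvent(1000, r"C:\tmp\infector.exe", "CreateFile", 2, path=r"C:\tmp\host.exe"),
    ApiEvent(1000, r"C:\tmp\infector.exe", "WriteFile", 2, buf="b1"),
    ApiEvent(1000, r"C:\tmp\infector.exe", "CloseHandle", 2),
    # pid 2000 copies an unrelated document: same call pattern, no self-reference
    ApiEvent(2000, r"C:\Windows\System32\xcopy.exe", "CreateFile", 1, path=r"C:\docs\a.txt"),
    ApiEvent(2000, r"C:\Windows\System32\xcopy.exe", "ReadFile", 1, buf="b1"),
    ApiEvent(2000, r"C:\Windows\System32\xcopy.exe", "CreateFile", 2, path=r"D:\backup\a.txt"),
    ApiEvent(2000, r"C:\Windows\System32\xcopy.exe", "WriteFile", 2, buf="b1"),
    # pid 3000 reads its own image (self-check) but writes a different buffer to a log
    ApiEvent(3000, r"C:\tools\check.exe", "CreateFile", 1, path=r"C:\tools\check.exe"),
    ApiEvent(3000, r"C:\tools\check.exe", "ReadFile", 1, buf="b1"),
    ApiEvent(3000, r"C:\tools\check.exe", "CreateFile", 2, path=r"C:\tools\check.log"),
    ApiEvent(3000, r"C:\tools\check.exe", "WriteFile", 2, buf="b2"),
]

if __name__ == "__main__":
    for pid, image, target in detect_sr_replication(CONSTRUCTED_TRACE):
        print(f"SR-replication: pid {pid} ({image}) wrote its own image into {target}")
```

Running the module reports only pid 1000. The buffer-tagging stands in for the data-flow tracking a real hook layer would need; a deployed monitor would also have to resolve path aliases (short names, symbolic links, memory-mapped sections) before comparing a handle's target with the process image, otherwise a self-reference through an alias would be missed.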
