Malware Pattern Scanning Schemes Secure Against Black-box Analysis

Filiol, Éric

doi:10.1007/s11416-006-0009-x

Cited by 70 publications

(56 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Their work presents a strong mathematical basis to define different types of behavior and is an extension of a previous work that was only able to handle sequences of bytes [8]. The limiting factor is that their new approach requires the malware's source code, which is sometimes difficult to obtain.…”

Section: Related Workmentioning

confidence: 99%

Pinpointing Malicious Activities through Network and System-Level Malware Execution Behavior

Grégio

Afonso

Filho

et al. 2012

Computational Science and Its Applications – ICCSA 2012

View full text Add to dashboard Cite

Abstract. Malicious programs pose a major threat to Internet-connected systems, increasing the importance of studying their behavior in order to fight against them. In this paper, we propose definitions to the different types of behavior that a program can present during its execution. Based on those definitions, we define suspicious behavior as the group of actions that change the state of a target system. We also propose a set of network and system-level dangerous activities that can be used to denote the malignity in suspicious behaviors, which were extracted from a large set of malware samples. In addition, we evaluate the malware samples according to their suspicious behavior. Moreover, we developed filters to translate from lower-level execution traces to the observed dangerous activities and evaluated them in the context of actual malware.

show abstract

Section: Related Workmentioning

confidence: 99%

Pinpointing Malicious Activities through Network and System-Level Malware Execution Behavior

Grégio

Afonso

Filho

et al. 2012

Computational Science and Its Applications – ICCSA 2012

View full text Add to dashboard Cite

show abstract

“…Filiol [26] address the problem that commercially available anti-viruses are not resistant against black-box analysis. He suggested generating multiple sub-signatures that are randomly selected from a longer signature.…”

Section: Related Work On Automatic Signature Generation (Asg)mentioning

confidence: 99%

“…Various techniques have been proposed to derive malware signatures automatically, including among others: vulnerability-based signatures [1]; payload-based signatures ( [7]; [19]); content sifting [17]; semantic-aware signatures [21]; The Amd algorithm [2]; Honeypot-based signatures ([8]; [15]; [18]), and polymorphic content-based signatures [14] [26]. These studies examine code by matching and analyzing the distribution of string patterns in communication packets; classifying unsuccessful connections; and modeling invariant code structures.…”

Section: Introductionmentioning

confidence: 99%

Auto-Sign: an automatic signature generator for high-speed malware filtering devices

Tahan¹,

Glezer²,

Elovici³

et al. 2009

J Comput Virol

View full text Add to dashboard Cite

This research proposes a novel automatic method (termed Auto-Sign) for extracting unique signatures of malware executables to be used by high-speed malware filtering devices based on deep-packet inspection and operating in real-time. Contrary to extant string and tokenbased signature generation methods, we implemented Auto-Sign an automatic signature generation method that can be used on large-size malware by disregarding signature candidates which appear in benign executables. Results from experimental evaluation of the proposed method suggest that picking a collection of executables which closely represents commonly used code, plays a key role in achieving highly specific signatures which yield low false positives.

show abstract

“…Additionally, it was found that above 15% of the files in the KaZaA network contained malicious code 2 . Thus, we assume that the percentage of malicious files in real life is about or less than 10%, but we also consider other possible percentages.…”

Section: Introductionmentioning

confidence: 99%

Unknown malcode detection and the imbalance problem

Moskovitch¹,

Stopel²,

Feher³

et al. 2009

J Comput Virol

View full text Add to dashboard Cite

Abstract. The recent growth in network usage has motivated the creation of new malicious code for various purposes. Today's signature-based antiviruses are very accurate for known malicious code, but can not detect new malicious code. Recently, classification algorithms were used successfully for the detection of unknown malicious code. But, these studies involved a test collection with a limited size and the same malicious: benign file ratio in both the training and test sets, a situation which does not reflect real-life conditions. We present a methodology for the detection of unknown malicious code, which examines concepts from text categorization, based on n-grams extraction from the binary code and feature selection. We performed an extensive evaluation, consisting of a test collection of more than 30,000 files, in which we investigated the class imbalance problem. In real-life scenarios, the malicious file content is expected to be low, about 10% of the total files. For practical purposes, it is unclear as to what the corresponding percentage in the training set should be. Our results indicate that greater than 95% accuracy can be achieved through the use of a training set that has a malicious file content of less than 33.3%.

show abstract

Malware Pattern Scanning Schemes Secure Against Black-box Analysis

Cited by 70 publications

References 17 publications

Pinpointing Malicious Activities through Network and System-Level Malware Execution Behavior

Pinpointing Malicious Activities through Network and System-Level Malware Execution Behavior

Auto-Sign: an automatic signature generator for high-speed malware filtering devices

Unknown malcode detection and the imbalance problem

Contact Info

Product

Resources

About