A New Approach to Malware Detection

Altas

Security and Privacy Protection in Information Processing Systems

2013

Over the decades or so, Anti-Malware (AM) communities have been faced with a substantial increase in malware activity, including the development of ever-more-sophisticated methods of evading detection. Researchers have argued that an AM strategy which is successful in a given time period cannot work at a much later date due to the changes in malware design. Despite this argument, in this paper, we convincingly demonstrate a malware detection approach, which retains high accuracy over an extended time period. To the best of our knowledge, this work is the first to examine malware executables collected over a span of 10 years. By combining both static and dynamic features of malware and cleanware, and accumulating these features over intervals in the 10-year period in our test, we construct a high accuracy malware detection method which retains almost steady accuracy over the period. While the trend is a slight down, our results strongly support the hypothesis that perhaps it is possible to develop a malware detection strategy that can work well enough into the future.

Section: Introductionmentioning

confidence: 74%

Exploring Timeline-Based Malware Classification

Altas

Security and Privacy Protection in Information Processing Systems

2013

“…The work in [15,21,13,2,1,19,14,9] supports the argument that an anti-virus strategy which has been successful in a given time period will not work at a much later date; this, they argue, is due to changes in malware design which evolves with time and eventually becomes unrecognizable from the original form. Their work indicates that current techniques failed to find a distinctive pattern of malicious software which can be used to identify future malware with the level of accuracy required.…”

Section: Introductionmentioning

confidence: 83%

A Comparison of the Classification of Disparate Malware Collected in Different Time Periods

Islam¹,

Tian²,

Moonsamy

et al. 2012

JNW

It has been argued that an anti-virus strategy based on malware collected at a certain date, will not work at a later date because malware evolves rapidly and an anti-virus engine is then faced with a completely new type of executable not as amenable to detection as the first was.

In this paper, we test this idea by collecting two sets of malware, the first from 2002 to 2007, the second from 2009 to 2010 to determine how well the anti-virus strategy we developed based on the earlier set [18] will do on the later set. This anti-virus strategy integrates dynamic and static features extracted from the executables to classify malware by distinguishing between families. We also perform another test, to investigate the same idea whereby we accumulate all the malware executables in the old and new dataset, separately, and apply a malware versus cleanware classification.

The resulting classification accuracies are very close for both datasets, with a difference of approximately 5.4% for both experiments, the older malware being more accurately classified than the newer malware. This leads us to conjecture that current anti-virus strategies can indeed be modified to deal effectively with new malware.

“…As a result, interest continues to grow in methods to improve automatic signature extraction. Semantic approaches [4] [5], in addition to standard dynamic and execution behavior analysis [6] [7], now include methods such as control flow analysis [8] [9], behavior model checking [10] [11], executable graph mining [12] and formal semantic models of analysis [13]. The main problem with a semantic approach is that an infection must occur to produce anomalous behavior.…”

Section: Introductionmentioning

confidence: 99%

Exploring the Effects of Gap-Penalties in Sequence-Alignment Approach to Polymorphic Virus Detection

Naidu¹,

Whalley²,

Narayanan³

2017

JIS

Antiviral software systems (AVSs) have problems in identifying polymorphic variants of viruses without explicit signatures for such variants. Alignment-based techniques from bioinformatics may provide a novel way to generate signatures from consensuses found in polymorphic variant code. We demonstrate how multiple sequence alignment supplemented with gap penalties leads to viral code signatures that generalize successfully to previously known polymorphic variants of JS. Cassandra virus and previously unknown polymorphic variants of W32.CTX/W32.Cholera and W32.Kitti viruses. The implications are that future smart AVSs may be able to generate effective signatures automatically from actual viral code by varying gap penalties to cover for both known and unknown polymorphic variants.