A toolkit for detecting and analyzing malicious software

Weber, Michael; Schmid, Markus; Schatz, M.; Geyer, Dirk

doi:10.1109/csac.2002.1176314

Cited by 26 publications

(16 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…At the semantically richer opcode level, Bilar [4] investigated and statistically compared opcode frequency distributions of malicious and non-malicious executables. Weber et al [54] start from the assumption that compiled binaries exhibit homogeneities with respect to several structural features such as instruction frequencies, instruction patterns, memory access, jumpcall distances, entropy metrics and byte-type probabilities and that tampering by malware would disturb these statistical homogeneities.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

On callgraphs and generative mechanisms

Bilar

2007

J Comput Virol

View full text Add to dashboard Cite

This paper examines the structural features of callgraphs. The sample consisted of 120 malicious and 280 non-malicious executables. Pareto models were fitted to indegree, outdegree and basic block count distribution, and a statistically significant difference shown for the derived power law exponent. A two-step optimization process involving human designers and code compilers is proposed to account for these structural features of executables.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Analysis of non-graph-based structural features of executables were undertaken by [4,30,54]. Li et al [30] used statistical 1-g analysis of binary byte values to generate a fingerprint (a 'fileprint') for file type identification and classification purposes.…”

Section: Related Workmentioning

confidence: 99%

On callgraphs and generative mechanisms

Bilar

2007

J Comput Virol

View full text Add to dashboard Cite

show abstract

“…"the malicious code detection" [15], and the approach to determine whether malicious code has been inserted [16] to our model, in other words, the information is not used during training the model.…”

Section: Related Workmentioning

confidence: 99%

“…Another research aims to use the Windows Portable Executable (PE) file to determine whether malicious code has been inserted into an application after compilation [16].…”

Section: Related Workmentioning

confidence: 99%

Research on detecting mechanism for Trojan horse based on PE file /

Pan¹

2009

View full text Add to dashboard Cite

As malicious programs, Trojan horses have become a huge threat to computer networks security. Trojan horses can easily cause loss, damage or even theft of data because they are usually disguised as something useful or desirable, and are always mistakenly activated by computer users, corporations and other organizations. Thus, it is important to adopt an effective and efficient method to detect the Trojan horses, and the exploration of a new method of detection is of greater significance.Scientists and experts have tried many approaches to detecting Trojan horses since they realized the harms of the programs. Up to now, these methods fall mainly into two categories [2]. The first category is to detect Trojan horses through checking the port of computers since the Trojan horses send out message through computer ports [2]. However, these methods can only detect the Trojan horses that are just working when detected. The second class is to detect Trojan horses by examining the signatures of files [2] [19], in the same way as people deal with computer virus. As new Trojan horses may contain unknown signatures, methods in this category may not be effective enough when new and unknown Trojan horses appear continuously, sending out unknown signatures that escape detection.For the above-mentioned reasons, without exception, there are limitations in the existing methods if the un-awakened and unknown Trojan horses are to be detected. This thesis proposes a new method that can detect un-awakened and unknown Trojan horses-the detection by using of a file's static characteristics. This thesis takes PE file format as the object of the research, because approximately 75% of personal computers worldwide are installed the Microsoft Windows [4], and that Trojan horses usually exist as a Portable Executable (PE) file in the Windows platform. Based on the (PE) file format, my research gets all the static information of each part of PE file which is characteristic of a file. Then, this static information is analyzed by the intelligent information processing techniques. Next, a detection model is established to estimate whether a PE file is a Trojan horse. This model can detect the unknown Trojan horses by analyzing static characteristics of a file. The information that is used to verify detecting model is new and unknown to the detecting model; in other words, the information is not used during the training of the model.The thesis is organized as follows. First, this thesis discusses the limitations of traditional detection techniques, related works of research, and a new method to detect Trojan horse based on file's static information. Second, the thesis focuses on the research of the Trojan horse detecting models, covering the extracting of the static information from PE file, choice of intelligent information processing techniques, and setting up the Trojan horse detecting model. Lastly, the thesis discusses the direction of future research in this field. ACKNOWLEDGEMENTS

show abstract

“…Analysis of non-graph-based structural features of executables were undertaken by [4,30,54]. Li et al [30] used statistical 1-gram analysis of binary byte values to generate a fingerprint (a 'fileprint') for file type identification and classification purposes.…”

Section: (F)mentioning

confidence: 99%