
Combinatorial detection of malware by IAT discrimination

Short Contribution
Journal of Computer Virology and Hacking Techniques

Abstract

While most of the detection techniques used in modern antivirus software need frequent and constant updates (of both engines and databases), modern malware attacks are processed and managed efficiently only a few hours after the malware outbreak. This situation is especially concerning for targeted attacks, which usually strike targets of high criticality. The aim of this paper is to present a new technique which enables (binary executable) malware to be detected proactively, without any prior update of either the engine or the relevant databases. By considering a combinatorial approach that focuses on malware behavior by synthesizing the information contained in the Import Address Table, we have been able to detect unknown malware with a detection probability of 98 % while keeping the false positive rate close to 1 %. This technique has been implemented in the French Antivirus Software Initiative (DAVFI) and has been intensively tested on real cases, confirming the detection performance.



Corresponding author

Correspondence to Eric Filiol.


Cite this article

Ferrand, O., Filiol, E. Combinatorial detection of malware by IAT discrimination. J Comput Virol Hack Tech 12, 131–136 (2016). https://doi.org/10.1007/s11416-015-0257-8
