Canzanese, Raymond (2011) Autonomic Malware Detection. Candidacy Exam. (Unpublished)
Abstract
The traditional approach to malware detection is primarily signature-based: a file is labeled as malicious if a subset of its content matches a signature in a database. This approach requires that malware first be discovered and analyzed before it can be detected. As a result, machines protected solely by a signature-based detector are vulnerable to previously undiscovered, zero-day malware, to polymorphic and metamorphic malware, and to modified versions of known malware. This paper explores three different solutions to the malware detection problem. The first solution treats the files located on a system as Markov processes of bytes. The detector works under the assumption that the entropy rate measurements for clean files are normally distributed, and any significant deviation from this distribution is flagged as potentially malicious. The second solution treats double words of data as binary features of an executable and trains four different malware detectors on these features. The third solution monitors the operating system calls made by each process running on a live system and builds a database of the observed system call sequences; software that exhibits system call sequences lying outside this database is labeled as potentially malicious. This paper provides an overview of each of the three approaches, an evaluation of their effectiveness, and a comparison of the performance of the three detectors on our own collection of malware and benign software.
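As an added illustration (not code from the paper or this record), the first approach sketched in the abstract in Python: each file is treated as a first-order Markov chain of bytes, its entropy rate is estimated from the observed byte-pair transitions, a normal baseline is fitted over clean files, and any file whose rate lies more than three standard deviations from that baseline is flagged. The sample corpus, the word list and the z-threshold are constructed assumptions, not the paper's data or parameters.

```python
import math
import random
from collections import Counter, defaultdict

def markov_entropy_rate(data: bytes) -> float:
    """Entropy rate (bits/byte) of data as a first-order Markov chain of bytes:
    H = sum_i pi(i) * H(next | current=i), estimated from observed byte pairs."""
    if len(data) < 2:
        return 0.0
    transitions = defaultdict(Counter)  # current byte -> Counter of next bytes
    for cur, nxt in zip(data, data[1:]):
        transitions[cur][nxt] += 1
    total_pairs = len(data) - 1
    rate = 0.0
    for successors in transitions.values():
        out = sum(successors.values())                     # visits to this state
        conditional = -sum((n / out) * math.log2(n / out) for n in successors.values())
        rate += (out / total_pairs) * conditional          # weight by state probability
    return rate

def fit_clean_baseline(clean_files):
    """Mean and sample std of entropy rates over clean files: the normal
    distribution the detector assumes benign content follows."""
    rates = [markov_entropy_rate(f) for f in clean_files]
    mean = sum(rates) / len(rates)
    var = sum((r - mean) ** 2 for r in rates) / (len(rates) - 1)
    return mean, math.sqrt(var)

def is_suspicious(data: bytes, mean: float, std: float, z_threshold: float = 3.0) -> bool:
    """Flag a file whose rate deviates from the clean baseline by > z_threshold std."""
    return abs(markov_entropy_rate(data) - mean) > z_threshold * std

# Constructed sample corpus (assumption, not the paper's data): pseudo-English
# text stands in for clean files, uniform random bytes for packed content.
_rng = random.Random(1)
_WORDS = ["the", "process", "calls", "system", "file", "detector", "entropy", "markov"]

def fake_text(n_words: int) -> bytes:
    return " ".join(_rng.choice(_WORDS) for _ in range(n_words)).encode()

CLEAN_FILES = [fake_text(3000) for _ in range(20)]
HELD_OUT_CLEAN = fake_text(3000)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(20000))

if __name__ == "__main__":
    mean, std = fit_clean_baseline(CLEAN_FILES)
    print(f"clean baseline: mean={mean:.3f} bits/byte, std={std:.4f}")
    for name, blob in [("held-out clean", HELD_OUT_CLEAN), ("random blob", RANDOM_BLOB)]:
        print(f"{name}: rate={markov_entropy_rate(blob):.3f} suspicious={is_suspicious(blob, mean, std)}")
```

Note that the baseline is one-dimensional, so a benign file with unusually compressible or unusually dense content (an installer carrying a compressed payload, say) is flagged just as readily as malware; the abstract's other two approaches exist precisely because this single statistic is coarse.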
| Item Type: | Other |
|---|---|
| Subjects: | IEEE Subject Areas > Computing and Processing |
| Depositing User: | Raymond Canzanese |
| Date Deposited: | 13 Feb 2012 19:27 |
| Last Modified: | 13 Apr 2012 15:52 |
| URI: | http://dflwww.ece.drexel.edu/archives/id/eprint/36 |