• DocumentCode
    1928752
  • Title
    Dynamic Malware Detection by Similarity Measures between Behavioral Profiles: An Introduction in French
  • Author
    Borello, Jean-Marie ; Mé, Ludovic ; Filiol, Éric
  • fYear
    2011
  • fDate
    18-21 May 2011
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    In earlier work we have proposed an advanced code obfuscation technique for metamorphic codes, and we have shown that detecting such obfuscated codes is a problem for today's classical static detection tools. In this new paper, written in French, we focus on a new dynamic detection approach that can detect the variants produced by our metamorphic engine. In addition, our approach can detect unknown malware as long as its behavior approaches that of a known malware. For this, we propose to use a measure of similarity between program behaviors. This measure is obtained by lossless compression of execution traces expressed in terms of system calls. This article describes our approach in detail and provides experimental detection results, first on our own metamorphic sample codes, and secondly, more broadly, on a public database of 5000 malware samples.
  • Keywords
    authorisation; invasive software; advance code obfuscation technique; behavioral profile; dynamic malware detection; lossless compression; metamorphic engine; metamorphic sample code; obfuscated code detection; program behavior; public 5000-malware database; static detection tool; Approximation algorithms; Approximation methods; Gold; Loss measurement; Malware; Monitoring; Software
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network and Information Systems Security (SAR-SSI), 2011 Conference on
  • Conference_Location
    La Rochelle
  • Print_ISBN
    978-1-4577-0735-3
  • Type
    conf
  • DOI
    10.1109/SAR-SSI.2011.5931398
  • Filename
    5931398