A Bray-Curtis Weighted Automaton for Detecting Malicious Code Through System-Call Analysis

Malicious code detection is one of the top subjects of interest for intrusion detection systems in today´s computer security research areas. In this paper we propose a new heuristic method for detecting malicious code through system call matching, which also takes in consideration the time of the system call, by using an adaptive search for an extended Aho-Corasick automaton supporting a subset of the regular expressions language, through the use of a normalization technique known as the Bray-Curtis (Sorensen) distance. We will also discuss how this technique can be applied to enrich the set of existing rules from the knowledge base for improving the detection rate.