• DocumentCode
    2564378
  • Title

    A theoretical implementation of Blended Program Analysis for virus signature extraction

  • Author

    Sharma, Vishrut

  • fYear
    2011
  • fDate
    18-21 Oct. 2011
  • Firstpage
    1
  • Lastpage
    4
  • Abstract
    Usually, two methods are used to detect a virus, viz. signature detection and anomaly detection. In this paper, we'll talk about the signature extraction process. Virus signatures can be extracted by analyzing the virus in a safe environment, usually provided by a sandbox or a virtual machine. We can define virus analysis as "the action of taking a virus apart in order to study it". The analysis is done by implementing the methods of program analysis. Traditionally, there were two methods of program analysis, viz. Static Program Analysis and Dynamic Program Analysis. Recently, a new method has been invented called Blended Program Analysis. This method combines a dynamic representation of the program calling structure with a static analysis applied to a region of that calling structure with observed performance problems. From the malware's perspective, a performance problem can be substituted with activities like registry editing or other such activities that result in a system failure. In this paper, we'll explore the possibilities of extracting the signatures of viruses, including complex viruses such as macro viruses, by making use of Blended Program Analysis. Since this paper is a theoretical study, we won't be dealing with any kind of experiments or experimental data.
  • Keywords
    computer viruses; program diagnostics; virtual machines; anomaly detection; blended program analysis; dynamic program analysis; macro viruses; malware perspective; program calling structure dynamic representation; registry editing; sandbox; signature detection; static program analysis; virtual machine; virus signature extraction; Context; Encryption; Malware; Monitoring; Performance analysis; Viruses (medical);
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security Technology (ICCST), 2011 IEEE International Carnahan Conference on
  • Conference_Location
    Barcelona
  • ISSN
    1071-6572
  • Print_ISBN
    978-1-4577-0902-9
  • Type

    conf

  • DOI
    10.1109/CCST.2011.6095879
  • Filename
    6095879