A Semantics-Based Approach to Malware Detection

Dalla Preda, Mila
2007-01-01

Abstract

Malware is a program with malicious intent that has the potential to harm the machine on which it executes or the network over which it communicates. A malware detector identifies malware. A misuse malware detector (or, alternately, a signature-based malware detector) uses a list of signatures (traditionally known as a signature database). For example, if part of a program matches a signature in the database, the program is labeled as malware. Misuse malware detectors' low false-positive rate and ease of use have led to their widespread deployment. Other approaches for identifying malware have not proved practical, as they suffer from high false-positive rates (e.g., anomaly detection using statistical methods) or can only provide a post-infection forensic capability (e.g., correlation of network events to detect propagation after infection). Malware writers continuously test the limits of malware detectors in an attempt to discover ways to evade detection. This leads to an ongoing game of one-upmanship, where malware writers find new ways to create undetected malware, and where researchers design new signature-based techniques for detecting such evasive malware. This co-evolution is a result of the theoretical undecidability of malware detection. This means that, in the currently accepted model of computation, no ideal malware detector exists. The only achievable goal in this scenario is to design better detection techniques that jump ahead of evasion techniques and make the malware writer's task harder.
Year: 2007
ISBN: 9781595935755
Keywords: malware detection; obfuscation; trace semantics; abstract interpretation
Files in this item:

File: poplfp709-dallapreda.pdf
Access: open access
Type: Pre-print document
License: Restricted access
Size: 340.03 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11562/32158