Recognition of Computer Viruses by Detecting Their Gene of Self Replication
Abstract
An approach to the detection of malicious software by detecting its ability to self-replicate is proposed, implemented and tested. The approach is justified by the following realities: most malicious programs propagate themselves through the Internet to maximize the impact of the information attack; self-replication of legitimate programs is quite uncommon; and the number of practical self-replication techniques is quite limited, so these techniques are bound to be reused by new malicious code. A Source Code Analyzer operating as a specialized compiler (interpreter) and a special syntax library were developed for the detection of self-replication functionality in source code and scripts prior to execution. Major building blocks of the existing self-replication techniques were defined in the domain of system calls and their attributes, and a procedure for the reconstruction of these blocks by analyzing the flow of system calls was established. A Dynamic Code Analyzer and a System Calls Monitor were developed for the run-time detection of attempted self-replication in executable and encrypted executable code. The efficiency of the developed technology, including the ability to detect previously unknown malicious programs, has been experimentally demonstrated.
Document Details
- Document Type: Technical Report
- Publication Date: Mar 01, 2006
- Accession Number: ADA448622
Entities
People
- Douglas Summerville
- Victor Skormin
Organizations
- Binghamton University