Addis Ababa University Libraries Electronic Thesis and Dissertations (AAU-ETD)
Faculty of Technology: Thesis - Computer Engineering

Please use this identifier to cite or link to this item: http://hdl.handle.net/123456789/2795

Title: A WHITELIST BASED IMPLEMENTATION OF ANTIVIRUS-DEFINITION FILE TO DETECT UNKNOWN MALICIOUS ACTIVITY
Authors: Yishak, Ibrahim
Advisors: Dr. Manoj V.N.V
Keywords: WHITELIST BASED; ANTIVIRUS-DEFINITION
Copyright: Jan-2009
Date Added: 8-May-2012
Publisher: AAU
Abstract: The battle between malware and antivirus makers has been going on since the late 1980s. Malware makers keep inventing and using different methods to infect machines and to replicate and propagate, and malware has been given classifications such as viruses, worms and Trojans, to name a few. In response the antivirus makers have come up with different detection mechanisms. Today blacklisting and heuristics are the dominant technologies used by Anti-Virus (AV) scanner engines and databases. However, the sheer number of computer viruses and the shift in the internal design of malware in the last 6 years alone indicate that a new approach to dealing with malicious activities is needed. This thesis addresses a whitelist based approach to detecting unknown malicious activities. In this approach the Windows operating system registry settings and entries are used to build a whitelist profile of the programs existing on the Personal Computer (PC). Later this information is used to identify new entries in the registry, and these are processed by a statistical scan engine to classify them as malicious or benign. The engine uses the suspected program's Input/Output (I/O) Read, Write and Other operations together with an Application Programming Interface (API) trace to classify it as malware or benign. A user-level scan engine was written and tested on 40 code-generated malicious programs, including viruses, worms and Trojans, and 30 benign programs, resulting in a high true positive detection rate and no false positive detections. The same sample was processed with commercial antivirus software including Symantec Endpoint, Avast, AVG and Kaspersky. The thesis engine detected 95% of the malware, while the next nearest match was Symantec Endpoint with a 67% detection rate, followed by Symantec 10.0 with 38%. AVG had an 11% detection rate. Kaspersky and Avast were not able to detect any of the malware.
The high detection rate of the thesis scan engine shows that the methods used can be integrated into a heuristics scan engine to achieve a high true positive detection rate for unknown malicious activities.
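The abstract describes a two-stage pipeline: build a whitelist profile from registry entries, diff later registry state against it, then hand each new or changed entry to a statistical engine that decides from I/O Read/Write/Other counts and an API trace. The following is an added example for this page, not the thesis's own scan engine, and the page does not give the thesis's actual registry keys, features or thresholds. It assumes the autostart Run-key values as the registry source, a hypothetical list of suspicious API names, and a positive-z-score anomaly score fitted to a constructed benign baseline; all registry values, profiles and traces are constructed so that it runs offline.

```python
"""Whitelist-then-classify sketch of the approach described in the abstract.

Added example for this page, not the thesis's own scan engine. The registry
autostart values, the benign profiling set, the suspicious-API list and the
z-score threshold are all constructed/hypothetical so the code runs offline.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed stand-in for the Run-key values a whitelist profile would be
# built from (a real engine would read HKLM/HKCU ...\CurrentVersion\Run
# with winreg). Value name -> command line.
BASELINE_RUN_KEYS = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

# Constructed later snapshot: one value added, one value's command changed.
LATER_RUN_KEYS = dict(BASELINE_RUN_KEYS)
LATER_RUN_KEYS["svch0st"] = r"C:\Users\u\AppData\Roaming\svch0st.exe"
LATER_RUN_KEYS["OneDrive"] = r"C:\Users\u\AppData\Roaming\od.exe"

# Hypothetical APIs treated as suspicious when they appear in the trace.
SUSPICIOUS_APIS = {"WriteProcessMemory", "CreateRemoteThread", "SetWindowsHookExA",
                   "RegSetValueExA", "URLDownloadToFileA", "WinExec"}


@dataclass
class Profile:
    """Per-program I/O counters (reads/writes/other) plus an API trace."""
    name: str
    reads: int
    writes: int
    other: int
    api_trace: List[str] = field(default_factory=list)


def build_whitelist(run_keys: Dict[str, str]) -> Dict[str, str]:
    """Whitelist profile: value name -> normalised command line at profiling time."""
    return {name: cmd.strip().lower() for name, cmd in run_keys.items()}


def find_new_entries(whitelist: Dict[str, str], run_keys: Dict[str, str]) -> List[Tuple[str, str]]:
    """Registry values not in the whitelist, or whose command line changed."""
    return sorted((name, cmd) for name, cmd in run_keys.items()
                  if whitelist.get(name) != cmd.strip().lower())


def features(p: Profile) -> Tuple[float, float]:
    """Two statistics: share of I/O that is writes, share of suspicious API calls."""
    total = (p.reads + p.writes + p.other) or 1
    suspicious = sum(1 for api in p.api_trace if api in SUSPICIOUS_APIS)
    return p.writes / total, suspicious / (len(p.api_trace) or 1)


def fit_baseline(benign: List[Profile]) -> List[Tuple[float, float]]:
    """Mean and population stdev of each feature over the benign profiling set."""
    columns = list(zip(*(features(p) for p in benign)))
    return [(mean(col), pstdev(col) or 1e-9) for col in columns]


def anomaly_score(p: Profile, model: List[Tuple[float, float]]) -> float:
    """Sum of positive z-scores: only deviations above the benign mean count."""
    return sum(max(0.0, (f - m) / s) for f, (m, s) in zip(features(p), model))


def classify(p: Profile, model: List[Tuple[float, float]], threshold: float = 4.0) -> str:
    """Hypothetical decision rule: flag anything far above the benign statistics."""
    return "malicious" if anomaly_score(p, model) >= threshold else "benign"


# Constructed benign programs used to fit the statistics.
BENIGN_BASELINE = [
    Profile("notepad", 120, 10, 30, ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"]),
    Profile("browser", 900, 150, 200, ["CreateFileW", "ReadFile", "RegQueryValueExW", "WriteFile", "CloseHandle"]),
    Profile("installer", 300, 120, 60, ["CreateFileW", "WriteFile", "RegSetValueExA", "CloseHandle"]),
]

# Constructed runtime profiles for the two entries that are new or changed.
PROFILES = {
    "svch0st": Profile("svch0st", 40, 400, 60,
                       ["CreateFileW", "WriteFile", "RegSetValueExA", "WriteProcessMemory",
                        "CreateRemoteThread", "URLDownloadToFileA"]),
    "OneDrive": Profile("OneDrive", 200, 20, 40, ["CreateFileW", "ReadFile", "CloseHandle"]),
}


def scan(baseline_keys, later_keys, profiles, benign) -> Dict[str, str]:
    """Full pipeline: whitelist -> new registry entries -> statistical verdict."""
    model = fit_baseline(benign)
    whitelist = build_whitelist(baseline_keys)
    return {name: classify(profiles[name], model)
            for name, _cmd in find_new_entries(whitelist, later_keys)}


if __name__ == "__main__":
    for name, verdict in scan(BASELINE_RUN_KEYS, LATER_RUN_KEYS, PROFILES, BENIGN_BASELINE).items():
        print(f"{name}: {verdict}")
```

Only entries that differ from the whitelist ever reach the classifier, which is what keeps the statistical stage cheap; the cost is that the benign profiling set fixes the thresholds, so the false-positive rate depends on how representative that set is of the machine's normal software. A changed command line is treated the same as a new one, since a whitelisted value name pointing at a different binary is exactly the kind of persistence change the diff is meant to surface.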
URI: http://hdl.handle.net/123456789/2795
Appears in: Thesis - Computer Engineering

Files in This Item:

File / Size / Format
70665392559777364505190208019343608694645.24 kB, Adobe PDF

Items in the AAUL Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.

Last updated: May 2010. Copyright © Addis Ababa University Libraries