A Whitelist Based Implementation of Antivirus Definition File to Detect Unknown Malicious Activity

Date

2009-01

Publisher

Addis Ababa University

Abstract

The battle between malware and antivirus makers has been going on since the late 1980s. Malware makers keep inventing and using different methods to infect, replicate and propagate to machines, and malware has been given classifications such as viruses, worms and Trojans, to name a few. In response, antivirus makers have come up with different detection mechanisms. Today blacklisting and heuristics are the dominant technologies used by Anti-Virus (AV) scanner engines and databases. However, the sheer number of computer viruses and the shift in the internal design of computer malware in the last 6 years alone indicate that a new trend in dealing with malicious activities needs to be addressed. In this thesis a whitelist based approach to detect unknown malicious activities is addressed. In this approach the Windows Operating System registry settings and entries are used to build a whitelist profile of the programs existing on the Personal Computer (PC). Later on, this information is used to identify new entries in the registry, and these are processed to classify them as malicious or benign using a statistical scan engine. The engine uses the suspected program's Input/Output (I/O) Read, Write and Other operation counts together with an Application Programming Interface (API) trace to classify it as malware or benign. A user level scan engine was written and tested on 40 code generated malicious programs, including viruses, worms and Trojans, and 30 benign programs, resulting in a high true positive detection rate and no false positive detections. The same sample was processed with commercial antivirus software including Symantec Endpoint, Avast, AVG and Kaspersky. The thesis engine detected 95 % of the malware, while the next nearest match was Symantec Endpoint with a 67 % detection rate, followed by Symantec 10.0 with 38 %. The other product, AVG, had an 11 % detection rate. Kaspersky and Avast Antivirus were not able to detect any of the malware.
The high detection rate of the thesis scan engine shows that the methods used can be integrated into a heuristics scan engine to achieve a high true positive detection rate of unknown malicious activities.
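The abstract describes two stages: a whitelist profile built from registry entries, used to surface new entries, followed by a statistical classification of the program behind each new entry from its I/O Read, Write and Other counts. The following Python is an added illustration of that two-stage flow; it is not the thesis's code. The registry snapshots, the benign I/O profiles, the suspect profiles, the z-score based anomaly score and the threshold of 9.0 are all constructed assumptions for the example, and the API trace feature mentioned in the abstract is not modelled.

```python
"""Whitelist-then-classify flow illustrating the approach in the abstract.

Stage 1: build a whitelist from a known-good registry snapshot and report
         entries that appear later but are not in the whitelist.
Stage 2: score the I/O behaviour of the program behind each new entry
         against a population of benign programs.

All data below is constructed for the example; the scoring rule (sum of
squared z-scores against the benign population) is an assumption, not the
statistical engine described in the thesis.
"""
import statistics
from dataclasses import dataclass

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshot taken while the PC is in a known-good state.
# Key: (registry key, value name); data: program the entry launches.
BASELINE_SNAPSHOT = {
    (RUN_KEY, "OneDrive"): r"C:\Program Files\OneDrive\OneDrive.exe",
    (RUN_KEY, "SecurityHealth"): r"C:\Windows\System32\SecurityHealthSystray.exe",
    (RUN_KEY, "Printer"): r"C:\Program Files\Printer\tray.exe",
}

# Constructed later snapshot: one new autorun entry has appeared.
LATER_SNAPSHOT = dict(BASELINE_SNAPSHOT)
LATER_SNAPSHOT[(RUN_KEY, "svc_update")] = r"C:\Users\user\AppData\Local\Temp\svc.exe"


def build_whitelist(snapshot):
    """Stage 1a: turn a snapshot into a set of (key, value name, data) triples.

    Including the data in the triple means a whitelisted value name that is
    later repointed at a different program is still reported as new.
    """
    return {(key, name, data) for (key, name), data in snapshot.items()}


def find_new_entries(whitelist, snapshot):
    """Stage 1b: entries present in the snapshot but absent from the whitelist."""
    return sorted(e for e in build_whitelist(snapshot) if e not in whitelist)


@dataclass(frozen=True)
class IoProfile:
    """I/O operation counts for one program over a fixed monitoring window."""
    reads: int
    writes: int
    other: int


# Constructed benign population used as the reference for scoring.
BENIGN_PROFILES = [
    IoProfile(1200, 40, 300),
    IoProfile(900, 25, 220),
    IoProfile(1500, 60, 350),
    IoProfile(700, 15, 180),
]


def anomaly_score(profile, benign):
    """Stage 2a: sum of squared z-scores of each counter vs. the benign set.

    A counter with zero spread in the benign set is given a spread of 1 so a
    single deviating sample does not divide by zero (assumption).
    """
    score = 0.0
    for attr in ("reads", "writes", "other"):
        values = [getattr(b, attr) for b in benign]
        mean = statistics.mean(values)
        spread = statistics.pstdev(values) or 1.0
        score += ((getattr(profile, attr) - mean) / spread) ** 2
    return score


def classify(profile, benign=BENIGN_PROFILES, threshold=9.0):
    """Stage 2b: label a profile; the threshold is an assumed value."""
    return "malicious" if anomaly_score(profile, benign) > threshold else "benign"


def scan(whitelist, snapshot, profiles):
    """Run both stages: report each new entry with its classification."""
    results = {}
    for key, name, data in find_new_entries(whitelist, snapshot):
        profile = profiles.get(data)
        results[(key, name)] = classify(profile) if profile else "no profile"
    return results


if __name__ == "__main__":
    # Constructed I/O profile for the program behind the new entry.
    observed = {LATER_SNAPSHOT[(RUN_KEY, "svc_update")]: IoProfile(300, 900, 50)}
    for entry, verdict in scan(build_whitelist(BASELINE_SNAPSHOT), LATER_SNAPSHOT, observed).items():
        print(entry, "->", verdict)
```

The whitelist keys on the launched program path as well as the value name, so an existing value that is repointed at a new binary surfaces as a new entry rather than being silently trusted.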

Keywords

Activity
