A Method for Detecting Unknown Malicious Executables

Author

Rozenberg, Boris ; Gudes, Ehud ; Elovici, XYuval ; Fledel, Yuval

Author_Institution

Dept. of Comput. Sci., Ben Gurion Univ., Beer-Sheva, Israel

fYear

2011

fDate

16-18 Nov. 2011

Firstpage

190

Lastpage

196

Abstract

We present a method for detecting new malicious executables, which comprise the following steps: (a) in an offline training phase, finding a set of (not necessary consecutive) system call sequences that are characteristic only to malicious files, when such malicious files are executed, and storing said sequences in a database; (b) in a real time detection phase, for each running executable, continuously monitoring its issued system calls and comparing with the stored sequences of system calls within the database to determine whether there exists a match between a portion of the sequence of the run-time system calls and one or more of the database sequences, and when such a match is found, declaring said executable as malicious. We have evaluated our method and the preliminary results are promising and justify the use of system calls sequences for the purpose of detection of new malicious executables.

Keywords

database management systems; invasive software; sequences; database sequence storing; malicious files; offline training phase; real time detection phase; run-time system calls; unknown malicious executable detection; Accuracy; Databases; Genetic algorithms; Malware; Monitoring; Real time systems; Training; system calls sequences; web malware detection;

fLanguage

English

Publisher

ieee

Conference_Titel

Trust, Security and Privacy in Computing and Communications (TrustCom), 2011 IEEE 10th International Conference on

Conference_Location

Changsha

Print_ISBN

978-1-4577-2135-9

Type

conf

DOI

10.1109/TrustCom.2011.27

Filename

6120819