Title :
A Similarity based Technique for Detecting Malicious Executable files for Computer Forensics
Author :
Park, Jun-Hyung ; Kim, Minsoo ; Noh, Bong-Nam ; Joshi, James B.D.
Author_Institution :
Sch. of Inf. Sci., Pittsburgh Univ., PA
Abstract :
With the rapidly increasing complexity of computer systems and the sophistication of hacking tools and techniques, there is a crucial need for computer forensic analysis techniques. Very few techniques exist to support forensic analysis of unknown executable files. The existing techniques primarily inspect executable files to detect known signatures or are based on metadata information. A key goal of such forensic investigation is to identify malicious executable files that hackers might have installed in a targeted system. Finding such malware in a compromised system is difficult because it is hard to identify the purpose of the fragments of executable files. In this paper, we present a similarity-based technique that analyzes targeted executable files to identify a malware present in a compromised system. The technique involves assigning a similarity value to the fragments of executable files present in a compromised hard disk against a set of source files. We present some results based on the comparison of assembly instruction sequences of well-known hacking tools with those of various executable files, and suggest various ways to reduce the false positives
Keywords :
computer crime; invasive software; assembly instruction sequence; computer forensics; hacking tool; malicious executable file detection; malware; similarity based technique; Assembly; Computer aided instruction; Computer crime; Computer hacking; File systems; Forensics; Hard disks; Information analysis; Information science; Protection; assembly instruction code; computer forensics; malicious program; similarity;
Conference_Titel :
Information Reuse and Integration, 2006 IEEE International Conference on
Conference_Location :
Waikoloa Village, HI
Print_ISBN :
0-7803-9788-6
DOI :
10.1109/IRI.2006.252411
