BY
MAYANK CHAUDHRI
2016H103014G
 INTRODUCTION
 MOTIVATION
 DETECTION TECHNIQUES
 Signature Based
 Anomaly Based
 Specification Based
 MALWARE OBFUSCATION
 Malware
 Malware, short for "malicious software," refers to a type of computer program designed
to infect a legitimate user's computer and inflict harm on it in multiple ways
 Antimalware
 Antimalware software protects against infections caused by many types of malware,
including viruses, worms, Trojan horses, rootkits, spyware, keyloggers, ransomware and adware.
 Obfuscation
 Obfuscation is a technique that makes programs harder to understand
 Why do we need to study malware?
 So are computers the only things that can be affected?
 Wait
 Does it look fake?
 Virus 666
 US patent 6506148 B2
 Why do we need antimalware?
 Techniques used for detecting malware can be categorized broadly into two
categories:
 anomaly-based detection
 and signature-based detection
 An anomaly-based detection technique uses its knowledge of what constitutes
normal behavior to decide the maliciousness of a program under inspection
 Specification-based techniques leverage some specification or rule set of what is valid
behavior in order to decide the maliciousness of a program under inspection
 Signature-based detection uses its characterization of what is known to be
malicious to decide the maliciousness of a program under inspection
 Static
 Static analysis uses syntax or structural properties
 A static approach attempts to detect malware before the program under inspection executes
 Example: the strings utility (naive approach)
 Dynamic
 A dynamic approach leverages runtime information
 A dynamic approach attempts to detect malicious behavior during program execution or after
program execution
 Example: the Sysinternals suite (naive approach)
 Hybrid
 In this case, static and dynamic information is used to detect malware
 What is a signature?
 The signatures are typically hashes or byte-streams that are used to determine whether
a file or buffer contains a malicious payload
 Hashes are generated using algorithms like CRC or MD5 which are typically fast and
can be calculated many times per second
 This is the most typical and preferred method employed by antimalware/antivirus products
 There is a tradeoff between being fast and being accurate
 Byte-Streams
 Simplest form of signatures
 Signature is a byte-stream that is specific to a malware file and that does not normally
appear on non-malicious files
 Example: to detect the European Institute for Computer Anti-Virus Research (EICAR)
antivirus test file, an antivirus engine may simply search for this entire string:
 X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
 Easiest and fastest approach to detection
 Many robust and efficient algorithms exist for string matching
 Example: Aho-Corasick, Knuth-Morris-Pratt, Boyer-Moore, etc.
 This approach is error-prone
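The following is an added example, not code from the deck or from any antivirus engine, of the byte-stream approach described above: a small Aho-Corasick automaton that scans a buffer once for every signature at the same time. The signature names, the second (invented) byte-stream signature and the sample buffers are constructed for this example; the EICAR line is the standard harmless test string quoted in the deck. The last sample shows why the approach is error-prone: a benign text that merely quotes the test string is flagged exactly like a real test file.

```python
from collections import deque

# Constructed signature set (example data, not a real AV database).
# The EICAR line is the standard, harmless antivirus test string.
EICAR = b"X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Constructed-Sig-A": b"\xde\xad\xbe\xef\x00\x01",  # invented byte-stream
}


class AhoCorasick:
    """Multi-pattern byte-stream matcher: one pass over the buffer, all patterns."""

    def __init__(self, patterns):
        self.patterns = dict(patterns)
        self.goto = [{}]   # state -> {byte: next_state}
        self.fail = [0]    # state -> fallback state on mismatch
        self.out = [[]]    # state -> names of patterns that end in this state
        for name, pat in self.patterns.items():
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append(name)
        # Failure links, built breadth-first (classic Aho-Corasick construction).
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A state also reports everything its fallback state reports.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Return [(signature_name, offset)] for every occurrence in data."""
        hits = []
        state = 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for name in self.out[state]:
                hits.append((name, i + 1 - len(self.patterns[name])))
        return hits


SCANNER = AhoCorasick(SIGNATURES)


def scan_buffer(data):
    return SCANNER.scan(data)


# Constructed sample buffers.
CLEAN_SAMPLE = b"just an ordinary text file with nothing special in it\n"
INFECTED_SAMPLE = b"some header\n" + EICAR + b"\n"
# A benign document that merely quotes the test string is flagged as well:
# byte-stream matching cannot tell a quotation from a payload.
QUOTING_DOCUMENT = b"Our AV FAQ: the test string is " + EICAR + b" (harmless)\n"

if __name__ == "__main__":
    for label, buf in [("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE),
                       ("quoting", QUOTING_DOCUMENT)]:
        print(label, scan_buffer(buf))
```

The automaton is built once from the whole signature set, so scanning cost is linear in the buffer size regardless of how many signatures are loaded, which is why the deck can call this the fastest approach; the trade-off is that any buffer containing the byte-stream is a hit, whether or not it is executable.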
 Checksums
 The most typical signature-matching algorithm, used by almost all existing AV engines,
is based on calculating CRCs.
 An antivirus engine may detect this test file by calculating the CRC32 checksum of
the entire buffer, of chunks of data, or of specific parts of a file format that can be
divided
 Fast, but a lot of false positives due to collisions
 Use of modified CRCs for detection. But it still gives false positives
 Example :
 “petfood” and “eisenhower” have the same CRC32 hash 0xD0132158
 Use of custom checksums
 Cryptographic hashes
 Follows the 3 main properties of cryptographic hash functions
 Generates a “signature” that uniquely identifies one buffer and just one buffer
 Reduces false positives
 More expensive than calculating a CRC32 hash
 A single-bit change requires computing a new signature
 They are used for recently discovered malware that is considered critical, while
stronger signatures are being developed
 The aim is to identify a whole family of malwares and reduce false positives
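As an added example for the two preceding sections (checksums and cryptographic hashes), not code from the deck or from any AV engine, the following combines them the way the text suggests: a cheap CRC32 is used only as a pre-filter, and a SHA-256 digest confirms the verdict so that a CRC collision alone never produces a detection. The sample buffer, the signature name and the database layout are constructed for this example; `crc32_pair` simply computes the CRC32 of the two words the deck cites as a collision.

```python
import hashlib
import zlib


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "sample" (arbitrary bytes) from which a signature is derived.
SAMPLE = b"CONSTRUCTED-SAMPLE-BODY:" + bytes(range(256)) * 4


def make_signature(name, data):
    """Two-level signature: cheap CRC32 for triage, SHA-256 for confirmation."""
    return {"name": name, "crc32": crc32(data), "sha256": sha256_hex(data)}


SIGNATURE_DB = [make_signature("Constructed-Sample", SAMPLE)]


def match_exact(data, db=SIGNATURE_DB):
    """Return the matching signature name, or None.

    CRC32 is computed first because it is cheap; only when a CRC matches is
    the more expensive SHA-256 computed. The cryptographic hash is what makes
    the verdict trustworthy: a CRC32 agreement on its own may be a collision.
    """
    c = crc32(data)
    candidates = [sig for sig in db if sig["crc32"] == c]
    if not candidates:
        return None
    digest = sha256_hex(data)
    for sig in candidates:
        if sig["sha256"] == digest:
            return sig["name"]
    return None  # CRC32 collided but SHA-256 disagreed: false positive avoided


def flip_bit(data, byte_index, bit):
    """Return a copy of data with one bit toggled (models a minimal variant)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def crc32_pair(a, b):
    """CRC32 of two buffers; the deck states 'petfood' and 'eisenhower' share 0xD0132158."""
    return crc32(a), crc32(b)


if __name__ == "__main__":
    print(match_exact(SAMPLE))                      # exact match
    print(match_exact(flip_bit(SAMPLE, 100, 0)))    # one bit changed: exact signature misses
    print([hex(x) for x in crc32_pair(b"petfood", b"eisenhower")])
```

The one-bit flip illustrates the cost the deck mentions: both the CRC32 (which is guaranteed to change on any single-bit difference) and the SHA-256 no longer match, so every trivially modified variant needs a new exact signature. That gap is what the fuzzy and graph-based signatures in the following sections try to close.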
 Fuzzy Hashing
 Minimal or no diffusion at all
 No confusion at all
 A good collision rate (depends on application)
 Some available hashes
 ssdeep, DeepToad, SpamSum, etc.
 False positives are possible but fewer compared to the techniques discussed earlier
 They are not used independently but together with more sophisticated techniques such as
Bloom filters
 Bypassing such filters is not easy
 Attacker needs to change many parts because changing just one bit will not work
 The number of changes required to bypass the fuzzy signature depends on the
block size and how the block size is chosen
 If block size depends on the size of given buffer and is not fixed then it is easier to
bypass
 Fixed block size based fuzzy signatures are difficult to bypass
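The following is an added example, not code from the deck and not the implementation of ssdeep, DeepToad or SpamSum, of a toy context-triggered piecewise hash in the spirit of those tools. It shows the two properties the section describes: a single flipped bit changes at most a couple of characters of the signature, and a block size derived from the buffer length (as in the `derive_block_size` rule assumed here) makes the signature of a padded copy incomparable, whereas a fixed block size still matches. The 7-byte window, the FNV-1a trigger, the block-size rule and all sample buffers are this example's own assumptions.

```python
import difflib
import random

WINDOW = 7   # bytes in the context window whose hash decides chunk boundaries
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def fnv1a(data):
    """32-bit FNV-1a; used both for the trigger window and for chunk hashes."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def derive_block_size(length, min_block=3, max_chars=64):
    """Size-dependent rule (assumed here): smallest block size whose signature
    is expected to fit in max_chars characters."""
    bs = min_block
    while bs * max_chars < length:
        bs *= 2
    return bs


def fuzzy_signature(data, block_size):
    """Context-triggered piecewise hash: a chunk ends wherever the hash of the
    last WINDOW bytes hits the trigger value; each chunk becomes one character."""
    chars = []
    start = 0
    for i in range(WINDOW - 1, len(data)):
        if fnv1a(data[i + 1 - WINDOW:i + 1]) % block_size == block_size - 1:
            chars.append(B64[fnv1a(data[start:i + 1]) & 63])
            start = i + 1
    if start < len(data):
        chars.append(B64[fnv1a(data[start:]) & 63])
    return f"{block_size}:{''.join(chars)}"


def similarity(sig_a, sig_b):
    """0..100 score; signatures built with different block sizes are incomparable."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    matcher = difflib.SequenceMatcher(None, body_a, body_b, autojunk=False)
    return round(100 * matcher.ratio())


def compare(a, b, block_size=None):
    """Similarity of two buffers; block_size=None derives it from each length."""
    bs_a = block_size or derive_block_size(len(a))
    bs_b = block_size or derive_block_size(len(b))
    return similarity(fuzzy_signature(a, bs_a), fuzzy_signature(b, bs_b))


def flip_bit(data, index, bit=0):
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


# Constructed inputs: a pseudo-random 2000-byte "file", an unrelated file,
# a copy with 1500 junk bytes appended, and a copy with one bit flipped.
_rng = random.Random(2016)
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(2000))
UNRELATED = bytes(_rng.getrandbits(8) for _ in range(2000))
PADDED = ORIGINAL + bytes(_rng.getrandbits(8) for _ in range(1500))
ONE_BIT = flip_bit(ORIGINAL, 1000)

if __name__ == "__main__":
    print("one bit flipped  :", compare(ORIGINAL, ONE_BIT))
    print("unrelated file   :", compare(ORIGINAL, UNRELATED))
    print("padded, derived  :", compare(ORIGINAL, PADDED))
    print("padded, fixed 16 :", compare(ORIGINAL, PADDED, block_size=16))
```

With the derived rule, 2000 bytes give block size 48 and 3500 bytes give 96, so appending data alone moves the padded copy out of the comparable range; real ssdeep emits a second signature at twice the block size to soften exactly this, but the deck's observation stands: a fixed block size is the harder target to move away from.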
 Graph-Based Hashes for Executables
 Software program can be divided into two different kinds of graphs
 Call graph – Directed graph showing the relationship between all the functions in the program
 Flow graph- Directed graph showing the relationship between basic blocks
 Antimalware products with code analysis engines may use signatures in the form of graphs
built from information extracted from call graphs or flow graphs
 This approach is expensive but effective
 For better performance, limit the analysis to some instructions or basic blocks, and use time-outs
 These techniques are powerful for the detection of polymorphic viruses: the
instructions differ between evolutions, but the call graphs usually
remain stable.
 False positive cases are still possible
 Evasion techniques
 Change the layout of the call graph
 Implement anti-disassembly tricks
 Mix anti-disassembly techniques with opaque predicates
 Use time-out tricks (make the flow graph as complex as possible)
 Example of control flow graph tool
 http://github.com/joxeankoret/pyew
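The following is an added example, not code from the deck and not taken from pyew, of a name-independent call-graph fingerprint of the kind the section describes. Two constructed "variants" with different function names (standing in for different instruction bytes) but the same calling structure get the same fingerprint, while a structurally different program does not. The iterative neighbourhood-hashing scheme, the three refinement rounds and the sample graphs are this example's own assumptions.

```python
import hashlib


def canonical_fingerprint(call_graph, rounds=3):
    """Fingerprint a call graph {function: [callees]} independently of names.

    Every node starts with a label made of its out-degree and in-degree; in each
    round a node's label becomes the hash of its own label plus the sorted labels
    of its callees (a small Weisfeiler-Lehman style refinement). The fingerprint
    is the hash of the sorted multiset of final labels, so renaming functions or
    rewriting their instructions changes nothing; only the call structure counts.
    Every callee must itself be a key of call_graph (imports get an empty list).
    """
    indeg = {f: 0 for f in call_graph}
    for callees in call_graph.values():
        for callee in callees:
            indeg[callee] += 1
    label = {f: f"{len(call_graph[f])}/{indeg[f]}" for f in call_graph}
    for _ in range(rounds):
        new_label = {}
        for f, callees in call_graph.items():
            neighbourhood = label[f] + "|" + ",".join(sorted(label[c] for c in callees))
            new_label[f] = hashlib.sha256(neighbourhood.encode()).hexdigest()[:12]
        label = new_label
    return hashlib.sha256(",".join(sorted(label.values())).encode()).hexdigest()[:16]


def same_family(graph_a, graph_b):
    return canonical_fingerprint(graph_a) == canonical_fingerprint(graph_b)


# Constructed call graphs (hypothetical function names, not from any real sample).
VARIANT_A = {
    "entry": ["decode", "payload"],
    "decode": ["loop"],
    "loop": [],
    "payload": ["write_file", "connect"],
    "write_file": [],
    "connect": [],
}
# Same structure, but every function renamed the way a disassembler would auto-name
# them after the instruction bytes changed: the fingerprint is unaffected.
VARIANT_B = {
    "sub_401000": ["sub_401200", "sub_401400"],
    "sub_401200": ["sub_401300"],
    "sub_401300": [],
    "sub_401400": ["sub_401600", "sub_401700"],
    "sub_401600": [],
    "sub_401700": [],
}
DIFFERENT_PROGRAM = {
    "main": ["parse_args", "run"],
    "parse_args": [],
    "run": ["step"],
    "step": ["step", "log"],   # recursion: a shape neither variant has
    "log": [],
}

if __name__ == "__main__":
    print(canonical_fingerprint(VARIANT_A) == canonical_fingerprint(VARIANT_B))
    print(same_family(VARIANT_A, DIFFERENT_PROGRAM))
```

Because only structure is hashed, the deck's first evasion bullet (changing the layout of the call graph, for instance by inserting a wrapper function) is precisely what would alter this fingerprint, and two unrelated programs that happen to share a small call structure would collide, which is the false-positive case the section notes.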
 Dynamic signature-based detection is characterized by using solely information
gathered during the execution to decide its maliciousness
 Looks for patterns of behavior that would reveal the true malicious intent of a
program.
 Signature-based method for worm detection that is based on known malicious
behaviors
 A state transition based technique for detection
 Uses static and dynamic properties to determine the maliciousness
 First executes the program and then applies static signature detection
 Example
 Worm vs. Worm
 Malicious Code Filter
 Anomaly based detection usually occurs in two phases:
 Training (learning) phase and
 Detection (monitoring) phase
 During the training phase the detector attempts to learn the normal behavior.
 The detector could be learning the behavior of system, program or both
 The key advantage of anomaly-based detection is the ability to detect zero-day attacks
 Two fundamental problems associated with this approach are
 High false alarm rate
 Complexity of choosing the features to be learned in training phase
 In dynamic anomaly-based detection, information gathered from the program’s
execution is used to detect malicious code
 The detection phase monitors the program under inspection during its execution,
checking for inconsistencies with what was learned during the training phase
 Examples
 IDS, using computer forensic methods for Privacy-Invasive Software, monitoring system
call sequences, process call sequences
 Setting a threshold is a challenging problem to reduce false positive cases
 In static anomaly-based detection, characteristics about the file structure of the
program under inspection are used to detect malicious code
 A key advantage of static anomaly-based detection is that it may make it
possible to detect malware without having to let the malware-carrying program
execute on the host system
 Data-mining and machine-learning approaches are used to detect malware
 Hybrid anomaly based detection
 Specification-based detection is a type of anomaly-based detection that tries to
address the typical high false alarm rate associated with most anomaly-based
detection techniques
 Specification-based detection attempts to approximate the requirements for an
application or system
 The training phase consists of acquiring a rule set
 The main limitation of specification-based detection is that it is often difficult to
specify completely and accurately the entire set of valid behaviors a system should
exhibit
 Approaches classified as dynamic specification-based use behavior observed at
runtime to determine the maliciousness of an executable
 Example
 Monitoring Security-Critical Programs (using monitored system call events)
 Using Dynamic Information Flow to Protect Applications
 Process Behavior Monitoring
 Using Instruction Block Signatures
 Structural properties of programs are used for detection
 Example
 Static Detection of Malicious Code in Executables (API graph)
 Compiler Approach to Malcode Detection (certifying compiler)
 Detecting Malcode in Firmware
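The following is an added example, not code from the deck or from any of the systems it lists, serving both the anomaly-based section (training and detection phases over system-call sequences, with the false-alarm problem) and the specification-based section (a hand-written rule set instead of a learned profile, with the incompleteness problem). The traces, the n-gram length and the specification are constructed for a hypothetical file-copy tool.

```python
N = 3  # n-gram length over the system-call sequence

# Constructed training traces: normal runs of a hypothetical file-copy tool.
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "fstat", "mmap", "close"],
    ["open", "read", "write", "write", "close"],
]


def ngrams(trace, n=N):
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train_profile(traces, n=N):
    """Anomaly-based detection, training phase: every n-gram seen in normal runs."""
    profile = set()
    for t in traces:
        profile.update(ngrams(t, n))
    return profile


def anomaly_score(trace, profile, n=N):
    """Detection phase: fraction of the trace's n-grams never seen in training.
    The caller picks the threshold, which is where the false-alarm rate is set."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)


# Specification-based detection: an explicit rule set for the same tool, saying
# which calls it may make at all and which call may follow which.
SPEC_ALLOWED_CALLS = {"open", "read", "write", "fstat", "mmap", "close"}
SPEC_ALLOWED_TRANSITIONS = {
    ("open", "read"), ("open", "fstat"), ("read", "read"), ("read", "write"),
    ("read", "close"), ("write", "write"), ("write", "close"),
    ("fstat", "mmap"), ("mmap", "close"), ("mmap", "read"),
}


def spec_violations(trace):
    """Return (index, reason) pairs where the trace leaves the specification."""
    violations = []
    for i, call in enumerate(trace):
        prev = trace[i - 1] if i else None
        if call not in SPEC_ALLOWED_CALLS:
            violations.append((i, f"call not in spec: {call}"))
        elif prev in SPEC_ALLOWED_CALLS and (prev, call) not in SPEC_ALLOWED_TRANSITIONS:
            violations.append((i, f"transition not in spec: {prev}->{call}"))
    return violations


PROFILE = train_profile(NORMAL_TRACES)

# Constructed traces to inspect.
BENIGN_VARIANT = ["open", "read", "read", "write", "close"]       # legitimate, never seen in training
SUSPICIOUS = ["open", "read", "close", "socket", "connect", "execve"]
LEGIT_BUT_UNSPECIFIED = ["open", "fstat", "read", "close"]       # legitimate, missing from the spec

if __name__ == "__main__":
    for name, t in [("benign variant", BENIGN_VARIANT), ("suspicious", SUSPICIOUS),
                    ("legit but unspecified", LEGIT_BUT_UNSPECIFIED)]:
        print(f"{name:22s} anomaly={anomaly_score(t, PROFILE):.2f} spec={spec_violations(t)}")
```

The benign variant is the anomaly detector's false alarm (a third of its 3-grams are unseen, although every transition is legitimate) and the specification accepts it, which is the gain the section claims for specification-based detection; the last trace shows the price: a legitimate `fstat` followed by `read` was never written into the rule set, so the specification flags it, which is the incompleteness limitation the section names.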
 Hybrid specification based detection
 Example
 Types of malware obfuscation techniques
 Encryption
 Exclusive OR
 Dead code insertion
 Register Reassignment
 Subroutine Reordering
 Instruction substitution
 Code transposition
 Code integration
 Base64 encoding
 Code packing
 ROT13
 Encryption
 The first approach to evade signature-based antivirus scanners is to use encryption
 Exclusive OR
 Perform XOR operation with some byte
 Base64 Encoding
 Base64 is commonly used in malware to disguise text strings
 ROT13
 ROT13 is a simple letter substitution that jumbles text
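The following is an added example, not code from the deck, written from the analyst's side of the three string-disguising techniques just listed (single-byte XOR, Base64 and ROT13): given a buffer, it tries each decoding and reports which one recovers a known plaintext marker, the way a strings-deobfuscation helper would during static analysis. The marker, the XOR key and the three encoded sample buffers are constructed for this example.

```python
import base64
import codecs
import re

MARKER = b"CONSTRUCTED-MARKER"   # constructed plaintext we want to recover


def try_xor(data, keyword):
    """Single-byte XOR brute force: [(key, decoded)] where decoded contains keyword."""
    hits = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        if keyword in decoded:
            hits.append((key, decoded))
    return hits


def try_base64(data, keyword):
    """Decode every Base64-looking run of 16+ chars; keep those containing keyword."""
    hits = []
    for m in re.finditer(rb"[A-Za-z0-9+/]{16,}={0,2}", data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # bad padding or length: not real Base64
            continue
        if keyword in decoded:
            hits.append((m.start(), decoded))
    return hits


def try_rot13(data, keyword):
    """ROT13 is its own inverse, so decoding is the same rotation."""
    decoded = codecs.decode(data.decode("latin-1"), "rot_13").encode("latin-1")
    return [decoded] if keyword in decoded else []


def deobfuscate(data, keyword=MARKER):
    """Run every decoder; return (method, key_or_offset, plaintext) findings."""
    findings = []
    for key, dec in try_xor(data, keyword):
        findings.append(("xor", key, dec))
    for offset, dec in try_base64(data, keyword):
        findings.append(("base64", offset, dec))
    for dec in try_rot13(data, keyword):
        findings.append(("rot13", None, dec))
    return findings


# Constructed samples: the same marker hidden three ways.
XOR_SAMPLE = bytes(b ^ 0x5A for b in b"config: " + MARKER + b" end")
B64_SAMPLE = b"blob=" + base64.b64encode(b"payload says " + MARKER) + b";"
ROT13_SAMPLE = codecs.encode("note: " + MARKER.decode(), "rot_13").encode("latin-1")

if __name__ == "__main__":
    for label, buf in [("xor", XOR_SAMPLE), ("base64", B64_SAMPLE), ("rot13", ROT13_SAMPLE)]:
        print(label, [(m, k) for m, k, _ in deobfuscate(buf)])
```

In practice the keyword list would be the analyst's indicators of interest rather than a single marker, and the XOR loop is the reason the deck calls these techniques simple: a one-byte key space is exhausted in 255 tries.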
 Code Packing
 A packer is a piece of software that takes the original malware file and compresses it
 Dead-Code Insertion
 Dead-code insertion is a simple technique that adds some ineffective instructions to a
program to change its appearance while keeping its behavior
 Register Reassignment
 Switches registers from generation to generation while keeping the program behavior the same
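The following is an added example, not code from the deck, of the detection-side answer to the two techniques just described: before hashing or comparing code, a scanner can normalize an instruction listing by dropping ineffective instructions (dead code) and replacing concrete register names by their order of first use (undoing register reassignment). The two variant listings, the third unrelated listing and the small set of dead-code patterns are constructed for this example.

```python
REGISTERS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}


def parse(listing):
    """Turn a textual listing into (opcode, [operands]) tuples; ';' starts a comment."""
    instrs = []
    for line in listing.strip().splitlines():
        line = line.split(";")[0].strip().lower()
        if not line:
            continue
        parts = line.split(None, 1)
        op = parts[0]
        args = [a.strip() for a in parts[1].split(",")] if len(parts) > 1 else []
        instrs.append((op, args))
    return instrs


def is_dead(op, args):
    """Instructions that change nothing (a constructed subset of such patterns)."""
    if op == "nop":
        return True
    if op in ("mov", "xchg") and len(args) == 2 and args[0] == args[1]:
        return True
    if op in ("add", "sub") and len(args) == 2 and args[1] == "0":
        return True
    return False


def normalize(listing):
    """Dead code removed, push/pop of the same register cancelled, registers abstracted."""
    kept = []
    for op, args in parse(listing):
        if is_dead(op, args):
            continue
        if kept and op == "pop" and kept[-1][0] == "push" and kept[-1][1] == args:
            kept.pop()          # push X immediately followed by pop X is a no-op
            continue
        kept.append((op, args))
    regmap = {}

    def abstract(operand):
        if operand in REGISTERS:
            regmap.setdefault(operand, f"r{len(regmap)}")
            return regmap[operand]
        return operand

    return tuple((op, tuple(abstract(a) for a in args)) for op, args in kept)


# Constructed listings (hypothetical code, not from any real sample).
VARIANT_A = """
    mov eax, [ebp+8]
    xor ecx, ecx
    add eax, ecx
    call 0x401000
    ret
"""
# Same behavior with dead code inserted and eax/ecx reassigned to ebx/edx.
VARIANT_B = """
    nop
    mov ebx, [ebp+8]
    push edx
    pop edx
    xor edx, edx
    mov ebx, ebx          ; dead: self move
    add ebx, edx
    add edx, 0            ; dead: adds nothing
    call 0x401000
    ret
"""
OTHER = """
    mov eax, [ebp+8]
    sub eax, 1
    call 0x401000
    ret
"""

if __name__ == "__main__":
    print(normalize(VARIANT_A) == normalize(VARIANT_B))
    print(normalize(VARIANT_A) == normalize(OTHER))
```

Register abstraction is deliberately lossy, so two unrelated routines that differ only in register choice also normalize to the same form; that is the false-positive side of every canonicalization step, and a real engine would combine it with the other signature kinds rather than rely on it alone.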
 Subroutine Reordering
 Obfuscates the original code by changing the order of its subroutines in a random way.
 Example Win32/Ghost
 Instruction Substitution
 Evolves the original code by replacing some instructions with other, equivalent ones
 Code Transposition
 Code transposition reorders the sequence of instructions of the original code without having any
impact on its behavior.
 Code Integration
 Introduced by the Win32/Zmist malware
 Malware knits itself to the code of its target program
 Decompiles the target program into manageable objects, adds itself between them and
reassembles the integrated code into a new generation.
 The Antivirus Hacker's Handbook, Joxean Koret and Elias Bachaalany, Wiley.
 Practical Malware Analysis, Andrew Honig, No Starch Press.
 Nwokedi Idika and Aditya P. Mathur, A Survey of Malware Detection Techniques.
 Ilsun You and Kangbin Yim, Malware Obfuscation Techniques: A Brief Survey, 2010 International Conference on
Broadband, Wireless Computing, Communication and Applications.
 defcon-17-sean_taylor-binary_obfuscation.pdf, Defcon 02017.
Antimalware

H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
 
Fundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptxFundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptx
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
 
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdfGoverning Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
 
Runway Orientation Based on the Wind Rose Diagram.pptx
Runway Orientation Based on the Wind Rose Diagram.pptxRunway Orientation Based on the Wind Rose Diagram.pptx
Runway Orientation Based on the Wind Rose Diagram.pptx
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
 
English lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdfEnglish lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdf
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
 
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
 
space technology lecture notes on satellite
space technology lecture notes on satellitespace technology lecture notes on satellite
space technology lecture notes on satellite
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
 
road safety engineering r s e unit 3.pdf
road safety engineering  r s e unit 3.pdfroad safety engineering  r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
 

Antimalware

  • 2.
 INTRODUCTION
 MOTIVATION
 DETECTION TECHNIQUES
 Signature Based
 Anomaly Based
 Specification Based
 MALWARE OBFUSCATION
  • 3.
 Malware
 Malware, short for "malicious software," refers to a type of computer program designed to infect a legitimate user's computer and inflict harm on it in multiple ways
 Antimalware
 Antimalware software protects against infections caused by many types of malware, including viruses, worms, Trojan horses, rootkits, spyware, key loggers, ransomware and adware.
 Obfuscation
 Obfuscation is a technique that makes programs harder to understand
  • 4.
 Why do we need to study malware?
 So is it only computers that can be affected?
 Wait
 Does it look fake?
 Virus 666
 US patent 6506148 B2
 Why do we need antimalware?
  • 5.
  • 6.
 Techniques used for detecting malware can be categorized broadly into two categories:
 anomaly-based detection
 and signature-based detection
 An anomaly-based detection technique uses its knowledge of what constitutes normal behavior to decide the maliciousness of a program under inspection
 Specification-based techniques leverage some specification or rule set of what is valid behavior in order to decide the maliciousness of a program under inspection
 Signature-based detection uses its characterization of what is known to be malicious to decide the maliciousness of a program under inspection
  • 7.
 Static
 Static analysis uses syntax or structural properties
 A static approach attempts to detect malware before the program under inspection executes
 Example: the strings utility (naïve way)
 Dynamic
 A dynamic approach leverages runtime information
 A dynamic approach attempts to detect malicious behavior during or after program execution
 Example: the Sysinternals suite (naïve way)
 Hybrid
 In this case, static and dynamic information are both used to detect malware
  • 8.
 What is a signature?
 Signatures are typically hashes or byte-streams that are used to determine whether a file or buffer contains a malicious payload
 Hashes are generated using algorithms like CRC or MD5, which are typically fast and can be calculated many times per second
 This is the most typical and preferred method employed by antimalware/antivirus products
 There is a tradeoff between being fast and being accurate
  • 9.
 Byte-Streams
 Simplest form of signature
 The signature is a byte-stream that is specific to a malware file and that does not normally appear in non-malicious files
 Example: to detect the European Institute for Computer Anti-Virus Research (EICAR) antivirus testing file, an antivirus engine may simply search for this entire string:
 X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
 Easiest and fastest approach to detection
 Many robust and efficient algorithms exist for string matching
 Example: Aho-Corasick, Knuth-Morris-Pratt, Boyer-Moore, etc.
 This approach is error prone
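The byte-stream matching slide 9 describes, as an added example (not code from the deck or from any antivirus product): an Aho-Corasick automaton built from several signatures scans a constructed buffer in one pass and reports every hit, including a signature nested inside another. The signature names and the non-EICAR pattern are invented; the EICAR string is the standard test pattern, which contains a backslash after "[4" that the slide's transcription dropped.

```python
"""Byte-stream signature scanning with Aho-Corasick (added example, not the deck's code).

A naive scanner calls bytes.find() once per signature, i.e. one pass over the
buffer per signature. Aho-Corasick builds one automaton from all signatures
and finds every occurrence of every signature in a single pass, which is how
engines with tens of thousands of byte-stream signatures stay fast.
"""
from collections import deque

# The standard EICAR test string (the slide's transcription dropped the
# backslash after "[4"). It is a harmless, industry-agreed test pattern.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature set: the names and the non-EICAR byte pattern are invented.
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "EICAR-Substring": b"ANTIVIRUS-TEST",     # overlaps the first: shows nested hits
    "Sample.Marker.A": b"\xde\xad\xbe\xef",   # hypothetical byte-stream signature
}


class AhoCorasick:
    """Multi-pattern matcher over bytes: each state is a dict byte -> next state."""

    def __init__(self, patterns):
        self.goto = [{}]      # trie transitions
        self.fail = [0]       # failure links
        self.out = [[]]       # (name, length) pairs for signatures ending in this state
        for name, pat in patterns.items():
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append((name, len(pat)))
        # Breadth-first pass sets failure links; a state's fail target is
        # shallower in the trie, so its output list is already final.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, buf):
        """Return sorted (offset, name) pairs for every signature occurrence."""
        hits = []
        state = 0
        for i, b in enumerate(buf):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for name, length in self.out[state]:
                hits.append((i - length + 1, name))
        return sorted(hits)


def scan_buffer(buf, signatures=SIGNATURES):
    return AhoCorasick(signatures).scan(buf)


# Constructed sample buffer: a fake header, filler, the EICAR string, more filler.
SAMPLE_BUFFER = (
    b"MZ" + b"\x00" * 30 + EICAR + b"\x00" * 10 + b"\xde\xad\xbe\xef" + b"\x00" * 5
)

if __name__ == "__main__":
    for offset, name in scan_buffer(SAMPLE_BUFFER):
        print(f"{name:16s} at offset {offset}")
```

The nested "EICAR-Substring" hit illustrates the slide's last point: a short byte-stream that also occurs in benign data (here, inside the test file itself) is exactly how this approach produces false positives, so real engines pair byte-streams with context such as file type or offset.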
  • 10.
  • 11.
 Checksums
 The most typical signature-matching algorithm, used by almost all existing AV engines, is based on calculating CRCs.
 An antivirus engine may detect this testing file by calculating the CRC32 checksum of the entire buffer, of chunks of data, or of specific parts of a file format that can be divided up
 Fast, but a lot of false positives due to collisions
 Use of modified CRC for detection. But it still gives false positives
 Example: "petfood" and "eisenhower" have the same CRC32 hash 0xD0132158
 Use of custom checksums
  • 12.
 Cryptographic hashes
 Follow the 3 main properties of cryptographic hash functions
 Generate a "signature" that uniquely identifies one buffer and just one buffer
 Reduce false positives
 More expensive than calculating a CRC32 hash
 A single bit change requires computing a new signature
 They are used for recently discovered malware that is considered critical, while stronger signatures are being developed
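Slides 11 and 12 side by side, as an added example that is not part of the deck: a seeded birthday search finds two different inputs with the same CRC32 in well under a second, which is why a checksum-only signature raises false positives, while the SHA-256 of the same pair differs; the single-bit flip shows the other half of the trade-off, that a cryptographic signature (and a CRC one) stops matching after the smallest patch. The deck's own "petfood"/"eisenhower" pair is printed so the reader can check it with the same function.

```python
"""CRC32 checksum signatures versus cryptographic hash signatures (added example).

Slides 11 and 12: a CRC32 is cheap but collides easily, so a checksum-only
signature can match benign data; SHA-256 identifies one buffer only, but any
one-bit change (a repacked or patched sample) needs a brand-new signature.
"""
import hashlib
import random
import zlib


def crc32_signature(data: bytes) -> str:
    return f"0x{zlib.crc32(data) & 0xFFFFFFFF:08X}"


def sha256_signature(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_crc32_collision(seed: int = 7, max_samples: int = 2_000_000):
    """Birthday search over seeded pseudo-random 8-byte strings.

    Returns two distinct inputs with the same CRC32. Around 2**16 samples
    are usually enough (birthday bound for a 32-bit digest), which is why a
    checksum signature must never be the only evidence of a match.
    """
    rng = random.Random(seed)
    seen = {}
    for _ in range(max_samples):
        candidate = rng.getrandbits(64).to_bytes(8, "little")
        crc = zlib.crc32(candidate)
        previous = seen.get(crc)
        if previous is not None and previous != candidate:
            return previous, candidate
        seen[crc] = candidate
    return None


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (models a trivially patched sample)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def signatures_survive_flip(data: bytes) -> dict:
    """Does each signature type still match after a single-bit change? (Neither should.)"""
    patched = flip_bit(data, 3)
    return {
        "crc32": crc32_signature(data) == crc32_signature(patched),
        "sha256": sha256_signature(data) == sha256_signature(patched),
    }


if __name__ == "__main__":
    a, b = find_crc32_collision()
    print("CRC32 collision :", a.hex(), b.hex(), crc32_signature(a))
    print("SHA-256 differs :", sha256_signature(a) != sha256_signature(b))
    # The deck's own example pair can be checked the same way:
    print("petfood         :", crc32_signature(b"petfood"))
    print("eisenhower      :", crc32_signature(b"eisenhower"))
    print(signatures_survive_flip(b"some sample bytes"))
```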
  • 13.
 The aim is to identify a whole family of malware and reduce false positives
 Fuzzy Hashing
 Minimal or no diffusion at all
 No confusion at all
 A good collision rate (depends on the application)
 Some available hashes
 ssdeep, DeepToad, SpamSum, etc.
 False positives are possible but fewer compared to the earlier discussed techniques
 They are not used independently but together with more sophisticated techniques like Bloom filters
  • 14.
 Bypassing such filters is not easy
 An attacker needs to change many parts, because changing just one bit will not work
 The number of changes required to bypass a fuzzy signature depends on the block size and how the block size is chosen
 If the block size depends on the size of the given buffer and is not fixed, then it is easier to bypass
 Fuzzy signatures based on a fixed block size are difficult to bypass
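Slides 13 and 14 in working form, as an added example (not the deck's code and not ssdeep itself): a miniature context-triggered piecewise hash in the spamsum/ssdeep style, where a rolling hash over the last 7 bytes decides block boundaries and each block becomes one signature character. Run on constructed pseudo-random "files", it shows no diffusion (a 10-byte patch changes one or two characters) and the block-size effect from slide 14: with a fixed block size a 100-byte append barely moves the score, but when the block size is derived from the input length, the same append pushes the file over a threshold, the block size doubles, and the two signatures become incomparable. Real ssdeep hedges against exactly this by emitting a second signature at twice the block size; this simplified version does not, so the effect is shown at its starkest.

```python
"""A miniature context-triggered piecewise hash (CTPH), the idea behind ssdeep/spamsum.

Added example, not the deck's code and not ssdeep itself. It shows the two
properties slides 13 and 14 describe: a small edit changes only the block(s)
it touches (no diffusion), and a block size chosen from the input length can
be knocked out of alignment just by changing the length, whereas a fixed
block size keeps the signatures comparable.
"""
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7          # bytes covered by the rolling hash that decides block ends
MIN_BLOCK = 3       # smallest block size, doubled until the signature fits
SIG_LEN = 64        # target number of characters in a signature


def choose_block_size(length: int) -> int:
    """Length-dependent block size (ssdeep's rule): smallest 3*2^k with bs*64 >= length."""
    bs = MIN_BLOCK
    while bs * SIG_LEN < length:
        bs *= 2
    return bs


def fuzzy_hash(data: bytes, block_size: int) -> str:
    """One signature character per content-defined block.

    A polynomial rolling hash over the last WINDOW bytes marks a block end
    whenever roll % block_size == block_size - 1; each block is reduced with
    FNV-1a to one base64 character.
    """
    base, mask = 257, 0xFFFFFFFF
    pow_w = pow(base, WINDOW, 1 << 32)
    roll, fnv, in_block, out = 0, 0x811C9DC5, 0, []
    for i, b in enumerate(data):
        roll = (roll * base + b) & mask
        if i >= WINDOW:                      # drop the byte that left the window
            roll = (roll - data[i - WINDOW] * pow_w) & mask
        fnv = ((fnv ^ b) * 0x01000193) & mask
        in_block += 1
        if roll % block_size == block_size - 1:
            out.append(B64[fnv & 63])
            fnv, in_block = 0x811C9DC5, 0
    if in_block:                             # flush the trailing partial block
        out.append(B64[fnv & 63])
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(h1: str, h2: str) -> float:
    """1.0 = identical signatures, 0.0 = nothing in common."""
    if not h1 and not h2:
        return 1.0
    return 1.0 - levenshtein(h1, h2) / max(len(h1), len(h2))


def compare_fixed(a: bytes, b: bytes, block_size: int = 96) -> float:
    return similarity(fuzzy_hash(a, block_size), fuzzy_hash(b, block_size))


def compare_length_dependent(a: bytes, b: bytes) -> float:
    return similarity(fuzzy_hash(a, choose_block_size(len(a))),
                      fuzzy_hash(b, choose_block_size(len(b))))


def sample_data(seed: int, length: int) -> bytes:
    """Constructed stand-in for a file: seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


ORIGINAL = sample_data(1, 6100)                                   # block size 96
PATCHED = ORIGINAL[:3000] + b"\x00" * 10 + ORIGINAL[3010:]        # 10-byte edit
PADDED = ORIGINAL + b"\x00" * 100                                 # 6200 bytes: block size 192
UNRELATED = sample_data(2, 6100)

if __name__ == "__main__":
    print("fixed bs, patched  :", round(compare_fixed(ORIGINAL, PATCHED), 2))
    print("fixed bs, padded   :", round(compare_fixed(ORIGINAL, PADDED), 2))
    print("len-dep bs, patched:", round(compare_length_dependent(ORIGINAL, PATCHED), 2))
    print("len-dep bs, padded :", round(compare_length_dependent(ORIGINAL, PADDED), 2))
    print("unrelated          :", round(compare_fixed(ORIGINAL, UNRELATED), 2))
```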
  • 15.
 Graph-Based Hashes for Executables
 A software program can be divided into two different kinds of graphs
 Call graph: directed graph showing the relationships between all the functions in the program
 Flow graph: directed graph showing the relationships between basic blocks
 Antimalware products with code analysis engines may use signatures in the form of graphs, using information extracted from the call graphs or the flow graphs
 This approach is expensive but effective
 For better performance, limit analysis to some instructions or basic blocks, or use time-outs
 These techniques are powerful for the detection of polymorphic viruses: the instructions differ between evolutions, but the call graphs usually remain stable.
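A graph-shaped signature of the kind slide 15 describes, as an added example (not the deck's code, nor pyew's): the call graph is digested by repeated neighbourhood relabelling (Weisfeiler-Lehman style), so the result depends only on which functions call which. The sample graph, the stripped `sub_XXXXXX` names and the "generation 2" rewrite are all constructed; instruction bytes never enter the computation, which is exactly why the digest survives instruction substitution and renaming but changes as soon as a call edge is added (the layout change slide 16 lists first).

```python
"""Structural call-graph signature (added example, not the deck's or pyew's code).

A call graph is hashed by repeated neighbourhood relabelling (the
Weisfeiler-Lehman scheme), so the digest depends only on which functions
call which, never on function names, addresses or the instruction bytes
inside them. A polymorphic rewrite that substitutes instructions or renames
symbols leaves the digest unchanged; adding or removing a call edge changes it.
"""
import hashlib


def callgraph_hash(edges, rounds: int = 3) -> str:
    """edges: iterable of (caller, callee). Returns a hex digest of the graph's shape."""
    edges = list(edges)
    nodes = set()
    for caller, callee in edges:
        nodes.update((caller, callee))
    callees = {n: [] for n in nodes}
    callers = {n: [] for n in nodes}
    for caller, callee in edges:
        callees[caller].append(callee)
        callers[callee].append(caller)
    # Round 0 label: out-degree and in-degree only.
    labels = {n: f"{len(callees[n])}:{len(callers[n])}" for n in nodes}
    for _ in range(rounds):
        # Each node absorbs the sorted labels of its callees and callers;
        # sorting removes any dependence on iteration order or naming.
        labels = {
            n: hashlib.sha256(
                (labels[n] + "|" + ",".join(sorted(labels[m] for m in callees[n]))
                 + "|" + ",".join(sorted(labels[m] for m in callers[n]))).encode()
            ).hexdigest()[:16]
            for n in nodes
        }
    return hashlib.sha256(",".join(sorted(labels.values())).encode()).hexdigest()


def rename_functions(edges, mapping):
    """Apply a name mapping (e.g. stripped symbols after a rebuild) to every edge."""
    return [(mapping.get(a, a), mapping.get(b, b)) for a, b in edges]


# Constructed sample: a hypothetical program's call graph.
ORIGINAL_GRAPH = [
    ("entry", "init_config"), ("entry", "process_input"), ("entry", "cleanup"),
    ("process_input", "parse_record"), ("process_input", "write_log"),
    ("parse_record", "write_log"), ("cleanup", "write_log"),
]
# Same structure after symbols are stripped and the code rewritten (generation 2):
# names differ, edge order differs, instruction bytes would differ, shape does not.
STRIPPED_NAMES = {
    "entry": "sub_401000", "init_config": "sub_401080", "process_input": "sub_401120",
    "parse_record": "sub_4011f0", "write_log": "sub_401260", "cleanup": "sub_4012c0",
}
REWRITTEN_GRAPH = rename_functions(reversed(ORIGINAL_GRAPH), STRIPPED_NAMES)
# A real layout change (slide 16's first evasion): one call edge added.
RELAID_OUT_GRAPH = ORIGINAL_GRAPH + [("init_config", "write_log")]

if __name__ == "__main__":
    print("original :", callgraph_hash(ORIGINAL_GRAPH)[:16])
    print("rewritten:", callgraph_hash(REWRITTEN_GRAPH)[:16])
    print("relaid   :", callgraph_hash(RELAID_OUT_GRAPH)[:16])
```

Because the digest is a pure function of graph shape, two unrelated programs with the same call structure would also collide; that is the residual false-positive risk slide 16 opens with, and why engines combine the graph signature with other evidence rather than using it alone.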
  • 16.
 False positive cases are still possible
 Evasion techniques
 Change the layout of the call graph
 Implement anti-disassembly tricks
 Mix anti-disassembly techniques with opaque predicates
 Use time-out tricks (make the flow graph as complex as possible)
 Example of a control flow graph tool
 http://github.com/joxeankoret/pyew
  • 17.
 Dynamic signature-based detection is characterized by using solely information gathered during execution to decide maliciousness
 It looks for patterns of behavior that would reveal the true malicious intent of a program.
 A signature-based method for worm detection that is based on known malicious behaviors
 A state-transition-based technique for detection
  • 18.
 Uses static and dynamic properties to determine maliciousness
 First executes the program and then applies static signature detection
 Example
 Worm vs. Worm
 Malicious Code Filter
  • 19.
 Anomaly-based detection usually occurs in two phases:
 Training (learning) phase and
 Detection (monitoring) phase
 During the training phase the detector attempts to learn the normal behavior.
 The detector could be learning the behavior of the system, the program or both
 The key advantage of anomaly-based detection is the ability to detect zero-day attacks
 Two fundamental problems associated with this approach are
 High false alarm rate
 Complexity of choosing the features to be learned in the training phase
  • 20.
 In dynamic anomaly-based detection, information gathered from the program's execution is used to detect malicious code
 The detection phase monitors the program under inspection during its execution, checking for inconsistencies with what was learned during the training phase
 Examples
 IDS, using computer forensic methods for privacy-invasive software, monitoring system call sequences, process call sequences
 Setting a threshold that reduces false positive cases is a challenging problem
  • 21.
 In static anomaly-based detection, characteristics of the file structure of the program under inspection are used to detect malicious code
 A key advantage of static anomaly-based detection is that it may make it possible to detect malware without having to allow the malware-carrying program to execute on the host system
 Data-mining and machine learning approaches are used to detect malware
 Hybrid anomaly-based detection
  • 22.
 Specification-based detection is a type of anomaly-based detection that tries to address the typically high false alarm rate associated with most anomaly-based detection techniques
 Specification-based detection attempts to approximate the requirements for an application or system
 The training phase is the attainment of some rule set
 The main limitation of specification-based detection is that it is often difficult to specify completely and accurately the entire set of valid behaviors a system should exhibit
  • 23.
 Approaches classified as dynamic specification-based use behavior observed at runtime to determine the maliciousness of an executable
 Example
 Monitoring Security-Critical Programs (using monitored system call events)
 Using Dynamic Information Flow to Protect Applications
 Process Behavior Monitoring
 Using Instruction Block Signatures
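One worked example covering slides 19 to 23 together, added here and not taken from the deck: the same constructed system-call traces of a hypothetical file-copy utility are judged by an anomaly detector that learns 3-grams in a training phase and flags unseen ones above a threshold, and by a specification-based monitor that checks each transition against a hand-written rule set. The three test traces are built to show the trade-off the deck states: a rare but legitimate run is a false alarm for the learned model and passes the specification, an injected call fails both, and a pattern that stays inside the allowed transitions but is abnormal slips past the specification, which is the completeness problem slide 22 names. Trace contents, call names and the 0.2 threshold are all assumptions of this example.

```python
"""System-call sequence monitoring two ways (added example, not the deck's code).

An anomaly detector learns n-grams of system calls from normal traces and
flags traces with unseen n-grams (the training/detection split of slides
19-21). A specification-based monitor instead checks each transition against
an explicit rule set (slides 22-23). Both are run on constructed traces of a
hypothetical file-copy utility to show the trade-off the deck describes.
"""

# Constructed training data: normal runs of the hypothetical utility.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "write", "close"],
    ["open", "read", "write", "read", "write", "close"],
    ["open", "read", "read", "read", "write", "write", "write", "close"],
]

# Constructed specification: which call may follow which (a state machine),
# written by hand from the program's requirements rather than learned.
ALLOWED_TRANSITIONS = {
    "open": {"read", "write", "close"},
    "read": {"read", "write", "close"},
    "write": {"read", "write", "close"},
    "close": {"open"},
}


class NGramAnomalyDetector:
    def __init__(self, n: int = 3):
        self.n = n
        self.known = set()

    def train(self, traces):
        for trace in traces:
            self.known.update(self._ngrams(trace))

    def _ngrams(self, trace):
        return [tuple(trace[i:i + self.n]) for i in range(len(trace) - self.n + 1)]

    def score(self, trace) -> float:
        """Fraction of n-grams never seen in training (0.0 = fully familiar)."""
        grams = self._ngrams(trace)
        if not grams:
            return 0.0
        return sum(g not in self.known for g in grams) / len(grams)

    def is_anomalous(self, trace, threshold: float = 0.2) -> bool:
        return self.score(trace) > threshold


def spec_violations(trace, spec=ALLOWED_TRANSITIONS):
    """Return every (prev, next) step the specification does not permit."""
    bad = []
    for prev, nxt in zip(trace, trace[1:]):
        if nxt not in spec.get(prev, set()):
            bad.append((prev, nxt))
    return bad


def assess(trace, detector):
    return {"anomaly": detector.is_anomalous(trace),
            "spec_violation": bool(spec_violations(trace))}


DETECTOR = NGramAnomalyDetector(n=3)
DETECTOR.train(NORMAL_TRACES)

# Constructed test traces.
LEGIT_BUT_RARE = ["open", "write", "close"]            # empty input file: never seen in training
CLEARLY_BAD = ["open", "read", "exec", "close"]        # hypothetical injected call
WITHIN_SPEC_BUT_ODD = ["open", "close"] * 6            # every step allowed, pattern abnormal

if __name__ == "__main__":
    for name, trace in [("legit-but-rare", LEGIT_BUT_RARE), ("clearly-bad", CLEARLY_BAD),
                        ("within-spec-but-odd", WITHIN_SPEC_BUT_ODD)]:
        print(f"{name:20s} score={DETECTOR.score(trace):.2f} {assess(trace, DETECTOR)}")
```

The threshold is the knob slide 20 calls hard to set: lowering it toward 0 catches the third trace but also turns every untrained-but-legitimate run into an alert, raising it toward 1 does the opposite; the specification has no such knob, but only detects what its author remembered to forbid.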
  • 24.
 Structural properties of programs are used for detection
 Example
 Static Detection of Malicious Code in Executables (API graph)
 Compiler Approach to Malcode Detection (certifying compiler)
 Detecting Malcode in Firmware
 Hybrid specification-based detection
 Example
  • 25.
 Types of malware obfuscation techniques
 Encryption
 Exclusive OR
 Dead code insertion
 Register Reassignment
 Subroutine Reordering
 Instruction substitution
 Code transposition
 Code integration
 Base64 encoding
 Code packing
 ROT13
  • 26.
 Encryption
 The first approach to evading signature-based antivirus scanners is to use encryption
 Exclusive OR
 Perform an XOR operation with some byte
 Base64 Encoding
 Base64 is commonly used in malware to disguise text strings
 ROT13
 Rotate13, a simple letter substitution to jumble text
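The analyst's side of slide 26, as an added example that is not from the deck: a small string-recovery routine that takes every printable run from a buffer, tries a strict Base64 decode and ROT13 on it, and brute-forces all 255 single-byte XOR keys over the whole buffer looking for indicator strings (the approach of tools such as xorsearch and FLOSS). The sample buffer, the three hidden strings, the key 0x5A and the keyword list are constructed for the demo.

```python
"""Recovering obfuscated strings during analysis (added example, not the deck's code).

Slide 26 lists XOR, Base64 and ROT13 as ways malware hides its strings. An
analyst reverses each the same way: take every printable run, try Base64 and
ROT13 on it, and brute-force all 255 single-byte XOR keys over the whole
buffer looking for strings known to matter (the approach of xorsearch-style
tools). Everything in the sample buffer below is constructed for the demo.
"""
import base64
import codecs
import re

# Indicators analysts typically search for after decoding (constructed list).
KEYWORDS = (b"http", b".exe", b".dll", b"cmd")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rot13_bytes(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def printable_runs(buf: bytes, min_len: int = 8):
    """Same idea as the strings utility: runs of printable ASCII."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def is_text(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def contains_keyword(data: bytes) -> bool:
    return any(k in data.lower() for k in KEYWORDS)


def decode_base64_candidate(token: bytes):
    """Strict Base64 decode; None unless the token is well-formed and decodes to text."""
    if len(token) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", token):
        return None
    try:
        out = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return out if is_text(out) else None


def xor_key_search(buf: bytes):
    """Try every single-byte key; report (key, run) where a keyword appears."""
    hits = []
    for key in range(1, 256):
        decoded = xor_bytes(buf, key)
        if contains_keyword(decoded):
            hits.extend((key, run) for run in printable_runs(decoded) if contains_keyword(run))
    return hits


def recover_strings(buf: bytes):
    """Return (technique, decoded_bytes) pairs for every indicator found."""
    found = []
    for run in printable_runs(buf):
        if contains_keyword(run):
            found.append(("plain", run))
        decoded = decode_base64_candidate(run)
        if decoded and contains_keyword(decoded):
            found.append(("base64", decoded))
        rotated = rot13_bytes(run)
        if contains_keyword(rotated):
            found.append(("rot13", rotated))
    for key, run in xor_key_search(buf):
        found.append((f"xor:0x{key:02x}", run))
    return found


# Constructed sample buffer: three hidden strings separated by non-printable filler.
HIDDEN_URL = b"http://update.example.invalid/check"
HIDDEN_PATH = b"C:\\Users\\Public\\helper.exe"
HIDDEN_NOTE = b"cleanup runs via cmd"
FILLER = b"\xff\xfe\x01\x02" * 3
SAMPLE = (FILLER + xor_bytes(HIDDEN_URL, 0x5A) + FILLER + base64.b64encode(HIDDEN_PATH)
          + FILLER + rot13_bytes(HIDDEN_NOTE) + FILLER)

if __name__ == "__main__":
    for technique, text in recover_strings(SAMPLE):
        print(f"{technique:10s} {text!r}")
```

Note that the XOR hit is reported as the whole printable run under that key, so a few filler bytes that happen to decode to printable characters can cling to either end of the recovered URL; a real tool would trim at the keyword's surrounding token, which is left out here for brevity.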
  • 27.
 Code Packing
 A packer is a piece of software that takes the original malware file and compresses it
 Dead-Code Insertion
 Dead-code insertion is a simple technique that adds some ineffective instructions to a program to change its appearance but keep its behavior
 Register Reassignment
 Switches registers from generation to generation while keeping program behavior the same
 Subroutine Reordering
 Obfuscates an original code by changing the order of its subroutines in a random way.
 Example: Win32/Ghost
  • 28.
 Instruction Substitution
 Evolves an original code by replacing some instructions with other equivalent ones
 Code Transposition
 Code transposition reorders the sequence of the instructions of an original code without having any impact on its behavior.
 Code Integration
 Introduced by the Win32/Zmist malware
 The malware knits itself into the code of its target program
 It decompiles the target program into manageable objects, adds itself between them and reassembles the integrated code into a new generation.
  • 29.
 The Antivirus Hacker's Handbook, Joxean Koret, Elias Bachaalany, Wiley.
 Practical Malware Analysis, Andrew Honig, No Starch Press.
 Nwokedi Idika, Aditya P. Mathur, A Survey of Malware Detection Techniques.
 Ilsun You, Kangbin Yim, Malware Obfuscation Techniques: A Brief Survey, 2010 International Conference on Broadband, Wireless Computing, Communication and Applications.
 defcon-17-sean_taylor-binary_obfuscation.pdf, Defcon 02017.