Architecture of a morphological malware detector : EICAR 2008
Internal identifier: 003C87 (Main/Merge); previous: 003C86; next: 003C88
Authors: Guillaume Bonfante [France]; Matthieu Kaczmarek [France]; Jean-Yves Marion [France]
Source:
- Journal in computer virology [ 1772-9890 ] ; 2009.
French descriptors
- Pascal (Inist)
English descriptors
- KwdEn:
Abstract
Most malware detectors are based on syntactic signatures that identify known malicious programs. Up to now this architecture has been efficient enough to overcome most malware attacks. Nevertheless, the complexity of malicious code keeps increasing. As a result, the time required to reverse engineer malicious programs and to forge new signatures is growing longer. This study proposes an efficient construction of a morphological malware detector, that is, a detector which combines syntactic and semantic analysis. It aims at facilitating the task of malware analysts by providing some abstraction on the signature representation, which is based on control flow graphs. We build an efficient signature matching engine over tree automata techniques. Moreover, we describe a generic graph rewriting engine in order to deal with classic mutation techniques. Finally, we provide a preliminary evaluation of the detection strategy by carrying out experiments on a malware collection.
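The architecture the abstract describes, as an added example that is not the paper's code: a program is abstracted to a control flow graph whose nodes keep only an instruction's control class, a small rewriting engine normalizes that graph against classic mutations (junk insertion, dead code, jump-to-next and jump chains), and the rooted canonical form of the result is compared with a signature graph. The toy instruction format, the three rewriting rules, the `detect` helper and the sample programs are all constructed for this illustration, and exact comparison of the canonical form stands in for the paper's tree-automaton matcher.

```python
# Added example, not the paper's code. Assumed toy instruction format: (mnemonic, target);
# only jmp/jcc/call/ret carry control flow, targets index the list, call falls through.
from collections import deque

CONTROL = {"jmp", "jcc", "call", "ret"}

def build_cfg(program):
    """One node per instruction: index -> (control label, successor indices)."""
    cfg, n = {}, len(program)
    for i, (op, target) in enumerate(program):
        fall = [i + 1] if i + 1 < n else []
        if op == "jmp":
            succ = [target]
        elif op == "jcc":
            succ = fall + [target]          # fall-through edge first, taken edge second
        elif op == "ret":
            succ = []
        else:
            succ = fall                     # plain instruction or call (callee elsewhere)
        cfg[i] = (op if op in CONTROL else "inst", succ)
    return cfg

def predecessors(cfg):
    preds = {u: set() for u in cfg}
    for u, (_, succ) in cfg.items():
        for s in succ:
            preds[s].add(u)
    return preds

def reachable(cfg, entry):
    seen, stack = set(), [entry]
    while stack:
        u = stack.pop()
        if u not in seen:
            seen.add(u)
            stack.extend(cfg[u][1])
    return seen

def normalize(cfg, entry):
    """Apply the rewriting rules to a fixpoint; returns (cfg, entry)."""
    # Rule 0: drop code unreachable from the entry. Junk parked behind a jmp still
    # falls through syntactically into live code and would block Rule 2 below.
    live = reachable(cfg, entry)
    cfg = {u: (lbl, list(succ)) for u, (lbl, succ) in cfg.items() if u in live}
    while True:
        preds = predecessors(cfg)
        # Rule 1: a jmp is transparent; route its predecessors to its target, delete it.
        jmps = [j for j, (lbl, succ) in sorted(cfg.items())
                if lbl == "jmp" and len(succ) == 1 and succ[0] != j]
        if jmps:
            j, t = jmps[0], cfg[jmps[0]][1][0]
            for p in preds[j]:
                cfg[p] = (cfg[p][0], [t if s == j else s for s in cfg[p][1]])
            entry = t if entry == j else entry
            del cfg[j]
            continue
        # Rule 2: merge a plain instruction into its plain single-entry successor (absorbs junk).
        merged = False
        for u, (lbl, succ) in sorted(cfg.items()):
            v = succ[0] if lbl == "inst" and len(succ) == 1 else None
            if (v is not None and v not in (u, entry)
                    and cfg[v][0] == "inst" and preds[v] == {u}):
                cfg[u] = ("inst", list(cfg[v][1]))
                del cfg[v]
                merged = True
                break
        if not merged:
            return cfg, entry

def canonical(cfg, entry):
    """Rooted canonical form: BFS numbering from the entry, edge order kept."""
    order, queue, seq = {entry: 0}, deque([entry]), []
    while queue:
        u = queue.popleft()
        seq.append(u)
        for s in cfg[u][1]:
            if s not in order:
                order[s] = len(order)
                queue.append(s)
    return tuple((cfg[u][0], tuple(order[s] for s in cfg[u][1])) for u in seq)

def signature_of(program, entry=0):
    return canonical(*normalize(build_cfg(program), entry))

def detect(program, db):
    """Name of the first signature whose normalized CFG equals the program's, else None."""
    form = signature_of(program)
    return next((name for name, sig in db.items() if signature_of(sig) == form), None)

# Constructed samples: a decryption-loop shape as the signature, a mutant of it with
# junk, dead code, jump chains and a reordered body, and an unrelated benign program.
SIGNATURE = [("mov", None), ("xor", None), ("inc", None), ("jcc", 1),
             ("call", None), ("ret", None)]
MUTANT = [("jmp", 2), ("nop", None), ("mov", None), ("nop", None), ("jmp", 5),   # 0-4
          ("xor", None), ("jmp", 9), ("nop", None), ("nop", None), ("inc", None),  # 5-9
          ("nop", None), ("jcc", 5), ("jmp", 13), ("call", None), ("ret", None)]  # 10-14
BENIGN = [("mov", None), ("call", None), ("ret", None)]
DB = {"toy.decrypt_loop": SIGNATURE}
assert detect(MUTANT, DB) == "toy.decrypt_loop" and detect(BENIGN, DB) is None
```

Rule 0 is the caveat a practitioner hits first: junk parked behind an unconditional jump is unreachable, but it still falls through syntactically into the live block, so without pruning the merge rule sees a second predecessor and refuses to collapse that block. The whole-graph comparison used here only works when the signature covers an entire function; a signature embedded in a larger program needs a sub-graph matcher rather than this exact comparison.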
Links to previous steps (curation, corpus...)
- to stream PascalFrancis, to step Corpus: 000244
- to stream PascalFrancis, to step Curation: 000774
- to stream PascalFrancis, to step Checkpoint: 000253
Links to Exploration step
Pascal:10-0051671
The document in XML format
<record><TEI><teiHeader><fileDesc><titleStmt><title xml:lang="en" level="a">Architecture of a morphological malware detector : EICAR 2008</title>
<author><name sortKey="Bonfante, Guillaume" sort="Bonfante, Guillaume" uniqKey="Bonfante G" first="Guillaume" last="Bonfante">Guillaume Bonfante</name>
<affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1>
<s2>54506 Vandœuvre-lès-Nancy</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
<sZ>2 aut.</sZ>
<sZ>3 aut.</sZ>
</inist:fA14>
<country>France</country>
<placeName><region type="region" nuts="2">Grand Est</region>
<region type="old region" nuts="2">Lorraine (région)</region>
<settlement type="city">Vandœuvre-lès-Nancy</settlement>
</placeName>
<orgName type="university">Nancy-Université</orgName>
</affiliation>
</author>
<author><name sortKey="Kaczmarek, Matthieu" sort="Kaczmarek, Matthieu" uniqKey="Kaczmarek M" first="Matthieu" last="Kaczmarek">Matthieu Kaczmarek</name>
<affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1>
<s2>54506 Vandœuvre-lès-Nancy</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
<sZ>2 aut.</sZ>
<sZ>3 aut.</sZ>
</inist:fA14>
<country>France</country>
<placeName><region type="region" nuts="2">Grand Est</region>
<region type="old region" nuts="2">Lorraine (région)</region>
<settlement type="city">Vandœuvre-lès-Nancy</settlement>
</placeName>
<orgName type="university">Nancy-Université</orgName>
</affiliation>
</author>
<author><name sortKey="Marion, Jean Yves" sort="Marion, Jean Yves" uniqKey="Marion J" first="Jean-Yves" last="Marion">Jean-Yves Marion</name>
<affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1>
<s2>54506 Vandœuvre-lès-Nancy</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
<sZ>2 aut.</sZ>
<sZ>3 aut.</sZ>
</inist:fA14>
<country>France</country>
<placeName><region type="region" nuts="2">Grand Est</region>
<region type="old region" nuts="2">Lorraine (région)</region>
<settlement type="city">Vandœuvre-lès-Nancy</settlement>
</placeName>
<orgName type="university">Nancy-Université</orgName>
</affiliation>
</author>
</titleStmt>
<publicationStmt><idno type="wicri:source">INIST</idno>
<idno type="inist">10-0051671</idno>
<date when="2009">2009</date>
<idno type="stanalyst">PASCAL 10-0051671 INIST</idno>
<idno type="RBID">Pascal:10-0051671</idno>
<idno type="wicri:Area/PascalFrancis/Corpus">000244</idno>
<idno type="wicri:Area/PascalFrancis/Curation">000774</idno>
<idno type="wicri:Area/PascalFrancis/Checkpoint">000253</idno>
<idno type="wicri:explorRef" wicri:stream="PascalFrancis" wicri:step="Checkpoint">000253</idno>
<idno type="wicri:doubleKey">1772-9890:2009:Bonfante G:architecture:of:a</idno>
<idno type="wicri:Area/Main/Merge">003C87</idno>
</publicationStmt>
<sourceDesc><biblStruct><analytic><title xml:lang="en" level="a">Architecture of a morphological malware detector : EICAR 2008</title>
<author><name sortKey="Bonfante, Guillaume" sort="Bonfante, Guillaume" uniqKey="Bonfante G" first="Guillaume" last="Bonfante">Guillaume Bonfante</name>
<affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1>
<s2>54506 Vandœuvre-lès-Nancy</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
<sZ>2 aut.</sZ>
<sZ>3 aut.</sZ>
</inist:fA14>
<country>France</country>
<placeName><region type="region" nuts="2">Grand Est</region>
<region type="old region" nuts="2">Lorraine (région)</region>
<settlement type="city">Vandœuvre-lès-Nancy</settlement>
</placeName>
<orgName type="university">Nancy-Université</orgName>
</affiliation>
</author>
<author><name sortKey="Kaczmarek, Matthieu" sort="Kaczmarek, Matthieu" uniqKey="Kaczmarek M" first="Matthieu" last="Kaczmarek">Matthieu Kaczmarek</name>
<affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1>
<s2>54506 Vandœuvre-lès-Nancy</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
<sZ>2 aut.</sZ>
<sZ>3 aut.</sZ>
</inist:fA14>
<country>France</country>
<placeName><region type="region" nuts="2">Grand Est</region>
<region type="old region" nuts="2">Lorraine (région)</region>
<settlement type="city">Vandœuvre-lès-Nancy</settlement>
</placeName>
<orgName type="university">Nancy-Université</orgName>
</affiliation>
</author>
<author><name sortKey="Marion, Jean Yves" sort="Marion, Jean Yves" uniqKey="Marion J" first="Jean-Yves" last="Marion">Jean-Yves Marion</name>
<affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1>
<s2>54506 Vandœuvre-lès-Nancy</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
<sZ>2 aut.</sZ>
<sZ>3 aut.</sZ>
</inist:fA14>
<country>France</country>
<placeName><region type="region" nuts="2">Grand Est</region>
<region type="old region" nuts="2">Lorraine (région)</region>
<settlement type="city">Vandœuvre-lès-Nancy</settlement>
</placeName>
<orgName type="university">Nancy-Université</orgName>
</affiliation>
</author>
</analytic>
<series><title level="j" type="main">Journal in computer virology</title>
<title level="j" type="abbreviated">J. comput. virol.</title>
<idno type="ISSN">1772-9890</idno>
<imprint><date when="2009">2009</date>
</imprint>
</series>
</biblStruct>
</sourceDesc>
<seriesStmt><title level="j" type="main">Journal in computer virology</title>
<title level="j" type="abbreviated">J. comput. virol.</title>
<idno type="ISSN">1772-9890</idno>
</seriesStmt>
</fileDesc>
<profileDesc><textClass><keywords scheme="KwdEn" xml:lang="en"><term>Abstraction</term>
<term>Computer attack</term>
<term>Computer security</term>
<term>Graph transformation</term>
<term>Reverse engineering</term>
<term>Rewriting</term>
<term>Semantic analysis</term>
<term>Syntactic analysis</term>
<term>Tree automaton</term>
</keywords>
<keywords scheme="Pascal" xml:lang="fr"><term>Sécurité informatique</term>
<term>Analyse syntaxique</term>
<term>Attaque informatique</term>
<term>Analyse sémantique</term>
<term>Automate arbre</term>
<term>Rétroingénierie</term>
<term>Abstraction</term>
<term>Réécriture</term>
<term>Transformation graphe</term>
</keywords>
</textClass>
</profileDesc>
</teiHeader>
<front><div type="abstract" xml:lang="en">Most malware detectors are based on syntactic signatures that identify known malicious programs. Up to now this architecture has been efficient enough to overcome most malware attacks. Nevertheless, the complexity of malicious code keeps increasing. As a result, the time required to reverse engineer malicious programs and to forge new signatures is growing longer. This study proposes an efficient construction of a morphological malware detector, that is, a detector which combines syntactic and semantic analysis. It aims at facilitating the task of malware analysts by providing some abstraction on the signature representation, which is based on control flow graphs. We build an efficient signature matching engine over tree automata techniques. Moreover, we describe a generic graph rewriting engine in order to deal with classic mutation techniques. Finally, we provide a preliminary evaluation of the detection strategy by carrying out experiments on a malware collection.</div>
</front>
</TEI>
<affiliations><list><country><li>France</li>
</country>
<region><li>Grand Est</li>
<li>Lorraine (région)</li>
</region>
<settlement><li>Vandœuvre-lès-Nancy</li>
</settlement>
<orgName><li>Nancy-Université</li>
</orgName>
</list>
<tree><country name="France"><region name="Grand Est"><name sortKey="Bonfante, Guillaume" sort="Bonfante, Guillaume" uniqKey="Bonfante G" first="Guillaume" last="Bonfante">Guillaume Bonfante</name>
</region>
<name sortKey="Kaczmarek, Matthieu" sort="Kaczmarek, Matthieu" uniqKey="Kaczmarek M" first="Matthieu" last="Kaczmarek">Matthieu Kaczmarek</name>
<name sortKey="Marion, Jean Yves" sort="Marion, Jean Yves" uniqKey="Marion J" first="Jean-Yves" last="Marion">Jean-Yves Marion</name>
</country>
</tree>
</affiliations>
</record>
To manipulate this document under Unix (Dilib)
EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/Main/Merge
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 003C87 | SxmlIndent | more
Or
HfdSelect -h $EXPLOR_AREA/Data/Main/Merge/biblio.hfd -nk 003C87 | SxmlIndent | more
To link to this page within the Wicri network
{{Explor lien |wiki= Wicri/Lorraine |area= InforLorV4 |flux= Main |étape= Merge |type= RBID |clé= Pascal:10-0051671 |texte= Architecture of a morphological malware detector : EICAR 2008 }}
This area was generated with Dilib version V0.6.33.