
Detection of New Malicious Code Using N-grams Signatures

This paper takes a somewhat uncommon approach to signature-based detection methods, namely breaking up the detection process. Few people go this route, so it's interesting to study its efficacy.
Signature-based malicious code detection is the standard technique in all commercial anti-virus software. This method can detect a virus only after the virus has appeared and caused damage. Signature-based detection performs poorly when attempting to identify new viruses. Motivated by the standard signature-based technique for detecting viruses, and a recent successful text classification method, n-grams analysis, we explore the idea of automatically detecting new malicious code. We employ n-grams analysis to automatically generate signatures from malicious and benign software collections. The n-grams-based signatures are capable of classifying unseen benign and malicious code. The datasets used are large compared to earlier applications of n-grams analysis.
Source: Detection of New Malicious Code Using N-grams Signatures, by Tony Abou-Assaleh, Nick Cercone, Vlado Keselj, and Ray Sweidan.
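As an added illustration of the approach the abstract describes (not the authors' code), the following Python sketch turns each software collection into a byte n-gram frequency profile that serves as its class signature, then assigns an unseen sample to the nearest signature. The Common N-Gram style dissimilarity measure, the profile size and the synthetic token-based stand-in "binaries" are assumptions made for this example.

```python
import random
from collections import Counter

def ngram_profile(data: bytes, n: int = 3, size: int = 50) -> dict:
    """Relative frequencies of the `size` most common byte n-grams in `data`."""
    counts = Counter(data[i:i + n] for i in range(len(data) - n + 1))
    total = sum(counts.values()) or 1
    return {g: c / total for g, c in counts.most_common(size)}

def class_signature(samples, n=3, size=50):
    """One n-grams signature per class: the profile of all its samples together."""
    return ngram_profile(b"".join(samples), n, size)

def dissimilarity(p, q):
    """CNG-style distance (assumed): normalised squared frequency differences
    summed over every n-gram that appears in either profile."""
    return sum((2 * (p.get(g, 0.0) - q.get(g, 0.0)) / (p.get(g, 0.0) + q.get(g, 0.0))) ** 2
               for g in set(p) | set(q))

def classify(sample, signatures, n=3, size=50):
    """Label of the class signature nearest to the sample's own profile."""
    prof = ngram_profile(sample, n, size)
    return min(signatures, key=lambda label: dissimilarity(prof, signatures[label]))

# Constructed stand-in "binaries": streams of 3-byte tokens drawn from a class
# vocabulary. Both classes share COMMON tokens; each also has tokens of its own,
# so the two classes overlap without being trivially separable.
COMMON = [b"abc", b"def"]
BENIGN_ONLY = [b"ghi", b"jkl"]
MALICIOUS_ONLY = [b"mno", b"pqr"]

def synth(seed, vocab, tokens=300):
    """Deterministic synthetic sample built from the given token vocabulary."""
    rng = random.Random(seed)
    return b"".join(rng.choice(vocab) for _ in range(tokens))

def build_signatures():
    """Generate one signature per class from three constructed samples each."""
    benign = [synth(s, COMMON + BENIGN_ONLY) for s in (1, 2, 3)]
    malicious = [synth(s, COMMON + MALICIOUS_ONLY) for s in (4, 5, 6)]
    return {"benign": class_signature(benign), "malicious": class_signature(malicious)}

if __name__ == "__main__":
    sigs = build_signatures()
    # Unseen samples (new seeds) that never contributed to the signatures.
    print(classify(synth(99, COMMON + BENIGN_ONLY), sigs))      # benign
    print(classify(synth(98, COMMON + MALICIOUS_ONLY), sigs))   # malicious
```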

July 25, 2005 in detection, papers