A Behavior Based Approach to Virus Detection

Fast spreading unknown viruses have caused major damage on computer systems upon their initial release. Current detection methods have lacked the capability to detect unknown viruses quickly enough to avoid mass spreading and damage. This dissertation has presented a behavior based approach to detecting known and unknown viruses based on their attempt to replicate. Replication is the qualifying fundamental characteristic of a virus and is consistently present in all viruses, making this approach applicable to viruses belonging to many classes and executing under several conditions. A form of replication called self-reference replication (SR-replication) has been formalized as one main type of replication, which specifically replicates by modifying or creating other files on a system to include the virus itself. This replication type was used to detect viruses attempting replication by referencing themselves, which is a necessary step to successfully replicate files. The approach does not require a priori knowledge about known viruses. Detection was accomplished at runtime by monitoring currently executing processes attempting to replicate. Two implementation prototypes of the detection approach, called SRRAT, were created and tested on Microsoft Windows operating systems, focusing on the tracking of user mode Win32 API system calls and kernel mode system services. The research results showed SR-replication capable of distinguishing between file infecting viruses and benign processes with little or no false positives and false negatives.

Bibliographic Details
Main Author: Morales, Jose Andre
Format: Others
Published: FIU Digital Commons 2008
Subjects:
Online Access: http://digitalcommons.fiu.edu/etd/41
http://digitalcommons.fiu.edu/cgi/viewcontent.cgi?article=1046&context=etd