A Behavior Based Approach to Virus Detection
Fast spreading unknown viruses have caused major damage on computer systems upon their initial release. Current detection methods have lacked capabilities to detect unknown virus quickly enough to avoid mass spreading and damage. This dissertation has presented a behavior based approach to detecting...
Main Author: | |
---|---|
Format: | Others |
Published: |
FIU Digital Commons
2008
|
Subjects: | |
Online Access: | http://digitalcommons.fiu.edu/etd/41 http://digitalcommons.fiu.edu/cgi/viewcontent.cgi?article=1046&context=etd |
id |
ndltd-fiu.edu-oai-digitalcommons.fiu.edu-etd-1046 |
---|---|
record_format |
oai_dc |
spelling |
ndltd-fiu.edu-oai-digitalcommons.fiu.edu-etd-10462018-01-05T15:32:35Z A Behavior Based Approach to Virus Detection Morales, Jose Andre Fast spreading unknown viruses have caused major damage on computer systems upon their initial release. Current detection methods have lacked capabilities to detect unknown virus quickly enough to avoid mass spreading and damage. This dissertation has presented a behavior based approach to detecting known and unknown viruses based on their attempt to replicate. Replication is the qualifying fundamental characteristic of a virus and is consistently present in all viruses making this approach applicable to viruses belonging to many classes and executing under several conditions. A form of replication called self-reference replication, (SR-replication), has been formalized as one main type of replication which specifically replicates by modifying or creating other files on a system to include the virus itself. This replication type was used to detect viruses attempting replication by referencing themselves which is a necessary step to successfully replicate files. The approach does not require a priori knowledge about known viruses. Detection was accomplished at runtime by monitoring currently executing processes attempting to replicate. Two implementation prototypes of the detection approach called SRRAT were created and tested on the Microsoft Windows operating systems focusing on the tracking of user mode Win32 API system calls and Kernel mode system services. The research results showed SR-replication capable of distinguishing between file infecting viruses and benign processes with little or no false positives and false negatives. 2008-03-24T07:00:00Z text application/pdf http://digitalcommons.fiu.edu/etd/41 http://digitalcommons.fiu.edu/cgi/viewcontent.cgi?article=1046&context=etd FIU Electronic Theses and Dissertations FIU Digital Commons computer virus behavior based self reference repli |
collection |
NDLTD |
format |
Others
|
sources |
NDLTD |
topic |
computer virus behavior based self reference repli |
spellingShingle |
computer virus behavior based self reference repli Morales, Jose Andre A Behavior Based Approach to Virus Detection |
description |
Fast spreading unknown viruses have caused major damage on computer systems upon their initial release. Current detection methods have lacked capabilities to detect unknown virus quickly enough to avoid mass spreading and damage. This dissertation has presented a behavior based approach to detecting known and unknown viruses based on their attempt to replicate. Replication is the qualifying fundamental characteristic of a virus and is consistently present in all viruses making this approach applicable to viruses belonging to many classes and executing under several conditions. A form of replication called self-reference replication, (SR-replication), has been formalized as one main type of replication which specifically replicates by modifying or creating other files on a system to include the virus itself. This replication type was used to detect viruses attempting replication by referencing themselves which is a necessary step to successfully replicate files. The approach does not require a priori knowledge about known viruses. Detection was accomplished at runtime by monitoring currently executing processes attempting to replicate. Two implementation prototypes of the detection approach called SRRAT were created and tested on the Microsoft Windows operating systems focusing on the tracking of user mode Win32 API system calls and Kernel mode system services. The research results showed SR-replication capable of distinguishing between file infecting viruses and benign processes with little or no false positives and false negatives. |
author |
Morales, Jose Andre |
author_facet |
Morales, Jose Andre |
author_sort |
Morales, Jose Andre |
title |
A Behavior Based Approach to Virus Detection |
title_short |
A Behavior Based Approach to Virus Detection |
title_full |
A Behavior Based Approach to Virus Detection |
title_fullStr |
A Behavior Based Approach to Virus Detection |
title_full_unstemmed |
A Behavior Based Approach to Virus Detection |
title_sort |
behavior based approach to virus detection |
publisher |
FIU Digital Commons |
publishDate |
2008 |
url |
http://digitalcommons.fiu.edu/etd/41 http://digitalcommons.fiu.edu/cgi/viewcontent.cgi?article=1046&context=etd |
work_keys_str_mv |
AT moralesjoseandre abehaviorbasedapproachtovirusdetection AT moralesjoseandre behaviorbasedapproachtovirusdetection |
_version_ |
1718581368435245056 |