Abstract

We present a method for detecting new malicious executables, which comprises the following steps: (a) in an offline training phase, finding a set of system call sequences that are characteristic only of malicious files when such files are executed, and storing these sequences in a database; (b) in a real-time detection phase, for each running executable, continuously monitoring the system calls it issues and comparing them with the sequences stored in the database to determine whether a portion of the run-time system call sequence matches one or more of the database sequences; when such a match is found, the executable is declared malicious. We have evaluated our method, and the preliminary results are promising and justify the use of system call sequences for the detection of new malicious executables.

Highlights

  • Detection of malicious executables that are known beforehand is usually performed using signature-based techniques.

  • The goal of this paper is to provide a technique which can detect new malicious executables whose signatures are not yet known.

  • Our method comprises the following steps: (a) in an offline training phase, finding a collection of system call sequences that are characteristic only of malicious files when such files are executed, and storing these sequences in a database; (b) at run time, for each running executable, continuously monitoring the system calls it issues and comparing them with the sequences stored in the database to determine whether a portion of the run-time system call sequence matches one or more of the database sequences; when such a match is found, the executable is declared malicious.
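The two-phase procedure described in the abstract and in the last highlight (offline mining of system call sequences that occur only in malicious traces, then run-time matching of a sliding window of issued calls against that database) can be illustrated with the following added example. It is not code from the paper or its authors: the fixed-length contiguous subsequence (n-gram) representation, the set-difference rule for "characteristic only to malicious files", the sample traces, and all function names are assumptions made here for illustration.

```python
from collections import deque
from typing import Iterable, List, Optional, Set, Tuple

NGram = Tuple[str, ...]

# Constructed sample traces (system call names only), standing in for the
# execution traces that would be collected during the offline training phase.
BENIGN_TRACES: List[List[str]] = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "close"],
    ["stat", "open", "read", "close", "exit"],
]
MALICIOUS_TRACES: List[List[str]] = [
    # constructed: reads a file, then overwrites and deletes files
    ["open", "read", "write", "close", "open", "write", "write", "close", "unlink"],
    ["stat", "open", "write", "write", "close", "unlink"],
]


def ngrams(trace: Iterable[str], n: int) -> Set[NGram]:
    """All contiguous length-n subsequences of a system call trace."""
    seq = list(trace)
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def build_database(malicious: Iterable[Iterable[str]],
                   benign: Iterable[Iterable[str]], n: int) -> Set[NGram]:
    """Offline training phase (assumed rule): keep every length-n sequence
    seen in some malicious trace and never seen in any benign trace."""
    mal = set().union(*(ngrams(t, n) for t in malicious))
    ben = set().union(*(ngrams(t, n) for t in benign))
    return mal - ben


class SyscallMonitor:
    """Run-time detection phase for one executable: a sliding window over the
    calls it issues, compared against the database after every call."""

    def __init__(self, database: Set[NGram], n: int) -> None:
        self.database = database
        self.window: deque = deque(maxlen=n)
        self.matched: Optional[NGram] = None

    def observe(self, syscall: str) -> Optional[NGram]:
        """Feed one issued call; return the matching sequence, if any."""
        self.window.append(syscall)
        if len(self.window) == self.window.maxlen:
            gram = tuple(self.window)
            if gram in self.database:
                self.matched = gram  # executable is declared malicious
                return gram
        return None


def scan_trace(trace: Iterable[str], database: Set[NGram],
               n: int) -> Optional[Tuple[int, NGram]]:
    """Replay a trace through the monitor; return (index of the call at which
    detection fired, matching sequence) or None if it never matched."""
    monitor = SyscallMonitor(database, n)
    for i, call in enumerate(trace):
        hit = monitor.observe(call)
        if hit is not None:
            return i, hit
    return None


if __name__ == "__main__":
    N = 3
    db = build_database(MALICIOUS_TRACES, BENIGN_TRACES, N)
    print(f"{len(db)} malicious-only sequences of length {N}")
    # constructed run-time traces of two executables not seen in training
    print(scan_trace(["open", "read", "write", "close", "exit"], db, N))
    print(scan_trace(["open", "read", "stat", "open", "write", "write",
                      "close", "unlink"], db, N))
```

Note that the set difference is what keeps the database free of sequences such as `open, read, write` that ordinary programs also produce, so the quality of the benign training set directly bounds the false-positive rate; conversely, any malicious behaviour that shares all of its length-n windows with benign programs is invisible to this scheme, and the choice of n trades specificity against that blind spot.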


Summary

Introduction

Detection of malicious executables that are known beforehand is usually performed using signature-based techniques. These techniques typically rely on prior explicit knowledge of the malicious executable code, which in turn is represented by one or more signatures or rules stored in a database. The main disadvantage of these techniques is their inability to detect totally new, i.e., previously unencountered, malicious executables. The goal of this paper is to provide a technique which can detect new malicious executables whose signatures are not yet known. The main prior-art approach to this task is to employ machine learning and data mining to create a classifier that distinguishes between malicious and benign executables statically, i.e., without running them [1,2,3]. The main drawback of that approach is its inability to deal with obfuscated or encrypted files.
