Malware refers to any type of code written with the intention of harming a computer or network. The quantity of malware being produced is increasing every year and poses a serious global security threat. Hence, malware detection is a critical topic in computer security. Signature-based detection is the most widespread method used in commercial antivirus solutions. However, signature-based detection can detect malware only once the malicious executable has caused damage and has been conveniently registered and documented. Therefore, the signature-based method fails to detect obfuscated malware variants. In this paper, a new malware detection system is proposed based on information retrieval. For the representation of executables, the frequency of the appearance of opcode sequences is used. Through this architecture a malware detection system prototype is developed and evaluated in terms of performance, malware variant recall (false negative ratio) and false positives.
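To make the representation described in the abstract concrete, the following is an added illustration, not code from the paper or the NOA prototype: each executable is reduced to the relative frequency of its opcode sequences, and a query is matched against an index of known samples with an information-retrieval style similarity. The bigram length, term-frequency weighting, cosine similarity, the 0.7 threshold and the listing format are all assumptions made here; the opcode traces and the disassembly listing are constructed and do not come from real binaries.

```python
"""Opcode-sequence frequency vectors with an information-retrieval lookup.

Added illustration of the representation the abstract describes.  Opcode
bigrams, term-frequency weighting, cosine similarity and the 0.7 threshold
are assumptions of this example, not the paper's own retrieval model.
"""
from collections import Counter
from math import sqrt

# Constructed opcode traces for the index.  They are not taken from real
# binaries and do not correspond to any actual malware family.
KNOWN_SAMPLES = {
    "sample_a": "push mov call pop push mov call pop xor jmp".split(),
    "sample_b": "mov xor xor jmp push call ret".split(),
}

# Constructed disassembler-style listing for the query: address, raw bytes,
# mnemonic, operands.  It is sample_a with one nop inserted, standing in for
# a trivially modified variant of an already indexed sample.
QUERY_LISTING = """
00401000  55              push ebp
00401001  8B EC           mov  ebp, esp
00401003  E8 10 00 00 00  call 00401018
00401008  5D              pop  ebp
00401009  90              nop
0040100A  55              push ebp
0040100B  8B EC           mov  ebp, esp
0040100D  E8 06 00 00 00  call 00401018
00401012  5D              pop  ebp
00401013  33 C0           xor  eax, eax
00401015  EB FE           jmp  00401015
"""


def parse_listing(listing):
    """Extract the mnemonic from each line of an address/bytes/mnemonic listing.

    Tokens that are exactly two hex digits are treated as raw instruction
    bytes and skipped; the first remaining token after the address is the
    mnemonic.  Operands are ignored, since only opcodes are indexed.
    """
    opcodes = []
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        for tok in tokens[1:]:  # tokens[0] is the address
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                continue
            opcodes.append(tok.lower())
            break
    return opcodes


def opcode_ngrams(opcodes, n=2):
    """Count every run of n consecutive opcodes (a 'term' in the IR sense)."""
    if len(opcodes) < n:
        return Counter()
    return Counter(tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1))


def term_frequency(counts):
    """Normalise raw counts to relative frequencies so file size does not dominate."""
    total = sum(counts.values())
    return {term: c / total for term, c in counts.items()} if total else {}


def cosine(a, b):
    """Cosine similarity between two sparse term-frequency vectors."""
    dot = sum(w * b.get(term, 0.0) for term, w in a.items())
    norm_a = sqrt(sum(w * w for w in a.values()))
    norm_b = sqrt(sum(w * w for w in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def build_index(samples, n=2):
    """Turn each indexed sample's opcode trace into a term-frequency vector."""
    return {name: term_frequency(opcode_ngrams(ops, n)) for name, ops in samples.items()}


def classify(opcodes, samples=KNOWN_SAMPLES, threshold=0.7, n=2):
    """Return (is_malicious, best_matching_sample, best_score).

    The query is flagged when its nearest indexed sample scores at or above
    the threshold.  An empty or too-short trace yields (False, None, 0.0).
    """
    query = term_frequency(opcode_ngrams(opcodes, n))
    best_name, best_score = None, 0.0
    for name, vector in build_index(samples, n).items():
        score = cosine(query, vector)
        if score > best_score:
            best_name, best_score = name, score
    return best_score >= threshold, best_name, best_score


if __name__ == "__main__":
    query_ops = parse_listing(QUERY_LISTING)
    print(query_ops)
    print(classify(query_ops))                         # variant of sample_a, flagged
    print(classify("push mov mov add ret".split()))    # constructed benign trace
```

The inserted nop changes only two of the query's ten bigrams, so the variant still scores about 0.90 against sample_a, while a short constructed benign trace that merely shares a `push mov` pair stays well below the threshold. Because cosine similarity is scale-invariant, the term-frequency normalisation matters when vectors are compared with other measures or combined with a threshold on raw counts; it is kept here to mirror the "frequency of appearance" representation.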
Published on: 2013-03-22
Classification: Malware detection, computer security, information retrieval, static analysis, 68-00, 68T30, 68U3
@article{cai1470,
     author = {Igor Santos; S3Lab, DeustoTech -- Computing, Deusto Institute of Technology, University of Deusto, Avenida de las Universidades 24, Bilbao and Xabier Ugarte-Pedrero; S3Lab, DeustoTech -- Computing, Deusto Institute of Technology, University of Deusto, Avenida de las Universidades 24, Bilbao and Felix Brezo; S3Lab, DeustoTech -- Computing, Deusto Institute of Technology, University of Deusto, Avenida de las Universidades 24, Bilbao and Pablo Garcia Bringas; S3Lab, DeustoTech -- Computing, Deusto Institute of Technology, University of Deusto, Avenida de las Universidades 24, Bilbao and Jos\'e Mar\'\i a G\'omez-Hidalgo; Optenet, Madrid},
     title = {NOA: An Information Retrieval Based Malware Detection System},
     journal = {Computing and Informatics},
     volume = {31},
     number = {6},
     year = {2013},
     language = {en},
     url = {http://dml.mathdoc.fr/item/cai1470}
}
Igor Santos; S3Lab, DeustoTech – Computing, Deusto Institute of Technology, University of Deusto, Avenida de las Universidades 24, Bilbao; Xabier Ugarte-Pedrero; S3Lab, DeustoTech – Computing, Deusto Institute of Technology, University of Deusto, Avenida de las Universidades 24, Bilbao; Felix Brezo; S3Lab, DeustoTech – Computing, Deusto Institute of Technology, University of Deusto, Avenida de las Universidades 24, Bilbao; Pablo Garcia Bringas; S3Lab, DeustoTech – Computing, Deusto Institute of Technology, University of Deusto, Avenida de las Universidades 24, Bilbao; José María Gómez-Hidalgo; Optenet, Madrid. NOA: An Information Retrieval Based Malware Detection System. Computing and Informatics, Volume 31 (2013) no. 6. http://gdmltest.u-ga.fr/item/cai1470/