Researchers Use Machines To Analyze Malware
Krishna Dagli writes to mention a Register article about a mechanical process for analyzing malware. Using an automated system, researchers are able to more accurately classify the often randomly-named bots and viruses that plague us. From the article: "The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as 'events' in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification. When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent."
Is it worth having a core just to do background tasks like this?
Since multicore systems are starting to take off, perhaps there should be a method for applications to flag themselves as 'supporting', and then have a separate lower-power core dedicated to 'supporting' applications such as AV, system monitors etc?
How many people can read hex if only you and dead people can read hex?
Any mechanized approach to classifying malware is a good thing. I've heard anecdotally that the process of getting a program declared as a virus or malware is (or has been) as follows at major security firms:
Oh, and of course:
Of course, this is purely anecdotal, and as someone who's never been employed at one of these firms I have no firsthand experience. But I suspect it's something like this, or at the very least something which requires a screaming client and a lot of human effort.
Also, a common thing to do with malware is to change a few lines of code here and there until a matching engine can no longer recognize it and then send it out again over the net. It sounds like their technology has the possibility of dealing with this as well, if it can intelligently sort together related infections. However, the guy who gets a virus first is still probably screwed - but it's an imperfect world.
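The method in the article summary above (model each sample as its sequence of OS-level events, cluster the training samples, classify unseen samples against the clusters) and the point made in this comment (a few changed bytes defeat an exact-match signature but not a behaviour-based classifier) can both be shown with a toy implementation. The following is an added example written for this page; it is not code from the Register article or from the Microsoft paper it describes. The event vocabulary, family names, traces and 'binaries' are all constructed, and the k-means pass stands in for the adaptive clustering engine the paper used.

```python
"""Toy behaviour-based malware classifier (added illustration; not code from
the Register article or from the Microsoft paper it describes).

Each sample is modelled as the sequence of OS-level events it performs.
Samples become normalised event-count vectors, the vectors are clustered
with a small deterministic k-means pass (standing in for the adaptive
clustering / self-organising-map engine described in the article), each
cluster is labelled by majority vote of its training samples, and an
unseen trace is assigned the label of the nearest cluster centre.

Every trace, family name and 'binary' below is constructed for the example."""

from collections import Counter
import hashlib
import math

# Assumed event vocabulary; the paper's own event set is not reproduced.
EVENTS = ["file_copy", "reg_set_run_key", "net_connect",
          "proc_create", "file_delete", "read_addressbook"]

# Constructed training traces: (family label, ordered list of events).
TRAINING = [
    ("worm",    ["read_addressbook", "net_connect", "net_connect",
                 "file_copy", "net_connect"]),
    ("worm",    ["net_connect", "read_addressbook", "net_connect", "file_copy"]),
    ("dropper", ["file_copy", "reg_set_run_key", "proc_create", "file_delete"]),
    ("dropper", ["file_copy", "file_copy", "reg_set_run_key", "proc_create"]),
]


def vectorise(trace):
    """Fraction of the trace spent on each event type (order-insensitive)."""
    counts = Counter(trace)
    return [counts[e] / len(trace) for e in EVENTS]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(vectors, k, iterations=20):
    """Deterministic k-means: farthest-first seeding, then Lloyd iterations."""
    centres = [list(vectors[0])]
    while len(centres) < k:
        far = max(vectors, key=lambda v: min(distance(v, c) for c in centres))
        centres.append(list(far))
    assignment = []
    for _ in range(iterations):
        assignment = [min(range(k), key=lambda c: distance(v, centres[c]))
                      for v in vectors]
        for c in range(k):
            members = [v for v, a in zip(vectors, assignment) if a == c]
            if members:
                centres[c] = [sum(col) / len(members) for col in zip(*members)]
    return centres, assignment


def train(samples, k=2):
    """Cluster the training traces and label each cluster by majority vote."""
    vectors = [vectorise(t) for _, t in samples]
    centres, assignment = kmeans(vectors, k)
    labels = []
    for c in range(k):
        votes = Counter(lab for (lab, _), a in zip(samples, assignment) if a == c)
        labels.append(votes.most_common(1)[0][0] if votes else None)
    return centres, labels


def classify(model, trace):
    """Label of the cluster whose centre is nearest to the unseen trace."""
    centres, labels = model
    v = vectorise(trace)
    nearest = min(range(len(centres)), key=lambda c: distance(v, centres[c]))
    return labels[nearest]


def signature(binary):
    """Exact-match 'signature': a hash of the bytes, which any edit defeats."""
    return hashlib.sha256(binary).hexdigest()


MODEL = train(TRAINING)

# Two constructed 'binaries' of the same worm: a few bytes changed so a hash
# signature no longer matches, while the behaviour trace is unchanged.
WORM_V1 = b"MZ\x90\x00...constructed worm image..."
WORM_V2 = b"MZ\x90\x00...constructed worm image...\x90\x90"   # patched copy
WORM_TRACE = ["net_connect", "net_connect", "read_addressbook",
              "file_copy", "net_connect", "net_connect"]

if __name__ == "__main__":
    print("hash match:", signature(WORM_V1) == signature(WORM_V2))   # False
    print("v1 class:", classify(MODEL, WORM_TRACE))                   # worm
    print("v2 class:", classify(MODEL, WORM_TRACE))                   # worm
    print("dropper-like:", classify(MODEL,
          ["file_copy", "reg_set_run_key", "proc_create"]))           # dropper
```

The event-count vector throws away ordering, which is what makes the two worm variants land in the same cluster regardless of how the bytes were shuffled; the trade-off is that a sample which performs the same events in a deliberately different proportion can drift toward another centre, which is one reason longer traces (more events per sample) classified better in the article.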
Back in the days when Macs had viruses (yes they do exist or existed), I was using a program called Gatekeeper. Instead of knowing about certain viruses it monitored system activity and alerted you when virus-type activity was happening. You, the user, would either deny or grant the action.
So given my experience with GateKeeper, the ideas of this malware detection seem obvious. Why did it take this long to apply these ideas to Windows malware? Is the problem commercial anti-virus software? They prefer you to keep paying for updates, instead of shutting down potential malware until their software knows about it?
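The behaviour-blocking approach this comment attributes to Gatekeeper (watch system activity, flag virus-type actions, let the user allow or deny each one) is distinct from the clustering classifier in the article, so here is a separate added example of it. This is illustration code written for this page, not Gatekeeper's logic; the three rules, the event format and the sample event stream are all assumed and constructed.

```python
"""Behaviour-blocking monitor in the style the comment above attributes to
Gatekeeper (added illustration with assumed rules; not Gatekeeper's code).

Rather than matching known samples, the monitor runs a stream of system
events through a few rules for 'virus-type activity' and, on a match, asks a
decision callback (the user, in the original) whether to allow or deny."""

from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    image: str      # executable performing the action
    kind: str       # file_write | reg_set | net_connect | read_addressbook
    target: str = ""


EXECUTABLE_EXT = (".exe", ".com", ".dll", ".scr")
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)


def rules(event, state):
    """Return a reason string if the event looks like virus-type activity.

    `state` keeps, per pid, the kinds of events already seen so a rule can
    look at a short history rather than a single event."""
    seen = state.setdefault(event.pid, set())
    seen.add(event.kind)
    target = event.target.lower()
    if (event.kind == "file_write" and target.endswith(EXECUTABLE_EXT)
            and target != event.image.lower()):
        return "writes to another executable (file-infector behaviour)"
    if event.kind == "reg_set" and any(
            target.startswith(k.lower()) for k in AUTORUN_KEYS):
        return "registers itself to run at startup"
    if event.kind == "net_connect" and "read_addressbook" in seen:
        return "connects out after reading the address book (mass-mailer behaviour)"
    return None


def monitor(events, decide):
    """Run events through the rules; decide(event, reason) -> True to allow.

    Returns a list of (event, verdict, reason) with verdict 'allowed' or
    'denied'; unflagged events are allowed with reason None."""
    state = {}
    log = []
    for ev in events:
        reason = rules(ev, state)
        if reason is None or decide(ev, reason):
            log.append((ev, "allowed", reason))
        else:
            log.append((ev, "denied", reason))
    return log


# Constructed event stream: an installer, a mass-mailer and a game that
# tries to add itself to the Run key.
SAMPLE = [
    Event(100, r"c:\temp\setup.exe", "file_write", r"c:\program files\app\app.exe"),
    Event(200, r"c:\temp\mailer.exe", "read_addressbook", r"c:\users\x\contacts.wab"),
    Event(200, r"c:\temp\mailer.exe", "net_connect", "smtp.example.net:25"),
    Event(300, r"c:\games\game.exe", "reg_set",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\game"),
    Event(300, r"c:\games\game.exe", "file_write", r"c:\users\x\save.dat"),
]


def trusting_installer(event, reason):
    """Stand-in for the user's answer: allow the installer, deny the rest."""
    return event.image.endswith("setup.exe")


def verdicts(events=SAMPLE, decide=trusting_installer):
    return [verdict for _, verdict, _ in monitor(events, decide)]


if __name__ == "__main__":
    for ev, verdict, reason in monitor(SAMPLE, trusting_installer):
        print(f"{verdict:7} pid={ev.pid} {ev.kind:16} {ev.target}"
              + (f"  [{reason}]" if reason else ""))
```

The first rule fires on the legitimate installer as well as on a file infector, which is the weakness of this design that the comment hints at: every prompt is a decision pushed onto the user, and the value of the scheme depends entirely on the user answering correctly.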
Brought to you by Team SPAM! where we believe: "Information in the noise!"