Write” flag has to be set to “HIGH”. There are also several other important flags to be set, such as the File Attributes flag “Normal”, which sets the attribute of a newly created file to Normal; Share Access “Write”, which specifies the limitations on sharing the file; the File Create Disposition flag, which defines what to do with the file in case it already exists; etc.
Another important link parameter is the Object Handle. Files, as well as many other resources, are treated as objects by the operating system. Therefore, every time a process creates a new object, it receives a unique access handle, which provides fast access to this object within the process and from other processes as well. The usefulness of this handle for linking is obvious: since it is created by a system call and refers to an object, any later system call that uses this handle is trying to gain access to that object, and therefore the two system calls are related. In the case of the Data Write Block, ZwCreateFile creates the handle upon completion of the call. Later, this handle (Handle [File]) is used by another call, ZwWriteFile, to write data into the file represented by that handle.
Finally, when two system calls are properly linked together, the inputs of the first system call become the inputs of the entire block, and likewise the block inherits the outputs of the last system call. The structure then forms one solid block of the pyramid with its own inputs and outputs, and is ready to be included as a unit in a larger structure.
While defining connections between different blocks or system calls, it is important to realize that some of the larger blocks created by this combination are likely to serve legitimate purposes in any regular program. This is expected, since computer viruses tend to employ the same techniques for accessing operating system infrastructure. However, regular computer programs would never call these blocks in a particular order with particular input parameters. At the same time, some blocks are very typical of computer viruses. These considerations provide the basis for the GSR definition.
3.3 Detection Mechanism
Since the GSR structure is defined in terms of sub-patterns, similar to the structure of a sentence with its phrases, words and characters, automata theory for text recognition is applicable to GSR detection.
A finite-state machine $A$ represents a quintuple

$$A = \{\Sigma, Q, \delta, q_0, F\}$$

where

$\Sigma$ - finite set of simple input blocks

$Q$ - finite set of states

$\delta$ - mapping of $\Sigma \times Q$ into $Q$ (taking the machine from state $q_n$ to $q_{n+1}$)

$q_0$ - the initial state, such that $q_0 \in Q$

$F$ - set of final states, such that $F \subseteq Q$
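The two ideas above, handle-based linking of ZwCreateFile and ZwWriteFile into a Data Write block and a finite-state machine run over the resulting block sequence, as an added example that is not the paper's own code. The Call record, the trace contents, and the two-block pattern recognised by the automaton are constructed for illustration and are not the paper's GSR.

```python
# Added example (not from the paper): link calls into blocks via the object
# handle, then run A = {Sigma, Q, delta, q0, F} over the block sequence.
from collections import namedtuple
Call = namedtuple("Call", "name inputs outputs")  # one traced system call (constructed)

def link_data_write_blocks(trace):
    """Merge ZwCreateFile and a later ZwWriteFile on the handle it returned into
    one DataWrite block (first call's inputs, last call's outputs)."""
    blocks, pending = [], {}   # pending: handle -> block awaiting its write
    for c in trace:
        if c.name == "ZwCreateFile":
            blocks.append([c.name, c.inputs, c.outputs])
            pending[c.outputs["Handle"]] = blocks[-1]
        elif c.name == "ZwWriteFile" and c.inputs.get("Handle") in pending:
            blk = pending.pop(c.inputs["Handle"])
            blk[0], blk[2] = "DataWrite", c.outputs
        else:
            blocks.append([c.name, c.inputs, c.outputs])  # other calls stay one-call blocks
    return [tuple(b) for b in blocks]

class BlockAutomaton:
    """delta: (state, block) -> state. Blocks outside Sigma are skipped; a block
    in Sigma with no transition resets to q0 (this example's choice)."""
    def __init__(self, sigma, delta, q0, final):
        self.sigma, self.delta, self.q0, self.final = sigma, delta, q0, final
    def accepts(self, block_names):
        state = self.q0
        for name in block_names:
            if name in self.sigma:
                state = self.delta.get((state, name), self.q0)
            if state in self.final:
                return True
        return False

# Constructed illustrative pattern, not the paper's GSR: a read of one file
# followed by a linked create+write of another.
GSR = BlockAutomaton(sigma={"ZwReadFile", "DataWrite"},
                     delta={("q0", "ZwReadFile"): "q1", ("q1", "DataWrite"): "q2"},
                     q0="q0", final={"q2"})

def detect(trace):
    return GSR.accepts([blk[0] for blk in link_data_write_blocks(trace)])

# Constructed traces; handles, names and values are made up.
SUSPECT_TRACE = [
    Call("ZwReadFile", {"Handle": "H1"}, {"Data": "<bytes>"}),
    Call("ZwCreateFile", {"FileName": "target.exe", "Write": "HIGH"}, {"Handle": "H2"}),
    Call("ZwQueryInformationFile", {"Handle": "H2"}, {"Size": 0}),
    Call("ZwWriteFile", {"Handle": "H2", "Data": "<bytes>"}, {"Status": "SUCCESS"}),
]
BENIGN_TRACE = [Call("ZwCreateFile", {"FileName": "app.log"}, {"Handle": "H3"}),
                Call("ZwWriteFile", {"Handle": "H3", "Data": "started"}, {"Status": "SUCCESS"})]
```

The intervening ZwQueryInformationFile in the suspect trace shows that linking follows the handle rather than adjacency, while the benign trace forms the same DataWrite block but is not accepted because no read precedes it.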
According to [4], it is possible to define a finite-state automaton $A = \{V_N, V_T, \delta, S, F\}$ with $T(A) = L(G)$, if $G = \{V_N, V_T, P, S\}$,