newly detected Lower Block. When a new Upper Block is finally formed, the history is
updated and the algorithm repeats, but now with regard to this newly created block.
At every repetition the detection takes place one level higher, as though climbing
up the pyramidal structure.
4 Experiments
The GSR definition explained earlier requires building a pyramidal structure with
basic system calls at the bottom, combinations of calls represented by Blocks in the
middle, and the GSR itself at the top. While replication is usually not a very
complicated process, it may involve a number of steps, and among them system calls
dominate greatly. Therefore, the complexity of a GSR definition depends on several
factors:
- The number of unique system calls involved.
- The number of inter-functional relations among system calls.
- The complexity of the inter-functional relations.
Table 2. Replication schemes for major types of computer viruses

| Replication Type | Details | Replication Scheme |
| --- | --- | --- |
| Overwriting | Virus overwrites an existing executable by replacing its content with the body of the virus | 1. Read “Virus.exe”; 2. Open “Host.exe”; 3. Write “Virus.exe” into “Host.exe”; 4. Close “Host.exe” |
| Companion | Virus renames an existing executable and replaces the original with itself | 1. Read “Host.exe” name; 2. Rename “Host.exe” into “Host.ex”; 3. Rename “Virus.exe” into “Host.exe” |
| Parasitic | Virus attaches itself to an existing file by injecting its code into the body of the executable and replacing code entry points | 1. Open “Virus.exe”; 2. Read “Virus.exe” code; 3. Open “Host.exe”; 4. Inject code into “Host.exe”; 5. Patch “Host.exe” entry point |
Since the margin between malicious and normal behavior can be small, it is important
to keep the complexity of the GSR high whenever possible in order to avoid
misdetections. On the other hand, some flexibility in connecting the blocks of the
GSR is needed as well; otherwise the approach becomes less generic.
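The following is an added illustration, not code from the paper, of how the replication schemes of Table 2 and the three complexity factors above can be expressed and checked on a call trace. Each scheme is an ordered list of abstract call patterns; variables such as `$self` and `$host` are assumptions of this example, and a variable that recurs across steps stands for an inter-functional relation (the same file must appear in both calls). The matcher tolerates unrelated calls between steps (the flexibility the text asks for) but refuses a hit when a relation does not hold, which is what separates the overwriting scheme from a benign editor saving a document. The call names and the sample traces are constructed for the example; `patch_entry` is a hypothetical abstract call standing in for the entry-point patch of the parasitic scheme.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Call:
    """One abstract system call from a trace: name plus argument tuple."""
    name: str
    args: tuple


# Replication schemes of Table 2 as ordered step patterns (example encoding).
# "$self" is the image of the observed process; other "$" names are bound on
# first use and must agree on every later use (inter-functional relations).
SCHEMES = {
    "Overwriting": [
        ("read", ("$self",)),
        ("open", ("$host",)),
        ("write", ("$host", "$self")),
        ("close", ("$host",)),
    ],
    "Companion": [
        ("rename", ("$host", "$backup")),
        ("rename", ("$self", "$host")),
    ],
    "Parasitic": [
        ("open", ("$self",)),
        ("read", ("$self",)),
        ("open", ("$host",)),
        ("write", ("$host", "$self")),   # inject own code into the host
        ("patch_entry", ("$host",)),     # hypothetical abstract call
    ],
}


def _unify(pattern, args, bindings):
    """Return extended bindings if args fit pattern under bindings, else None."""
    if len(pattern) != len(args):
        return None
    new = dict(bindings)
    for p, a in zip(pattern, args):
        if p.startswith("$"):
            if p in new and new[p] != a:
                return None          # relation violated: same variable, different file
            new[p] = a
        elif p != a:
            return None
    return new


def match_scheme(steps, trace, self_image) -> Optional[dict]:
    """Greedy in-order match of scheme steps against a trace.

    Unrelated calls may sit between steps, but every shared variable must
    bind consistently. Returns the bindings on success, None otherwise."""
    bindings = {"$self": self_image}
    pos = 0
    for name, pattern in steps:
        found = None
        while pos < len(trace):
            call = trace[pos]
            pos += 1
            if call.name == name:
                found = _unify(pattern, call.args, bindings)
                if found is not None:
                    break
        if found is None:
            return None
        bindings = found
    return bindings


def detect(trace, self_image):
    """Names of all Table 2 schemes whose relations hold in the trace."""
    return [n for n, s in SCHEMES.items() if match_scheme(s, trace, self_image)]


def scheme_complexity(steps):
    """The three factors from the text: unique calls, number of relations
    (repeat uses of a variable), and how many variables are shared across steps."""
    per_var = {}
    for _, pattern in steps:
        for p in set(pattern):
            if p.startswith("$"):
                per_var[p] = per_var.get(p, 0) + 1
    return {
        "unique_calls": len({name for name, _ in steps}),
        "relations": sum(n - 1 for n in per_var.values()),
        "shared_vars": sum(1 for n in per_var.values() if n > 1),
    }


# Constructed sample traces (not taken from the paper).
TRACE_OVERWRITE = [
    Call("open", ("C:\\Temp\\log.txt",)),     # unrelated call in between
    Call("read", ("Virus.exe",)),
    Call("open", ("Host.exe",)),
    Call("write", ("Host.exe", "Virus.exe")),
    Call("close", ("Host.exe",)),
]
TRACE_EDITOR = [                              # benign: editor saves its buffer
    Call("read", ("Editor.exe",)),
    Call("open", ("Notes.txt",)),
    Call("write", ("Notes.txt", "buffer")),   # written data is not the image itself
    Call("close", ("Notes.txt",)),
]
TRACE_COMPANION = [
    Call("read", ("Host.exe",)),
    Call("rename", ("Host.exe", "Host.ex")),
    Call("rename", ("Virus.exe", "Host.exe")),
]

if __name__ == "__main__":
    print(detect(TRACE_OVERWRITE, "Virus.exe"))   # ['Overwriting']
    print(detect(TRACE_EDITOR, "Editor.exe"))     # []
    print(detect(TRACE_COMPANION, "Virus.exe"))   # ['Companion']
    for name, steps in SCHEMES.items():
        print(name, scheme_complexity(steps))
```

The editor trace reaches the same four call names in the same order as the overwriting scheme; only the relation between the written data and `$self` fails, which is the kind of small margin the text warns about. Dropping that relation (lowering the GSR complexity) would turn the benign trace into a misdetection, while dropping the tolerance for interleaved calls would miss the overwriting trace.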