[Figure 8: flowchart of the final replication behavior structure; blocks shown: Memory Mapping Block, Code Injection Block, File Access Block, Pipe Enumeration Block, Host Search Block]
Fig. 8. Final replication behavior structure of a virus with networking capabilities
6 Results
The experiments have shown that most blocks of the GSR, being described in a
generic form, do express the behavior of many well-known as well as yet
undetermined viruses. The detection mechanism, implemented as a finite-state
machine, allows for successful tracking and detection of such behavior. Table 8
shows the detection system's response to several viruses as well as to some legitimate
processes that express similar "viral" behavior from the replication point of view. Only
the most vital blocks of self-replication are shown.
Table 8. Detection system response to various malicious and legitimate processes

Process        Host Search  File Access  Networking  Memory   Injection/infection  Replication (total)
W32.Alicia     100 %        100 %        100 %       32.4 %   100 %                100 %
W32.Bogus      100 %        100 %        5.3 %       3.7 %    100 %                100 %
W32.Crash      100 %        100 %        0 %         100 %    100 %                100 %
W32.Neo        100 %        100 %        7.0 %       100 %    100 %                100 %
W32.Linda      100 %        100 %        4.3 %       100 %    100 %                100 %
W32.Stream     100 %        100 %        32.5 %      100 %    100 %                100 %
Svchost.exe    26.3 %       100 %        79.4 %      100 %    36.0 %               78.4 %
Explorer.exe   14.5 %       92.1 %       100 %       84.5 %   47.4 %               86.2 %
Acrobat.exe    75.0 %       89.0 %       53.5 %      100 %    87.1 %               89.8 %
Since the approach is generic in its nature, many legitimate applications may
trigger some of the Gene's building blocks. It can be seen from the table that some of
the blocks, being more generic, are detected at a rate very close or even equal to
100 % for the non-malicious applications tested. The process "svchost", for example,
indeed expressed behavior identical to a virus when working with system memory
objects. However, its host search routine was only partially detected (directory
listing alone), therefore earning only 26 % of the entire host search behavior.
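As an added example (not code from the paper), a minimal block tracker in Python that mirrors the finite-state idea above: each GSR block is a short ordered state machine, coverage is reported per block as in Table 8, and a process that only lists directories earns partial host-search credit, like the svchost case. The sub-step names, the ordering rule and the two event traces are constructed assumptions; the paper's actual block definitions and its total-score aggregation are not reproduced.

```python
"""Block-tracking detector in the spirit of the GSR finite-state machine.
Block names follow Fig. 8 / Table 8; the sub-steps within each block, the
ordering rule and the two event traces are constructed for illustration."""

# Ordered sub-steps per block (constructed). A sub-step is credited only when
# it is observed after the block's preceding sub-step, so the tracker behaves
# like one small state machine per block rather than a bag of indicators.
BLOCKS = {
    "host_search": ["dir_list", "filter_executables", "pick_target"],
    "file_access": ["open_target", "read_header", "write_body"],
    "networking": ["enum_shares", "connect_peer", "send_copy"],
    "memory": ["map_self_image", "read_self_image"],
    "injection": ["open_process", "alloc_remote", "write_remote", "start_thread"],
}

def track_blocks(events):
    """Advance each block's state machine over an event trace.
    Returns {block: fraction of the block's sub-steps reached in order}."""
    state = {name: 0 for name in BLOCKS}
    for ev in events:
        for name, steps in BLOCKS.items():
            pos = state[name]
            if pos < len(steps) and steps[pos] == ev:
                state[name] = pos + 1
    return {name: state[name] / len(steps) for name, steps in BLOCKS.items()}

def percent_report(events):
    """Per-block coverage in percent, in the shape of Table 8's columns."""
    return {name: round(100 * score, 1)
            for name, score in track_blocks(events).items()}

# Constructed traces. The first completes every block; the second only lists a
# directory, reads files and maps its own image (the svchost-like case).
VIRAL_TRACE = [
    "dir_list", "filter_executables", "pick_target",
    "open_target", "read_header", "write_body",
    "map_self_image", "read_self_image",
    "open_process", "alloc_remote", "write_remote", "start_thread",
    "enum_shares", "connect_peer", "send_copy",
]
LEGIT_TRACE = ["dir_list", "open_target", "read_header", "map_self_image",
               "read_self_image", "dir_list", "pick_target"]

if __name__ == "__main__":
    for label, trace in (("viral", VIRAL_TRACE), ("legit", LEGIT_TRACE)):
        print(label, percent_report(trace))
```

Note that "pick_target" in the legitimate trace is not credited because "filter_executables" was never seen, which is what distinguishes the ordered tracker from simple indicator counting.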