Abstract
The current detection model used by modern antivirus software is based on the same basic principle: any antivirus has to analyze a threat before it can protect the user against it. This implies that a few systems must first be infected, then a manual or partially automated analysis of the malware must be performed, and only then can the malware databases be updated. Practically no prevention model is considered to mitigate this inherent limitation of AV software. The issue becomes critical for office documents (Microsoft Office, LibreOffice, PDF files\(\ldots \)), which are increasingly used as vectors of targeted attacks and hence represent a major threat. The huge variability of such documents makes the current detection model almost useless against them. To protect against the specific risks these documents present, we propose a new model of antiviral protection that acts proactively and offers a strong prevention model: the document is transformed into an inactive file format, protecting the user from any known or unknown threat. This proactive threat-management module has been implemented in the DAVFI project (French and International AntiVirus Demonstrator), funded by the French Strategic Digital Fund. Real, concrete cases of malicious office documents have been submitted to this module for analysis and transformation, demonstrating its effectiveness and accuracy.
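As an added illustration of the transformation principle described above (this is not the DAVFI module's own code; the stripping rules are my assumption of one reasonable instance of "transform into an inactive format"), the following Python takes a constructed macro-enabled OOXML package and rewrites it as an inactive document: the VBA part is dropped together with the content-type and relationship entries that reference it, so the result carries no executable payload whether or not the original was ever seen before.

```python
import io, zipfile
import xml.etree.ElementTree as ET
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def build_sample() -> bytes:
    """Constructed minimal macro-enabled package (placeholder parts, not real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}">'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/></Types>')
        z.writestr("word/_rels/document.xml.rels", f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{VBA_REL}" Target="vbaProject.bin"/></Relationships>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

def disarm(package: bytes):
    """Copy the package part by part without the VBA part; returns (new_bytes, removed_parts)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name.lower().endswith("vbaproject.bin"):   # the active content itself
                removed.append(name)
                continue
            if name == "[Content_Types].xml":            # forget the macro content type
                root = ET.fromstring(data)
                for el in list(root):
                    if "vbaProject" in el.get("ContentType", ""):
                        root.remove(el)
                    elif el.get("ContentType") == MACRO_MAIN:
                        el.set("ContentType", PLAIN_MAIN)  # demote to a plain document
                data = ET.tostring(root)
            elif name.endswith(".rels"):                   # unlink the dangling relationship
                root = ET.fromstring(data)
                for el in list(root):
                    if el.get("Type") == VBA_REL:
                        root.remove(el)
                data = ET.tostring(root)
            dst.writestr(name, data)
    return out.getvalue(), removed

def parts(package: bytes) -> dict:
    """Map of part name to bytes, used to inspect a package before and after disarming."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return {n: z.read(n) for n in z.namelist()}
```

A production transformer would also handle the other active-content parts (OLE objects, DDE fields, external relationships) and preferably rebuild the package from parsed content rather than copying parts through.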
Notes
\(\mathbb {F}_{2}\) = {0, 1}, where 0 denotes non-detection and 1 successful detection. It is possible to generalize to \(\mathbb {F}_{3}\) = {0, 1, 2}, where 2 would describe any “suspicious” or “doubtful” result. We could even consider the set \(\mathbb {F}_{q} = \{0, 1,\ldots , \mathrm{q} - 1\}\) in the same way, to define the suspicion level with a finer granularity.
Cite this article
Dechaux, J., Filiol, E. Proactive defense against malicious documents: formalization, implementation and case studies. J Comput Virol Hack Tech 12, 191–202 (2016). https://doi.org/10.1007/s11416-015-0259-6