Journal in Computer Virology

, Volume 2, Issue 3, pp 163–186 | Cite as

Non-signature based virus detection

Towards establishing a unknown virus detection technique using SOM
  • In Seon YooEmail author
  • Ulrich Ultes-Nitsche
Original Paper


A non-signature-based virus detection approach using Self-Organizing Maps (SOMs) is presented in this paper. Unlike classical virus detection techniques using virus signatures, this SOM-based approach can detect virus-infected files without any prior knowledge of virus signatures. Exploiting the fact that virus code is inserted into a complete file which was built using a certain compiler, an untrained SOM can be trained in one go with a single virus-infected file and will then present an area of high density data, identifying the virus code through SOM projection. The virus detection approach presented in this paper has been tested on 790 different virus-infected files, including polymorphic and encrypted viruses. It detects viruses without any prior knowledge – e.g. without knowledge of virus signatures or similar features – and is therefore assumed to be highly applicable to the detection of new, unknown viruses. This non-signature-based virus detection approach was capable of detecting 84% of the virus-infected files in the sample set which included, as already mentioned, polymorphic and encrypted viruses. The false positive rate was 30%. The combination of the classical virus detection technique for known viruses and this SOM-based technique for unknown viruses can help systems be even more secure.


Malicious Code Parasitic Virus Virus Signature Unknown Virus Codebook Vector 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Chantico: Combating computer crime: prevention, detection, investigation. McGraw-Hill, Inc, New YorkGoogle Scholar
  2. 2.
    Sophos: Top ten viruses and hoaxes reported to sophos in september 2005 (2005)Google Scholar
  3. 3.
    Yoo, I.: Visualizing windows executable viruses using self-organizing maps. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS 2004), Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC-04) (2004)Google Scholar
  4. 4.
    Kohonen T. (1995) Self-organizing maps. Springer, Berlin Heidelberg New YorkGoogle Scholar
  5. 5.
    Haykin S. Neural networks: a comprehensive foundation, International Edition/2nd edn. Prentice Hall Englewood cliffs (1999)Google Scholar
  6. 6.
    Kohonen T. (1982) Self-organized formation of topologically correct feature maps. Biol. Cybern. 43: 59–69zbMATHMathSciNetCrossRefGoogle Scholar
  7. 7.
    Kohonen T. (1988) Self-organization and associative memory, 3rd edn. Springer, Berlin Heidelberg New YorkzbMATHGoogle Scholar
  8. 8.
    Hinton G., Sejnowski T.J. (1999) Unsupervised learning: foundations of neural computation. The MIT Press, CambridgeGoogle Scholar
  9. 9.
    Yoo, I., Ultes-Nitsche, U.: How to predict email viruses under uncertainty. In: Proceedings of the 23rd IEEE International Performance, Computing and Communications Conference, IPCCC 2004, Workshop of Information Assurance (WIA 04) (2004)Google Scholar
  10. 10.
    CERT: Cert/cc incident note in-99-03 cih/chernobyl virus. (1999)Google Scholar
  11. 11.
    Pfleeger C.P. (1997) Security in computing, International Edition, 2nd edn. Prentice-Hall International Inc., Englewood cliffsGoogle Scholar
  12. 12.
    Kaspersky, E.: Virus analysis texts – macro viruses. (2000)Google Scholar
  13. 13.
    Esa Alhoniemi, Johan Himberg, J.P., Vesanto, J.: Som toolbox 2.0, a software library for matlab. SOM Toolbox team, Laboratory of Computer and Information Science, Finland (2002)Google Scholar
  14. 14.
    MATHWORKS: The mathworks, inc. MATLAB (2003)Google Scholar
  15. 15.
    KASPERSKY: Windows viruses (1994–2005)Google Scholar

Copyright information

© Springer-Verlag France 2006

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of FribourgFribourgSwitzerland

Personalised recommendations