
Evaluation methodology and theoretical model for antiviral behavioural detection strategies

  • Extended version of WTCV'06
  • Journal in Computer Virology

Abstract

Behavioural analysis for the detection of malware has recently emerged as a new and promising set of antiviral techniques: function-based detection is now considered alongside sequence-based detection. Most antivirus publishers now claim to use behavioural analysis as a marketing argument. But the real impact of these “new” techniques appears to be limited, since no real progress in the general antiviral fight has been observed so far. This paper presents a methodology for evaluating the real capabilities of antivirus software with respect to behavioural analysis. It is shown that, contrary to the claims of some publishers, behavioural analysis is still only very marginally used and implemented. These techniques are almost always either validated by, or dependent on, classical form-based detection methods (detection patterns, for example). In this context, we propose a generalised, theoretical detection model which considers both form-based and function-based detection at the same time, and we give some essential properties this model should exhibit in order to achieve truly behaviour-based detection.



Corresponding author
Correspondence to Eric Filiol.

Additional information

This paper is the extended version of the paper presented at WTCV’06 (Workshop in Theoretical Computer Virology) in Nancy, France, May 2006.

Cite this article

Filiol, E., Jacob, G. & Liard, M.L. Evaluation methodology and theoretical model for antiviral behavioural detection strategies. J Comput Virol 3, 23–37 (2007). https://doi.org/10.1007/s11416-006-0026-9
