Proactive defense against malicious documents: formalization, implementation and case studies

  • Jonathan Dechaux
  • Eric FiliolEmail author
Original Paper


The current detection model used by modern antivirus software is based on the same basic principle. Any antivirus has to analyze the threat in order to protect the user afterwards. This implies to have first a few systems to be infected, then to perform a manual or partially automated analysis of the malware to finally update the malware databases. Quite no prevention model is considered to mitigate this inherent limitation of AV software. This issue becomes critical when considering office documents (Microsoft Office, Libre Office, PDF files\(\ldots \)) which become more and more vectors of targeted attacks and hence represent a major threat. The huge variability of documents makes the current detection model quite useless. To protect against the specific risks presented by these documents, we propose a new model of antiviral protection acting proactively and offering a strong prevention model. The document is transformed into an inactive file format to protect the user from any known or unknown threat. This module of proactive threat management has been implemented into the DAVFI project (French and International AntiVirus Demonstrator), funded by the French Strategic Digital Fund. Real and concrete cases of malicious office documents have been submitted to the analysis of this module as well as its transformation principles, demonstrating its effectiveness and accuracy.


Boolean Function Active Content Magic Number Office Document Malicious Code 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Davfi Project.
  2. 2.
    Opendavfi Project.—The website will be active in 2016/Q1
  3. 3.
    Adleman, L.M.: An abstract theory of computer viruses. In: Advances in cryptology—CRYPTO’88, pp. 280–284 (1988)Google Scholar
  4. 4.
    Albertini, A.: Polyglottes binaires et implications. SSTIC, Rennes, (2013)
  5. 5.
    Chess, D.M., White, S.R.: An undetectable computer virus. In: Proceedings of virus bulletin conference, Orlando (2000)Google Scholar
  6. 6.
    Cohen, F.: Computer viruses. PhD thesis, University of Southern California, Janvier (1986)Google Scholar
  7. 7.
    Debar, H., Filiol, E., Jacob, G.: Formalization of viruses and malware through process algebra. In: IEEE Fourth international workshop on advances in information security (IEEE-WAIS’2010), February 15–18th, Cracovia (2010)Google Scholar
  8. 8.
    Dechaux, J.: Formalization, Implementation and testing of a methodology and evaluation techniques of anti-virus software. PhD thesis, Ecole Polytechnique (2015)Google Scholar
  9. 9.
    Dullien, T., Porst, S.: REIL: a platform-independent intermediate representation of disassembled code for static code analysis.
  10. 10.
    Filiol, E.: Computer viruses: from theory to applications. IRIS Collection, Springer (2005)Google Scholar
  11. 11.
    Filiol, E.: Formalisation and implementation aspects of K-ary (malicious) codes. J. Comput. Virol. 3(3), 75–86 (2007)CrossRefGoogle Scholar
  12. 12.
    Filiol, E., Josse, S.: A statistical model for undecidable viral detection. J. Comput. Virol. 3(3), 65–74 (2007)CrossRefGoogle Scholar
  13. 13.
    Filiol, E., Zaccardelle, A.: Magic lantern... reloaded/antiviral psychosis McAfee case. In: Proceedings of the 20th EICAR conference, Krems, pp. 143–164 (2011)Google Scholar
  14. 14.
  15. 15.
    Jacob, G., Debar, H., Filiol, E.: Malware behavioural detection by attribute-automata using abstraction from platform and language. In: Proceedings of the 12th international symposium on recent advances in intrusion detection (RAID’09), pp. 81–100 (2009)Google Scholar
  16. 16.
    Leplongeon, M.: L’Élysée visé par deux importantes attaques informatiques.
  17. 17.
    Manach, J.-M.: Les dessous du piratage de bercy.
  18. 18.
    Schneier, B.: Applied cryptography: protocols, algorithms, and source code In: C. John Wiley & Sons (1995)Google Scholar
  19. 19.
    Szor, P.: The art of computer virus research and defense. Addison-Wesley Professional (2005)Google Scholar

Copyright information

© Springer-Verlag France 2015

Authors and Affiliations

  1. 1.Operational Cryptology and Virology Laboratory, ESIEALavalFrance

Personalised recommendations