Proactive defense against malicious documents: formalization, implementation and case studies

Abstract

The detection model used by all modern antivirus software rests on the same basic principle: the antivirus must first analyze a threat before it can protect the user against it. This implies that a few systems get infected first, that the malware is then analyzed manually or semi-automatically, and that the signature databases are finally updated. Almost no prevention model is considered to mitigate this inherent limitation of AV software. The issue becomes critical for office documents (Microsoft Office, LibreOffice, PDF files...), which are increasingly used as vectors of targeted attacks and hence represent a major threat. The huge variability of such documents makes the current detection model largely useless against them. To address the specific risks these documents present, we propose a new model of antiviral protection that acts proactively and offers a strong prevention model: the document is transformed into an inactive file format, which protects the user from any known or unknown threat it may carry. This proactive threat-management module has been implemented in the DAVFI project (French and International AntiVirus Demonstrator), funded by the French Strategic Digital Fund. Real malicious office documents have been submitted to this module in order to evaluate both its analysis and its transformation principles, demonstrating its effectiveness and accuracy.

Notes

  1. \(\mathbb{F}_{2} = \{0, 1\}\), where 0 denotes non-detection and 1 successful detection. This generalizes to \(\mathbb{F}_{3} = \{0, 1, 2\}\), where 2 describes a “suspicious” or “doubtful” result, and more generally to \(\mathbb{F}_{q} = \{0, 1, \ldots, q - 1\}\), which expresses the suspicion level with finer granularity.
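As an added example that is not part of the paper and not DAVFI's code, the script below applies the abstract's principle to OOXML packages (.docx/.docm/.xlsx ...): it checks the magic number, takes a verdict in \(\mathbb{F}_{3} = \{0, 1, 2\}\) as in note 1, and rewrites the package without any active content. The part names, relationship types and content types are the OOXML packaging conventions; the sample package, the helper names and the policy choices (treating every legacy OLE2 file as active, keeping plain hyperlinks but dropping other external targets) are assumptions made for this demo, not the paper's.

```python
"""Added example (not the DAVFI project's code): the proactive transformation of the
abstract applied to OOXML packages, with the verdict taken in F_3 = {0, 1, 2} as in
note 1. The sample package built at the bottom is constructed for this demo."""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                       # OOXML packages are ZIP archives
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (CFB/OLE2)

# Parts through which a document executes or loads code (VBA, OLE, ActiveX), plus their .rels
ACTIVE_PART = re.compile(
    r"(^|/)(vbaProject\.bin|vbaData\.xml|activeX\d*\.(?:xml|bin)|oleObject\d*\.bin)(\.rels)?$", re.I)
ACTIVE_WORD = re.compile(r"vbaProject|vbaData|oleObject|activeX", re.I)
ELEMENT = re.compile(r"<(Relationship|Override|Default)\b[^>]*/>")
EXTERNAL = re.compile(r'TargetMode="External"')
HYPERLINK = re.compile(r'Type="[^"]*/hyperlink"')
MACRO_FREE = {  # macro-enabled main-part content type -> macro-free equivalent (Word only here)
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
}


def _external_non_link(element: str) -> bool:
    """External relationship that is not a plain hyperlink (e.g. a remote template)."""
    return bool(EXTERNAL.search(element)) and not HYPERLINK.search(element)


def classify(data: bytes) -> dict:
    """Verdict in F_3: 0 = inactive, 1 = active content present, 2 = suspicious only."""
    if data.startswith(OLE_MAGIC):
        # Policy assumption: a legacy .doc/.xls container is treated as active outright
        return {"level": 1, "findings": ["active: legacy OLE2 container"]}
    if not data.startswith(ZIP_MAGIC):
        return {"level": 2, "findings": ["suspicious: unknown magic number"]}
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                findings.append("suspicious: no [Content_Types].xml")
            for name in names:
                if ACTIVE_PART.search(name):
                    findings.append(f"active: part {name}")
                elif name.endswith(".rels") or name == "[Content_Types].xml":
                    text = zf.read(name).decode("utf-8", "replace")
                    if "macroEnabled" in text:
                        findings.append(f"active: macro-enabled content type in {name}")
                    for m in ELEMENT.finditer(text):
                        if _external_non_link(m.group(0)):
                            findings.append(f"suspicious: external target in {name}")
    except zipfile.BadZipFile:
        return {"level": 2, "findings": ["suspicious: ZIP magic but unreadable archive"]}
    level = 1 if any(f.startswith("active") for f in findings) else (2 if findings else 0)
    return {"level": level, "findings": findings}


def neutralise(data: bytes) -> bytes:
    """Rewrite an OOXML package without its active parts, the relationship and
    content-type entries that reference them, and non-hyperlink external targets."""
    if not data.startswith(ZIP_MAGIC):
        raise ValueError("only OOXML packages are rewritten; convert legacy files first")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if ACTIVE_PART.search(name):
                continue                                # drop the part itself
            body = src.read(name)
            if name.endswith(".rels") or name == "[Content_Types].xml":
                text = body.decode("utf-8", "replace")
                for macro, plain in MACRO_FREE.items():  # .docm main part -> .docx
                    text = text.replace(macro, plain)
                text = ELEMENT.sub(lambda m: "" if ACTIVE_WORD.search(m.group(0))
                                   or _external_non_link(m.group(0)) else m.group(0), text)
                body = text.encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue()


def build_sample(macro: bool = True, remote_template: bool = False) -> bytes:
    """Constructed minimal Word package; the VBA part is a bare CFB header, no code."""
    pkg = "http://schemas.openxmlformats.org/package/2006"
    rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    macro_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    rels = [f'<Relationship Id="rId1" Type="{rel}/hyperlink" Target="https://example.org/" TargetMode="External"/>']
    if macro:
        rels.append('<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>')
    if remote_template:
        rels.append(f'<Relationship Id="rId3" Type="{rel}/attachedTemplate" Target="http://example.org/t.dotm" TargetMode="External"/>')
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{pkg}/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
            + f'<Override PartName="/word/document.xml" ContentType="{macro_ct if macro else MACRO_FREE[macro_ct]}"/></Types>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{pkg}/relationships">{"".join(rels)}</Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>',
        **({"word/vbaProject.bin": OLE_MAGIC + bytes(64)} if macro else {}),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Filtering at the packaging layer only removes code the document would carry or fetch; it does nothing against an exploit aimed at the reader's parser of the remaining XML parts, and PDF and legacy OLE2 files need converters of their own. That is where a transformation into a genuinely inactive format, as the abstract proposes, goes further than this filter.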

Corresponding author

Correspondence to Eric Filiol.

Cite this article

Dechaux, J., Filiol, E. Proactive defense against malicious documents: formalization, implementation and case studies. J Comput Virol Hack Tech 12, 191–202 (2016). https://doi.org/10.1007/s11416-015-0259-6

Keywords

  • Boolean Function
  • Active Content
  • Magic Number
  • Office Document
  • Malicious Code