Traditional signature-based malware detectors identify malware by scanning untrusted binaries for distinguishing byte sequences or features. Features unique to malware are maintained in a signature database, which must be continually updated as new malware is discovered and analyzed. Signature-based malware detection generally enforces a static approximation of some desired dynamic (i.e., behavioral) security policy.
For example, access control policies, such as those that prohibit code injections into operating system executables, are statically undecidable and can therefore only be approximated by any purely static decision procedure such as signature-matching.
A signature-based malware detector approximates these policies by identifying syntactic features that tend to appear only in binaries that exhibit policy-violating behavior when executed.
This approximation is both unsound and incomplete in that it is susceptible to both false positive and false negative classifications of some binaries.
For this reason signature databases are typically kept confidential, since they contain information that an attacker could use to craft malware that the detector would mis-classify as benign, defeating the protection system. The effectiveness of signature-based malware detection thus depends on both the comprehensiveness and confidentiality of the signature database.
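To make the preceding paragraphs concrete, the following is an added example (not code from the paper or its authors): a toy signature-based scanner with a small signature database, run over constructed sample "binaries" with ground-truth labels standing in for the dynamic policy. It shows the static approximation producing one false positive (a benign file that merely embeds the signature bytes as data) and one false negative (a family not yet in the database), and how a database update removes the false negative but not the false positive. All signature patterns, family names and sample bytes are constructed for illustration.

```python
# Added example (not from the paper): a toy signature-based scanner that
# makes the abstract's point concrete. Every signature and "binary" here
# is constructed sample data, not a real malware indicator.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # distinguishing byte sequence extracted by an analyst


@dataclass
class SignatureDatabase:
    """The confidential signature database the text describes."""
    signatures: list = field(default_factory=list)

    def add(self, name: str, pattern: bytes) -> None:
        self.signatures.append(Signature(name, pattern))

    def scan(self, data: bytes) -> list:
        """Return the names of all signatures whose pattern occurs in data."""
        return [s.name for s in self.signatures if s.pattern in data]


def classify(db: SignatureDatabase, data: bytes) -> str:
    """Purely static decision: a binary is 'malicious' iff some signature matches."""
    return "malicious" if db.scan(data) else "benign"


# Constructed samples: (label, bytes, truly_malicious). The third field stands
# in for the dynamic policy ("does it inject code when run?") that a static
# scanner can only approximate.
SIG_A = b"\x7fSIG\x01\x02\x03"  # constructed byte sequence for family A
SIG_B = b"\x7fSIG\x09\x08\x07"  # constructed byte sequence for family B

SAMPLES = [
    ("family_A_sample", b"\x7fELF" + b"\x00" * 8 + SIG_A + b"\x00" * 8, True),
    # A benign file that embeds the same bytes as inert data (e.g. an analyst's
    # report) triggers a false positive.
    ("benign_report_quoting_sig_a", b"Report: " + SIG_A + b" seen in the wild", False),
    # A newly discovered family B sample is a false negative until an analyst
    # extracts its signature and updates the database.
    ("family_B_sample", b"\x7fELF" + b"\x00" * 8 + SIG_B + b"\x00" * 8, True),
    ("clean_tool", b"\x7fELF" + b"\x00" * 8 + b"hello" + b"\x00" * 8, False),
]


def build_initial_db() -> SignatureDatabase:
    """Database as it stands before family B has been analysed."""
    db = SignatureDatabase()
    db.add("Sample.Family.A", SIG_A)
    return db


def evaluate(db: SignatureDatabase, samples=SAMPLES) -> dict:
    """Count true/false positives and negatives against the ground-truth labels."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _, data, truly_malicious in samples:
        flagged = classify(db, data) == "malicious"
        if flagged and truly_malicious:
            counts["tp"] += 1
        elif flagged and not truly_malicious:
            counts["fp"] += 1
        elif not flagged and truly_malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    db = build_initial_db()
    print("before update:", evaluate(db))  # one FP and one FN: unsound and incomplete
    db.add("Sample.Family.B", SIG_B)      # analyst adds the new signature
    print("after update: ", evaluate(db))  # FN gone, but the FP remains
```

The `evaluate` counts are the practical reading of "unsound and incomplete": the false positive persists no matter how many signatures are added, because the scanner decides on syntax rather than on what the binary does when executed, while every false negative is only closed by the analysis-and-update loop the text describes.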
File Type: PDF
File Size: 166 KB
Total Pages: 18