A technique for detecting malicious documents based on calculation of vector spaces

doi:10.7523/j.issn.2095-6134.2010.2.019

›› 2010, Vol. 27 ›› Issue (2): 267-274.DOI: 10.7523/j.issn.2095-6134.2010.2.019

• Research Articles • Previous Articles Next Articles

A technique for detecting malicious documents based on calculation of vector spaces

LI Wei¹, SU Pu-Rui², SHI Yun-Feng³

1. Graduate University of the Chinese Academy of Sciences,Beijing 100049,China;
2. Institute of Software, Chinese Academy of Sciences,Beijing 100190,China;
3. Department of Computer Science and Technology, Tsinghua University,Beijing 100084,China

Received:2009-08-04 Revised:2009-12-01 Online:2010-03-15

Abstract

Abstract:

Through a comprehensive analysis of the attack way, composition structure, and attack code of malicious documents, we present a detecting method based on the mathematical statistics and vector computation, and make targeted improvements for a typical deformation means. We tested 119 documents using this algorithm, and the results show that, compared with conventional detection software, this algorithm detects a malicious document with low fail-to-report rate and low false alarm rate.

Key words: malicious file, mathematical statistics, vector space

CLC Number:

TP309.5

LI Wei, SU Pu-Rui, SHI Yun-Feng. A technique for detecting malicious documents based on calculation of vector spaces[J]. , 2010, 27(2): 267-274.

References

[1] Kumar S, Spafford E H. A generic virus scanner in c+ + //Proceedings of the 8th Computer Security Applications Conference, 1992:210-219.

[2] Sulaiman A, Ramamoorthy K, Mukkamala S,et al. Malware examiner using disassembled code(MEDiC) . Systems, Man and Cybernetics (SMC) Information Assurance Workshop,2005.

[3] Kanzaki Y, Monden A, Nakamura M, et al. Exploiting self-modification mechanism for program protection //Proc of the 27th Annual International Computer Software and Applications Conference, 2003:170-181.

[4] Bertrand A, Matias M, Koen D B. A model for self-modifying code //The 8th Information Hiding Conference. Berlin Heidelberg,2007:232-248.

[5] Cmelik B,Keppel D. Shade: A fast instruction-set simulator for execution profiling //Proceedings of the 1994 ACM SIGMETRICS Conference on Measurement and Modeling of Computer Systems. Nashville, Tennessee, United States,1994:128-137.

[6] Thomas E D. Metamorphism as a software protection for non-malicious Code
[J]. Air Force Inst Technology, 2006:8-11.

[7] Christodorescu M, Kinder J, Jha S,et al.Malware normalization .University of Wisconsin, Madison, USA,2005.

[8] Sekar R, Bendre M, Bollineni P,et al. A fast automaton-based approach for detecting anomalous program behaviors //IEEE Symposium on Security and Privacy. 2001:144.

[9] Hofmeyr S, Forrest S, Somayaji A. Intrusion detection using sequences of system calls
[J]. Journal of Computer Security, 1998:151-180.

[10] Wespi A,Dacier M, Debar H. Intrusion detection using variable-length audit trail patterns
[J].LNCS 1907, 2000:110-129.

[11] Wang Y M,Beck D, Vo B, et al. Detecting stealth software with strider ghostbuster //Proceedings of the 2005 International Conference on Dependable Systems and Networks. 2005:368-377.

[12] Forrest S, Perelson A S, Allen L, et al. Self-nonself discrimination //Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy. 1994:202.

[13] Schechter S E, Jung J, Berger A W. Fast detection of scanning worms infections //Proceedings of Seventh International Symposium on Recent Advances in Intrusion Detection(RAID).French Riviera,France, 2004.

A technique for detecting malicious documents based on calculation of vector spaces

PDF (PC)

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 1

Recommended Articles

Metrics

Comments