Architecture of malware detector for obfuscated code inspection

Lee Ling Chuan, Mahamod Ismail, Kasmiran Jumari, Chan Lee Yee

Research output: Contribution to journal › Article

Abstract

Signature-based malware detection is a fundamental technique that detects malware by generating signatures. The detection, however, is unable to detect obfuscated malware unless a pre-generated signature is stored in the database. In this paper, we propose a combination of known-packer detection, an unpacking module, and heuristic scanning techniques to find and block a malicious program before it manages to execute locally. Unpacking is the process of stripping packer layers and restoring the original contents. This module contains self-decryption script bodies that are devised to detect and extract the hidden code bodies of obfuscated malware. Hence, the scanning process deals only with the real malware body, not with junk blocks or junk subroutine code. This paper also describes the implementation and evaluation of our virus-scanning mechanisms. Finally, we present experimental results of our proposed techniques, and the results show that our test set is highly accurate.
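The pipeline the abstract describes starts with known-packer detection and falls back to heuristics when no signature matches. The following is an added example, not code from the paper, showing what that front end looks like at the PE-header level: it parses the section table, matches the entry-point bytes against a simplified PEiD-style UPX signature (an assumption; real signature databases are larger and wildcard-rich), and then applies structural heuristics that still fire when the packer is unknown: a writable-and-executable entry section, an entry point outside the first section, a section with no raw data reserved for the unpacked image, and high entropy at the entry point. Both PE images are constructed inline; the unpacking and emulation stage the paper describes is not implemented here.

```python
import math
import random
import struct
from collections import namedtuple

MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
Section = namedtuple("Section", "name virtual_size virtual_address raw_size raw_offset characteristics")

# Assumption: a simplified PEiD-style entry-point signature; None is a wildcard byte.
# The classic UPX x86 stub opens with pushad / mov esi,imm32 / lea edi,[esi+imm32] / push edi / or ebp,-1 / jmp +0x10.
PACKER_SIGNATURES = {
    "UPX": [0x60, 0xBE, None, None, None, None, 0x8D, 0xBE, None, None, None, None,
            0x57, 0x83, 0xCD, 0xFF, 0xEB, 0x10],
}

def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section]) from the DOS, COFF, optional and section headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4                                                 # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                               # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                             # IMAGE_SECTION_HEADER, 40 bytes each
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, roff = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, vsize, va, rsize, roff, struct.unpack_from("<I", data, off + 36)[0]))
    return entry_rva, sections

def rva_to_offset(rva, sections):
    """Map an RVA to (file offset, Section); packers leave VirtualSize > SizeOfRawData, so span the larger."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s.raw_offset + (rva - s.virtual_address), s
    return None, None

def shannon_entropy(buf):
    """Bits per byte: compressed or encrypted code approaches 8.0, plain x86 code sits well below 7."""
    n = len(buf)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf)))

def inspect_pe(data):
    """Step 1: known-packer signature at the entry point. Step 2: structural heuristics."""
    entry_rva, sections = parse_pe(data)
    report = {"packer": None, "heuristics": [], "entropy": 0.0}
    ep_off, ep = rva_to_offset(entry_rva, sections)
    if ep is None:
        report["heuristics"].append("entry point lies outside every section")
        return report
    for name, sig in PACKER_SIGNATURES.items():
        chunk = data[ep_off:ep_off + len(sig)]
        if len(chunk) == len(sig) and all(p is None or p == b for p, b in zip(sig, chunk)):
            report["packer"] = name
    if ep.characteristics & MEM_WRITE and ep.characteristics & MEM_EXECUTE:
        report["heuristics"].append(f"{ep.name}: entry section is writable and executable")
    if ep is not sections[0]:
        report["heuristics"].append(f"{ep.name}: entry point is not in the first section")
    for s in sections:
        if s.raw_size == 0 and s.virtual_size >= 0x1000:           # room reserved for the unpacked image
            report["heuristics"].append(f"{s.name}: no raw data but {s.virtual_size:#x} virtual bytes")
    ent = shannon_entropy(data[ep.raw_offset:ep.raw_offset + ep.raw_size])
    report["entropy"] = round(ent, 2)
    if ent > 7.0:                                                  # assumed threshold
        report["heuristics"].append(f"{ep.name}: entropy {ent:.2f} looks compressed or encrypted")
    return report

def build_pe(sections, entry_rva, bodies):
    """Constructed sample image, not a real binary: headers, section table, raw data from 0x400."""
    img = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))                    # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    img += struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    for s in sections:
        img += struct.pack("<8sIIIIIIHHI", s.name.encode(), s.virtual_size, s.virtual_address,
                           s.raw_size, s.raw_offset, 0, 0, 0, 0, s.characteristics)
    img = img.ljust(0x400, b"\0")
    for s, body in zip(sections, bodies):
        if s.raw_size:
            img[s.raw_offset:s.raw_offset + s.raw_size] = body.ljust(s.raw_size, b"\0")[:s.raw_size]
    return bytes(img)

RWX, RX = MEM_READ | MEM_WRITE | MEM_EXECUTE, MEM_READ | MEM_EXECUTE
UPX_STUB = bytes([0x60, 0xBE, 0x00, 0x90, 0x41, 0x00, 0x8D, 0xBE, 0x00, 0x80, 0xFE, 0xFF,
                  0x57, 0x83, 0xCD, 0xFF, 0xEB, 0x10])
_rng = random.Random(1)                                            # stands in for a compressed payload
PACKED = build_pe([Section("UPX0", 0x10000, 0x1000, 0, 0, RWX),
                   Section("UPX1", 0x2000, 0x11000, 0x1000, 0x400, RWX)], 0x11000,
                  [b"", UPX_STUB + bytes(_rng.getrandbits(8) for _ in range(0x1000 - len(UPX_STUB)))])
BENIGN = build_pe([Section(".text", 0x200, 0x1000, 0x200, 0x400, RX)], 0x1000,
                  [b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 0x50])        # push ebp / mov ebp,esp / xor eax,eax / pop ebp / ret

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("benign", BENIGN)):
        print(label, inspect_pe(image))
```

Running it prints one report per image: the constructed UPX-style file yields `packer == "UPX"` plus all four heuristics, the plain `.text` file yields no packer and no heuristics. The 7.0 entropy threshold and the 0x1000 virtual-size floor are assumed values that a scanner would tune against its own corpus. In the architecture the abstract describes, a signature hit is a routing decision (hand the file to the matching unpacker) while heuristic hits without a signature route to the generic unpacking and emulation path before heuristic scanning of the recovered body.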

Original language: English
Pages (from-to): 59-69
Number of pages: 11
Journal: Journal of Theoretical and Applied Information Technology
Volume: 49
Issue number: 1
Publication status: Published - 2013

Fingerprint

Malware
Inspection
Detector
Detectors
Scanning
Packers
Signature
Module
Subroutines
Test Set
Viruses
Virus
Architecture
Heuristics
Evaluation
Experimental Results

Keywords

  • Disassembler
  • Emulator
  • Malware detector
  • Obfuscated
  • Unpacking

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Architecture of malware detector for obfuscated code inspection. / Chuan, Lee Ling; Ismail, Mahamod; Jumari, Kasmiran; Yee, Chan Lee.

In: Journal of Theoretical and Applied Information Technology, Vol. 49, No. 1, 2013, p. 59-69.

Research output: Contribution to journal › Article

Chuan, Lee Ling ; Ismail, Mahamod ; Jumari, Kasmiran ; Yee, Chan Lee. / Architecture of malware detector for obfuscated code inspection. In: Journal of Theoretical and Applied Information Technology. 2013 ; Vol. 49, No. 1. pp. 59-69.
@article{5f61d52cf714477eb19d3b3a7dbe140a,
title = "Architecture of malware detector for obfuscated code inspection",
abstract = "Signature-based malware detection is a fundamental technique that detects malware by generating signatures. The detection, however, is unable to detect obfuscated malware unless a pre-generated signature is stored in the database. In this paper, we propose a combination of known-packer detection, an unpacking module, and heuristic scanning techniques to find and block a malicious program before it manages to execute locally. Unpacking is the process of stripping packer layers and restoring the original contents. This module contains self-decryption script bodies that are devised to detect and extract the hidden code bodies of obfuscated malware. Hence, the scanning process deals only with the real malware body, not with junk blocks or junk subroutine code. This paper also describes the implementation and evaluation of our virus-scanning mechanisms. Finally, we present experimental results of our proposed techniques, and the results show that our test set is highly accurate.",
keywords = "Disassembler, Emulator, Malware detector, Obfuscated, Unpacking",
author = "Chuan, {Lee Ling} and Mahamod Ismail and Kasmiran Jumari and Yee, {Chan Lee}",
year = "2013",
language = "English",
volume = "49",
pages = "59--69",
journal = "Journal of Theoretical and Applied Information Technology",
issn = "1992-8645",
publisher = "Asian Research Publishing Network (ARPN)",
number = "1",

}

TY - JOUR

T1 - Architecture of malware detector for obfuscated code inspection

AU - Chuan, Lee Ling

AU - Ismail, Mahamod

AU - Jumari, Kasmiran

AU - Yee, Chan Lee

PY - 2013

Y1 - 2013

N2 - Signature-based malware detection is a fundamental technique that detects malware by generating signatures. The detection, however, is unable to detect obfuscated malware unless a pre-generated signature is stored in the database. In this paper, we propose a combination of known-packer detection, an unpacking module, and heuristic scanning techniques to find and block a malicious program before it manages to execute locally. Unpacking is the process of stripping packer layers and restoring the original contents. This module contains self-decryption script bodies that are devised to detect and extract the hidden code bodies of obfuscated malware. Hence, the scanning process deals only with the real malware body, not with junk blocks or junk subroutine code. This paper also describes the implementation and evaluation of our virus-scanning mechanisms. Finally, we present experimental results of our proposed techniques, and the results show that our test set is highly accurate.

AB - Signature-based malware detection is a fundamental technique that detects malware by generating signatures. The detection, however, is unable to detect obfuscated malware unless a pre-generated signature is stored in the database. In this paper, we propose a combination of known-packer detection, an unpacking module, and heuristic scanning techniques to find and block a malicious program before it manages to execute locally. Unpacking is the process of stripping packer layers and restoring the original contents. This module contains self-decryption script bodies that are devised to detect and extract the hidden code bodies of obfuscated malware. Hence, the scanning process deals only with the real malware body, not with junk blocks or junk subroutine code. This paper also describes the implementation and evaluation of our virus-scanning mechanisms. Finally, we present experimental results of our proposed techniques, and the results show that our test set is highly accurate.

KW - Disassembler

KW - Emulator

KW - Malware detector

KW - Obfuscated

KW - Unpacking

UR - http://www.scopus.com/inward/record.url?scp=84876068710&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84876068710&partnerID=8YFLogxK

M3 - Article

VL - 49

SP - 59

EP - 69

JO - Journal of Theoretical and Applied Information Technology

JF - Journal of Theoretical and Applied Information Technology

SN - 1992-8645

IS - 1

ER -