Design and development of a new scanning core engine for malware detection

Lee Ling Chuan, Chan Lee Yee, Mahamod Ismail, Kasmiran Jumari

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

2 Citations (Scopus)

Abstract

Malware is man-made malicious code, created for manipulative and destructive purposes. The increasing dependence on today's Internet and other communication networks has made malware a major threat to many computer users. The threat can infiltrate computers using a variety of methods, such as hidden functionality in regular programs, drive-by downloads from unsafe web sites, attacks against known software vulnerabilities, and more. In this paper, an architecture for a modern malware scanning engine is proposed and presented. A known-packer detector and remover is proposed to be built on top of the core engine. Before the malware scanning engine begins, detection of known packers has to be performed; if a known packer is detected, a dedicated decryption routine strips out the packer protection. Our malware detection core engine approach is based on the integration of a static heuristic scanner, an emulator and a disassembler. The static heuristic scanner detects malicious programs via byte-signature identification: it statically extracts the contents of an executable file and compares the suspect code against dedicated viral signatures. The emulator can execute the arbitrary code of an instance and trace the instance body's code inside a virtual environment; it can be used to combat any protection code, regardless of the complexity of the protection algorithm. The disassembler module works simultaneously with the emulator to analyze the executed code, so that fragments of malicious code within the decrypted virus body can be detected through the execution. Through this study, we hope to help security researchers understand our defense approach and give some directions for future research.

Original language: English
Title of host publication: APCC 2012 - 18th Asia-Pacific Conference on Communications: "Green and Smart Communications for IT Innovation"
Pages: 770-774
Number of pages: 5
DOI: https://doi.org/10.1109/APCC.2012.6388212
Publication status: Published - 2012
Event: 18th Asia-Pacific Conference on Communications: "Green and Smart Communications for IT Innovation", APCC 2012 - Jeju Island
Duration: 15 Oct 2012 to 17 Oct 2012

Other

Event: 18th Asia-Pacific Conference on Communications: "Green and Smart Communications for IT Innovation", APCC 2012
City: Jeju Island
Period: 15/10/12 to 17/10/12

Fingerprint

  • Packers
  • Engines
  • Scanning
  • Viruses
  • Virtual reality
  • Telecommunication networks
  • Websites
  • Malware
  • Internet
  • Detectors

Keywords

  • disassembler
  • emulator
  • malware detection
  • Static heuristic

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

Chuan, L. L., Yee, C. L., Ismail, M., & Jumari, K. (2012). Design and development of a new scanning core engine for malware detection. In APCC 2012 - 18th Asia-Pacific Conference on Communications: "Green and Smart Communications for IT Innovation" (pp. 770-774). [6388212] https://doi.org/10.1109/APCC.2012.6388212
