Abstract
Paper Title: Malware Detection with Dynamic Blacklisting

Author(s): Dmitry Gryaznov (USA), Sr. Research Architect, McAfee Avert Labs.

Time: 12 December, Friday, 13:25 - 14:05.
Today over 20,000 new malware samples appear every day. This flood of new malware simply cannot be processed by human analysts. Some kind of automated processing, classification and adding at least detection, if not repair, is necessary. At the same time the majority of modern malware is static: a particular piece of malware does not change over time and stays binary-identical. This eliminates the need for reverse engineering and detailed analysis in search of suitable byte sequences to detect; such malware files can be detected with a secure hash like MD5, SHA-1, etc. Thus the "malware signature database" becomes a database of secure hashes, the "black list".

This still leaves the problem of determining whether a particular sample is indeed malware or not. And with many thousands of new pieces of malware appearing every day, updates to our "black list" have to be automatic, very frequent, and delivered to the end user ideally within minutes or even seconds of any new malware being added to the "black list".

The paper presents several automated ways of classifying samples as malware and adding them to the "black list". A fast, almost real-time update delivery mechanism is presented as well. Advantages and drawbacks of detecting malware with such a black list are discussed, and a warning to comparative reviewers is given.
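As an added illustration (not code from the paper or from McAfee), the following Python sketch shows the two ideas the abstract rests on: a hash blacklist that matches static samples exactly, with an incremental update feed so a client can pull only the entries added since its last version, and the main drawback, namely that a sample differing by a single byte is no longer matched. The sample bytes are constructed stand-ins, not real malware, and SHA-256 is used here in place of the MD5/SHA-1 the abstract mentions.

```python
import hashlib

# Constructed stand-in "files"; no real malware involved.
KNOWN_BAD = b"MZ\x90\x00constructed-sample-A"
NEAR_VARIANT = KNOWN_BAD + b"\x00"   # same sample with one byte appended


def sha256_hex(data: bytes) -> str:
    """Secure hash of a whole file; the blacklist stores these, not byte patterns."""
    return hashlib.sha256(data).hexdigest()


class HashBlacklist:
    """Server-side black list with an append-only update log for incremental delivery."""

    def __init__(self):
        self.hashes = set()
        self.log = []            # (version, hash) pairs, in insertion order

    def add_sample(self, data: bytes) -> str:
        """Classify-and-add step: once a sample is judged malware, its hash is published."""
        h = sha256_hex(data)
        if h not in self.hashes:
            self.hashes.add(h)
            self.log.append((len(self.log) + 1, h))
        return h

    def delta_since(self, version: int) -> list:
        """Entries a client at `version` still needs; this is the near-real-time update."""
        return [(v, h) for v, h in self.log if v > version]


class Client:
    """End-user side: keeps a local copy of the hashes and pulls deltas from the server."""

    def __init__(self):
        self.hashes = set()
        self.version = 0

    def pull(self, server: HashBlacklist) -> int:
        delta = server.delta_since(self.version)
        for v, h in delta:
            self.hashes.add(h)
            self.version = max(self.version, v)
        return len(delta)

    def is_blacklisted(self, data: bytes) -> bool:
        return sha256_hex(data) in self.hashes


def demo():
    server, client = HashBlacklist(), Client()
    server.add_sample(KNOWN_BAD)
    pulled = client.pull(server)            # client receives exactly one new hash
    exact = client.is_blacklisted(KNOWN_BAD)        # static sample: detected
    variant = client.is_blacklisted(NEAR_VARIANT)   # one byte changed: missed
    return pulled, exact, variant
```

Run `demo()` to see the exact-match hit and the one-byte-variant miss side by side.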