A Similarity based Technique for Detecting Malicious Executable files for Computer Forensics

Jun-Hyung Park, Minsoo Kim, Bong-Nan Noh, J. Joshi
DOI: 10.1109/IRI.2006.252411 (https://doi.org/10.1109/IRI.2006.252411)
Venue: 2006 IEEE International Conference on Information Reuse & Integration
Publication date: 2006-12-04
Citations: 14

Abstract

With the rapidly increasing complexity of computer systems and the sophistication of hacking tools and techniques, there is a crucial need for computer forensic analysis techniques. Very few techniques exist to support forensic analysis of unknown executable files. The existing techniques primarily inspect executable files to detect known signatures or are based on metadata information. A key goal of such forensic investigation is to identify malicious executable files that hackers might have installed in a targeted system. Finding such malware in a compromised system is difficult because it is hard to identify the purpose of the fragments of executable files. In this paper, we present a similarity-based technique that analyzes targeted executable files to identify malware present in a compromised system. The technique involves assigning a similarity value to the fragments of executable files present in a compromised hard disk against a set of source files. We present some results based on the comparison of assembly instruction sequences of well-known hacking tools with those of various executable files, and suggest various ways to reduce false positives.