Researchers borrow DNA tricks to identify malware's genetic code


Few computer users will have failed to notice the proliferation of malware that threatens their systems. But while malware writers have grown increasingly sophisticated in their attacks, our ability to fight them off still largely relies on defence strategies developed decades ago: signature-based antivirus tools, which learn to spot tell-tale clues in malware's source code and flag a file as malicious when they find them.

Now a group of researchers in New Zealand have come up with a biology-inspired method for detecting 'genetic' characteristics of malware, so that new variants can be recognised even before a signature for them has been built.

Ajit Narayanan and Yi Chen of the School of Computing & Mathematical Sciences, Auckland University of Technology, Auckland, New Zealand, reasoned that data mining techniques might be used to improve antivirus defences by judging whether a particular program was likely to be benign or potentially malware.

“One of the problems in applying automatic data mining techniques to malware code directly, even if it is available, is the variable length of the code, since most data mining and other machine learning techniques assume fixed length sequences with a column representing measurements of the same variable across many samples,” they explain in their research paper.

To get round this problem, the researchers developed a technique to turn malware hexadecimal signatures into amino acid representations. They then used established protein modelling systems to analyse the malware.
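To make the idea concrete, here is an added Python illustration (not the researchers' code): each hex nibble of a signature is mapped to an amino-acid letter, and two signatures are then compared with Smith-Waterman local alignment, the standard protein-alignment algorithm, so a variant with bytes inserted in the middle still scores close to the original despite the length difference. The nibble table, the scoring values and the sample signatures are all constructed assumptions for this demo.

```python
# Added illustration of the hex-to-amino-acid idea described above.
# The residue table, scores and sample signatures are assumptions for
# this demo, not the paper's actual scheme.

# Assumed mapping: each hex nibble 0-f becomes one of 16 amino-acid letters.
RESIDUES = "ACDEFGHIKLMNPQRS"


def hex_to_residues(hex_sig: str) -> str:
    """Turn a hex signature such as '0f 1e 2d' into a residue string."""
    digits = [ch for ch in hex_sig.lower() if ch in "0123456789abcdef"]
    return "".join(RESIDUES[int(d, 16)] for d in digits)


def smith_waterman(a: str, b: str, match=2, mismatch=-1, gap=-2) -> int:
    """Local alignment score; gaps let sequences of different length line up."""
    prev = [0] * (len(b) + 1)   # previous DP row, column 0 is the empty prefix
    best = 0
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            diag = prev[j - 1] + (match if ca == cb else mismatch)
            up, left = prev[j] + gap, cur[j - 1] + gap
            cur.append(max(0, diag, up, left))  # 0 restarts the local alignment
            best = max(best, cur[j])
        prev = cur
    return best


def similarity(hex_a: str, hex_b: str) -> float:
    """Alignment score normalised by the best self-score of the shorter input."""
    ra, rb = hex_to_residues(hex_a), hex_to_residues(hex_b)
    ceiling = 2 * min(len(ra), len(rb))
    return smith_waterman(ra, rb) / ceiling if ceiling else 0.0


# Constructed sample signatures (not taken from any real malware): a base
# sequence, a variant with two bytes inserted, and an unrelated sequence.
BASE = "0f 1e 2d 3c 4b 5a 69 78 87 96"
VARIANT = "0f 1e 2d 3c 4b 90 90 5a 69 78 87 96"
OTHER = "ff ff ee ee dd dd cc cc bb bb"

if __name__ == "__main__":
    print("base vs variant:", round(similarity(BASE, VARIANT), 2))  # 0.8
    print("base vs other:  ", round(similarity(BASE, OTHER), 2))
```

A fixed-width byte comparison would see the variant as a completely different string after the insertion point; the alignment score shows why the variable-length problem the authors describe largely disappears once the data is treated as a sequence.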

They tested the system on the signatures of 60 computer viruses and 60 worms. This showed that the system can be used to create genetic fingerprints for the malware, with far greater accuracy than is currently possible.

The researchers think it may ultimately allow them to build an algorithm that can analyse a program and work out whether it contains malware. The research was submitted to the arXiv repository.

18 Feb 2013
