artificial intelligence in virus detection & recognition
TRANSCRIPT
![Page 1: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/1.jpg)
ARTIFICIAL INTELLIGENCE METHODS INVIRUS DETECTION & RECOGNITION
INTRODUCTION TO HEURISTIC SCANNING
AHMAD AL I . A09409002
S7 CSE
![Page 2: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/2.jpg)
PRESENTATION OUTLINE
IntroductionFundamentals of malware
Metaheuristics in Virus Detection & Recognition
Heuristic scanning theoryLacks in specific detection
Heuristic scanning conception
Recognizing potential threat
Coping with anti-heuristic mechanisms
Towards accuracy improvement
Summary
![Page 3: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/3.jpg)
MALWARE
Malware (malicious software) is a software designed to infiltrate or damage a computer system without the owner's informed consent.
![Page 4: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/4.jpg)
MALWARE TYPES
It is important to be aware that nevertheless all of them have similar purpose, each one behave differently.
VirusesWormsWabbitsTrojan horsesExploits/BackdoorsRootkitsKey loggers/DialersHoaxes
![Page 5: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/5.jpg)
INFECTION STRATEGIES
Nonresident viruses: The simplest form of viruses which don't stay in memory, but infect founded executable file and search for another to replicate.
Resident viruses: More complex and efficient type of viruses which stay in memory and hide their presence from other processes.
Fast infectors: Type which is designed to infect as many files as possible.
Slow infectors: Using stealth and encryption techniques to stay undetected outlast.
![Page 6: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/6.jpg)
MetaheuristicMetaheuristic is a heuristic method which combines user-given black-box procedures in a hopefully efficient way. Metaheuristics are generally applied to problems for which there is no satisfactory problem-specific algorithm or heuristic.
HeuristicHeuristic is a method to solve a problem, commonly an informal method. It is particularly used to rapidly come to a solution that is reasonably close to the best possible
answer, or 'optimal solution'...
![Page 7: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/7.jpg)
GENERAL METAHEURISTICS
Pattern matching
Automatic learning
Environment emulation
Neural networks
Data mining
Bayes networks
Hidden Markov models
and other...
List below shows main metaheuristics used for virus detection and recognition:
![Page 8: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/8.jpg)
LACKS IN SPECIFIC DETECTION
The number of viruses increases rapidly.
The number of virus mutants increases.
The development of polymorphic viruses.
Viruses directed at a specific organization or company.
There are two basic methods to detect viruses - specific and generic.
Why is generic detection gaining importance? There are four reasons:
![Page 9: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/9.jpg)
BB ?2 B9 10 01 81 37 ?2 81 77 02 ?2 83 C3 04 E2 F2
Specific detection methods like signature scanning became very efficient ways of detecting known threats.
Finding specific signature in code allows scanner to recognize every virus which signature has been stored in built-in database.
FireFly virus signature(hexadecimal)
![Page 10: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/10.jpg)
BB ?2 B9 10 01 81 37 ?2 81 A1 D3 ?2 01 C3 04 E2 F2
Problem occurs when virus source is changed by a programmer or mutation engine.
Signature is being malformed due to even minor changes.
Virus may behave in an exactly same way but is undetectable due to new, unique signature.
Malformed signature(hexadecimal)
![Page 11: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/11.jpg)
HEURISTIC SCANNING CONCEPTION
Q: How to recognize a virus without any knowledge about its internal structure?
A: By examining its behavior and characteristics.
![Page 12: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/12.jpg)
FIGURE: VIRUS EVOLUTION CHAIN
![Page 13: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/13.jpg)
Heuristic scanning in its basic form is implementation of three metaheuristics:
Pattern matching Automatic learning Environment emulation
Of course modern solutions provide more functionalities but principle stays the same.
![Page 14: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/14.jpg)
The basic idea of heuristic scanning is to examine assembly language instruction sequences(step-by-step)
If there are sequences behaving suspiciously, program can be qualified as a virus.
![Page 15: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/15.jpg)
RECOGNIZING POTENTIAL THREAT
Singular suspicion is never a reason to trigger the alarm.
But if the same program also tries to stay resident and contains routine to search for executables, it is highly probable that it's a real virus.
![Page 16: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/16.jpg)
HEURISTIC SCANNING AS ARTIFICIAL NEURON
Figure: Single-layer classifier with threshold
![Page 17: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/17.jpg)
MALWARE EVOLVES
Viruses started to use various stealth techniques.
This allowed them to be invisible for traditional
scanner.
Moreover, most of them started using real-time
encryption.
![Page 18: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/18.jpg)
Pattern matching is not enough
Why not to create artificial runtime environment to let the virus do its job?
Such approach found implementation in environment emulation engines, which became standard AV software weapon.
![Page 19: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/19.jpg)
VIRTUAL REALITY
Anti-virus program provides a virtual machine with independent operating system and allows virus to perform its routines.
Behavior and characteristics are being continuously examined, while virus is not aware that is working on a fake system.
This leads to decryption routines and revealment of its true nature. Also stealth techniques are useless because whole VM is monitored by AV software.
![Page 20: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/20.jpg)
FALSE POSITIVES & AUTOMATIC LEARNING
HS will blame innocent programs for being potential threats. Such behavior is called false positive.
We must be aware that program is right when rising alarm, because scanned app posses suspicious sequences, we can't blame scanner for failure.
![Page 21: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/21.jpg)
Q: So what can be done to avoid false positives?
A: Automatic learning!
![Page 22: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/22.jpg)
AVOIDING FALSE POSITIVES & IMPROVING ACCURACY
Assume that machine is not infected.
Combine scanning techniques
Definition of (combinations of) suspicious abilities.
Recognition of common program codes
Recognition of specific programs
![Page 23: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/23.jpg)
WHAT CAN BE EXPECTED FROM IT IN THE FUTURE?
The Development Continues
Most anti-virus developers still do not supply a
ready-to-use heuristic analyzer.
Those who have heuristics already available are still
improving it.
![Page 24: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/24.jpg)
SUMMARY
Basically HS is inherited from combination of pattern matching, automatic learning and environment emulation metaheuristics. As a heuristic method it's not 100% effective. So why do we apply HS?
ProsCan detect 'future' threatsUser is less dependent on product updateImproves conventional scanning results
ConsFalse positivesMaking decision after alarm requires knowledge
![Page 25: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/25.jpg)
REFERENCES
Data mining methods for detection of new
malicious executable-MATHEW.G CHU LTZ
Heuristics scanner for Artificial Intelligence-
RIGHARD ZWIENEN DERG
Heuristics Antivirus technology-
FRANSVELDSMAN
![Page 26: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/26.jpg)
Why?...
Questions ?
What if?...
![Page 27: Artificial Intelligence in Virus Detection & Recognition](https://reader034.vdocuments.us/reader034/viewer/2022050921/55500ce6b4c90535638b47d0/html5/thumbnails/27.jpg)
THANK YOU