http://dx.doi.org/10.3745/KIPSTC.2002.9C.5.765

Detection of Unknown Malicious Scripts Using Static Analysis  

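Lee, Seong-Uck (Department of Computer Engineering, Graduate School, Ajou University)
Bae, Byung-Woo (Researcher, Triton Tech Co., Ltd.)
Lee, Hyong-Joon (Graduate School of Information and Communication, Ajou University)
Cho, Eun-Sun (School of Electrical, Electronics and Computer Engineering, Chungbuk National University)
Hong, Man-Pyo (School of Information and Computer Engineering, Ajou University)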
Abstract
Analyzing code with static heuristics is a widely used technique for detecting unknown malicious code. It decides whether code is malicious by searching for fragments that have frequently been found in known malicious code. For script code, however, it searches for sequences of method calls rather than code fragments, because finding such fragments is much more difficult. This technique raises many false alarms, because such method calls can also be used in normal scripts. Thus, static heuristics for scripts are used only to detect malicious behavior consisting of specific method calls that are seldom used in normal scripts. In this paper, we suggest a static analysis that can detect malicious behavior more accurately by considering not only the method calls but also their parameters and return values. The experimental results show that malicious behaviors that were difficult to detect in previous work because of high false-positive rates will be detected by our method.
Keywords
malicious script; malicious code; computer virus; static analysis