Gatekeeper II: new approaches to generic virus prevention
Richard Ford Florida Institute of Technology
Matt Wagner Microsoft Corporation
Jason Michalske Florida Institute of Technology
The need for reliable detection of rapidly spreading worms has never been higher; viruses like SQL/Slammer have proven
that an epidemic can occur far faster than we can react using existing technology. Thus, there has been significant
interest in developing fast and reliable techniques for detecting previously unseen malicious code.
In this paper, we extend the work carried out under the Gatekeeper project, a behavioural virus detection engine with
undo capability. New techniques for achieving higher virus detection rates with lower false positive rates are described
for the first time, and a demonstration of the new Gatekeeper tool is given, showing extremely high detection rates
with low processor overhead and minimal false positives. Directed attacks against Gatekeeper are considered, and
novel defences are described.