Gatekeeper II: new approaches to generic virus prevention

Richard Ford, Florida Institute of Technology
Matt Wagner, Microsoft Corporation
Jason Michalske, Florida Institute of Technology

The need for reliable detection of rapidly spreading worms has never been higher; viruses like SQL/Slammer have proven that an epidemic can occur far faster than we can react using existing technology. Thus, there has been significant interest in developing fast and reliable techniques for detecting previously unseen malicious code.

In this paper, we extend the work carried out under the Gatekeeper project, a behavioural virus detection engine with undo capability. New techniques that raise virus detection rates while lowering false positive rates are described for the first time, and a demonstration of the new Gatekeeper tool is given, showing extremely high detection rates with low processor overhead and minimal false positives. Directed attacks against Gatekeeper are considered, and novel defences against them are described.
