Anti-malware expert system

Kyu-beom Hwang, Deok-young Jung AhnLab

An expert system is a useful approach to analysing malware and other kinds of software. We designed an anti-malware expert system from our compiled research results.

AMES (AhnLab anti-Malware Expert System) consists of automatic static/dynamic analysis systems, malware/non-malware classification technology, and environment analysis. The system helps to minimize human error, such as false positive detections.

Diverse approaches, such as malware auto-analysis systems, malware classification, and static/dynamic analysis technology for malware, have been tried by AV/AM researchers. Inferring malware from function signatures and detecting malware behaviour patterns are among the purposes of AMES. If a sample is malware, AMES generates a detection signature automatically.

Of course, it is difficult to predict all 'malicious' code automatically, but we get useful results using our malware knowledge database. We think that the core technology is able to judge whether code is malware or not, and will be able to classify it accordingly. In the traditional virus case, if a virus-infected program 'A+V' consists of a safe program 'A' and a virus function 'V', then even though almost all of the functions of 'A+V' are not virus functions but the same as those of 'A', our AMES will still treat it as a virus.

The knowledge database holds a great deal of information: analysts' study results, extracted functions, and behavioural information on collected virus and non-virus samples. To build the knowledge database, we designed three categories. The first is a function-based static analysis environment. The second is a virtual-machine-based dynamic analysis system, and the last is a human-based active analysis environment. We designed a generic unpacking method for runtime-packed samples on virtual machines with plug-in runtime debuggers.

The objective of AMES is to help analysts evaluate samples and judge whether malware is a variant or non-malware. AMES uses classification technology and function similarity in collaborative analysis technology. We will make the system more concrete by applying various dynamic analysis technology research in a virtualization environment.
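To make the 'A+V' reasoning above and the variant/non-malware judgement concrete, here is an added example; it is not AMES code or AhnLab's. Functions are represented as constructed mnemonic sequences (a real system would take them from disassembly), the knowledge base and the virus function 'V' are constructed placeholders, and a sample is classified from exact signature hits against known-clean and known-virus functions plus a similarity threshold for variants.

```python
from difflib import SequenceMatcher
import hashlib

def normalize(body):
    # Keep only mnemonics, so operand/address changes (relocation, recompilation)
    # do not change the function signature.
    return [line.split()[0].lower() for line in body]

def signature(body):
    return hashlib.sha256(" ".join(normalize(body)).encode()).hexdigest()[:16]

def similarity(body_a, body_b):
    # Similarity in [0, 1] between two mnemonic sequences.
    return SequenceMatcher(None, normalize(body_a), normalize(body_b)).ratio()

# Constructed data: a clean program 'A' and a placeholder virus function 'V'
# (mnemonics only, not real code).
PROGRAM_A = {
    "main":        ["push ebp", "mov ebp, esp", "call parse_args", "call run", "pop ebp", "ret"],
    "parse_args":  ["push esi", "mov esi, ecx", "cmp byte ptr [esi], 0", "jz done", "inc esi", "pop esi", "ret"],
    "run":         ["push ebx", "xor ebx, ebx", "call work", "test eax, eax", "jnz fail", "pop ebx", "ret"],
    "print_usage": ["push offset msg", "call puts", "add esp, 4", "ret"],
}
FUNCTION_V = ["pushad", "call find_hosts", "mov edi, eax", "rep movsb", "popad", "jmp main"]

# Constructed knowledge base: known-clean function signatures and known virus functions.
KNOWLEDGE_DB = {
    "benign": {signature(b) for b in PROGRAM_A.values()},
    "virus": {"Constructed.V": FUNCTION_V},
}
VARIANT_THRESHOLD = 0.8

def classify(sample):
    """Return (verdict, benign_ratio, virus_matches) for a dict of function bodies."""
    bodies = list(sample.values())
    benign_hits = sum(signature(b) in KNOWLEDGE_DB["benign"] for b in bodies)
    ratio = benign_hits / len(bodies) if bodies else 0.0
    matches = []
    for name, known in KNOWLEDGE_DB["virus"].items():
        best = max((similarity(b, known) for b in bodies), default=0.0)
        if best >= VARIANT_THRESHOLD:
            matches.append((name, round(best, 2)))
    if any(score == 1.0 for _, score in matches):
        verdict = "virus"        # an exact known virus function outweighs any amount of clean code
    elif matches:
        verdict = "variant"      # close to a known virus function, but not identical
    elif ratio == 1.0:
        verdict = "non-malware"  # every function is known-clean
    else:
        verdict = "unknown"      # hand over to human analysis
    return verdict, round(ratio, 2), matches

if __name__ == "__main__":
    print(classify(dict(PROGRAM_A, v=FUNCTION_V)))  # 'A+V': 4 of 5 functions are clean, still a virus
```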


Virus Bulletin