
Non-signature based virus detection

Towards establishing an unknown virus detection technique using SOM

  • Original Paper
  • Journal in Computer Virology

Abstract

This paper presents a non-signature-based virus detection approach using Self-Organizing Maps (SOMs). Unlike classical virus detection techniques that rely on virus signatures, the SOM-based approach can detect virus-infected files without any prior knowledge of signatures. It exploits the fact that virus code is inserted into a complete file that was built by a particular compiler: an untrained SOM is trained in one go on a single virus-infected file, and the SOM projection then shows an area of high-density data that identifies the virus code. The approach has been tested on 790 different virus-infected files, including polymorphic and encrypted viruses. Because it detects viruses without any prior knowledge, e.g. without virus signatures or similar features, it is assumed to be highly applicable to the detection of new, unknown viruses. On the sample set, which as noted includes polymorphic and encrypted viruses, the approach detected 84% of the virus-infected files; the false positive rate was 30%. Combining the classical signature-based technique for known viruses with this SOM-based technique for unknown viruses can make systems even more secure.
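The mechanism the abstract describes, as an added toy illustration that is not the paper's own MATLAB/SOM Toolbox implementation: byte windows of a single file become input vectors, a small Kohonen SOM is trained on that file alone, and the nodes that collect far more hits than average form the high-density area; mapping those hits back to file offsets locates the inserted block. The window size, map size, density threshold and gap tolerance are assumptions of this toy, and the "infected file" is constructed: a host region with a wide byte distribution and an inserted block made deliberately repetitive so that the dense area reliably appears.

```python
"""Toy SOM-based locator for an inserted block inside a file (added example).

1. slide a WINDOW-byte window over the file -> WINDOW-dimensional vectors in [0, 1]
2. train a small Kohonen SOM on those vectors (one training run per file)
3. build a hit histogram: how many windows map to each node
4. nodes with far more hits than average are the "high-density area";
   mapping their hits back to file offsets locates the inserted block
"""
import math
import random

WINDOW = 4          # bytes per input vector (assumption of this toy)
GRID = 6            # SOM is GRID x GRID nodes (assumption)
DENSITY_FACTOR = 3  # node is "dense" when hits > DENSITY_FACTOR * mean hits (assumption)
MAX_GAP = 8         # dense offsets closer than this belong to one region (assumption)


def windows(data: bytes):
    """Yield (offset, vector) pairs: each vector is WINDOW bytes scaled to [0, 1]."""
    for off in range(len(data) - WINDOW + 1):
        yield off, [b / 255.0 for b in data[off:off + WINDOW]]


def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def best_matching_unit(weights, vec):
    """Index of the node whose weight vector is closest to vec (ties -> lowest index)."""
    return min(range(len(weights)), key=lambda i: _dist2(weights[i], vec))


def train_som(vectors, epochs=3, seed=0):
    """Online Kohonen SOM with a Gaussian neighbourhood; learning rate and
    radius decay linearly over the run. Returns the list of node weight vectors."""
    rng = random.Random(seed)
    n = GRID * GRID
    weights = [[rng.random() for _ in range(WINDOW)] for _ in range(n)]
    coords = [(i // GRID, i % GRID) for i in range(n)]
    total = epochs * len(vectors)
    step = 0
    for _ in range(epochs):
        order = list(range(len(vectors)))
        rng.shuffle(order)
        for idx in order:
            vec = vectors[idx]
            frac = step / total
            lr = 0.5 * (1.0 - frac) + 0.01
            radius = (GRID / 2.0) * (1.0 - frac) + 0.5
            br, bc = coords[best_matching_unit(weights, vec)]
            for j, (r, c) in enumerate(coords):
                h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2.0 * radius * radius))
                if h < 1e-3:
                    continue  # node too far from the winner to move noticeably
                w = weights[j]
                for k in range(WINDOW):
                    w[k] += lr * h * (vec[k] - w[k])
            step += 1
    return weights


def locate_dense_region(data: bytes, seed=0):
    """Return (start, end, hits): the byte range of the longest run of offsets whose
    windows land on high-density nodes, plus the per-node hit histogram.
    start and end are None when no node is dense."""
    offs, vecs = zip(*windows(data))
    weights = train_som(list(vecs), seed=seed)
    bmus = [best_matching_unit(weights, v) for v in vecs]
    hits = [0] * len(weights)
    for b in bmus:
        hits[b] += 1
    mean_hits = len(bmus) / len(weights)
    dense = {i for i, h in enumerate(hits) if h > DENSITY_FACTOR * mean_hits}
    dense_offs = [o for o, b in zip(offs, bmus) if b in dense]  # ascending offsets
    if not dense_offs:
        return None, None, hits
    best_start = best_end = run_start = prev = dense_offs[0]
    for o in dense_offs[1:]:
        if o - prev > MAX_GAP:  # gap too large: close the current run
            if prev - run_start > best_end - best_start:
                best_start, best_end = run_start, prev
            run_start = o
        prev = o
    if prev - run_start > best_end - best_start:
        best_start, best_end = run_start, prev
    return best_start, best_end + WINDOW, hits


def constructed_infected_file(seed=1):
    """Constructed sample, not a real executable: 1200 'host' bytes with a wide byte
    distribution, a 300-byte inserted block with a deliberately narrow, repetitive
    distribution, then 300 more host bytes. Returns (data, insert_start, insert_end)."""
    rng = random.Random(seed)

    def host(n):
        return bytes(rng.randrange(256) for _ in range(n))

    inserted = b"\x41\x42" * 150  # constructed 2-byte repeating pattern
    return host(1200) + inserted + host(300), 1200, 1500


if __name__ == "__main__":
    data, ins_start, ins_end = constructed_infected_file()
    start, end, hits = locate_dense_region(data)
    print("densest node hits:", max(hits), "mean:", round(sum(hits) / len(hits), 1))
    print("dense region:", start, "-", end, "| inserted block:", ins_start, "-", ins_end)
```

Running the script reports the densest node's hit count against the map average and the located byte range, which lands on the constructed 1200..1500 block. The repetitive block makes this an easy case; on real compiler output the virus region is far less uniform, which is why the paper's 84% detection rate comes with a 30% false positive rate and why the abstract positions the method as a complement to, not a replacement for, signature scanning.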




Corresponding author

Correspondence to In Seon Yoo.


Cite this article

Yoo, I.S., Ultes-Nitsche, U. Non-signature based virus detection. J Comput Virol 2, 163–186 (2006). https://doi.org/10.1007/s11416-006-0013-1
