MALICIOUS SOFTWARE DETECTION, PROTECTION & RECOVERY METHODS A SURVEY

Abstract

The menace of malicious software is currently causing immense damage in the field of information technology. Although the birth of malicious software cannot be pinpointed exactly, it became a substantial nuisance for IT departments in the mid-90's. Such harmful software normally enters the system unnoticed, and the user does not know when and how it entered. This is because no perfect solution exists for detecting and removing such threats; but if malicious software is in the system, there must be a mechanism able to stop its attacks and prevent its growth so as to protect precious data. The absence of antivirus programs allows malicious software to infect the computer, and if no suitable or reliable software is installed on the system, the user is at grave risk of losing precious data. Therefore, this survey paper discusses the important factors for handling and stabilizing the computer, which will help in adopting suitable software or tools for early detection of malicious software and its attacks, thereby preventing suspicious activities and assuring system protection.
BRIS Journal of Adv. S & T (ISSN. 0971-9563) www.brisjast.com Vol.2 (5):PP.14-23
(DOI: dx.doi.org/14.9831/0971-9563.2014/2-5/BRIS.3)
Keywords: Malicious software, detection, protection, recovery, threats, antivirus programs, suspicious activity.
1. Introduction
Malicious software generally travels with data travelers, email, or any mode of transferring data from one end to another. Some of it possesses the ability to hide itself and replicate. Such software is very dangerous as it makes copies of itself, i.e. 2^n, and these copies are activated whenever the system is rebooted. Malicious software is also called a threat; it travels on the network and destroys important data. Some malicious software spreads independently and some does so through dependence. Some types of malicious software are described below for basic understanding, so that they can first be detected as shown in Fig. 1 and action can later be taken against these threats.
Fig. 1 Malware Detection Working (diagram; box labels: Malware Attack, Generate System Call, Attack Detection, Database Matching, Results)
2. Categories of Malicious Software
Malicious software is categorized into different types for understanding and learning, so as to make it easier to tackle.
2.1 Virus
A virus is a type of malicious software which copies itself into other software, a computer boot sector or a document. This type of malicious software travels over the network or any other data transmission medium and is activated when the related program runs.
2.2 Trojan
The Trojan horse has many types; it has harmful features and is also difficult to detect. Trojans are normally password stealers and key loggers. Trojans do not have the ability to replicate themselves. They travel via email, downloadable files or data transmission media, and they generate huge traffic until the link crashes.
a. Logic Bomb
A logic bomb is a kind of Trojan. It is a piece of programming code. It is very dangerous and can destroy important data, e.g. a letter bomb.
Authors: Muhammad Bilal Mirza, Muhammad Arslan, Syeda Tahseen Fatima Bokhari, Rumsha Zafar and Mudassar Raza
Department of Computer Science, COMSATS Institute of Information Technology, Wah Cantt, Pakistan
b. Time Bomb
A time bomb works like a timer and is triggered when the time strikes on a particular date.
2.3 Spyware
Spyware is also very dangerous, as it collects all the data from a specific location, which could be an organization or a home. It travels over the internet via emails or software, or comes with legitimate applications. It is also called tracking software, and once it is installed on the system it is hard to stop it and recover the lost data.
2.4 Trapdoor
A trapdoor can be likened to a back door. It has the ability to bypass the authentication system. When network administrators design a network they may leave some loopholes, either intentionally or by mistake, and these may facilitate a trapdoor attack.
2.5 Worms
Worms are malicious software which replicate themselves and slow the system down, especially by destroying resources, until the time comes when the system crashes.
2.6 Malware
Malware is harmful software that can infiltrate through the installation of a program. Malware has the ability to hide itself. It is invoked whenever the related application is opened. Malware can be part of other malicious software, e.g. a Trojan, virus or spyware.
3. Malicious Software Domain And Sub Domains
Malicious software is a large domain and is divided into further sub-domains as shown in Fig. 2; different fields are separated by the nature of their work. For better understanding, we have categorized the malicious software domain into three branches: Detection, Protection and Recovery. This paper discusses detection, protection and recovery methods.
Fig. 2 Domain and Sub-Domains (diagram; box labels: Malicious Software, Detection, Analysis, Recovery, Protection, Stopping Execution, System Call, Backup, Data Integrity, Denial of Services)
4. Malicious Software Detection
In this section we discuss different methods for malicious code detection; their analysis is given in Table 1.
4.1 FIST Method
The Fault Injection Analysis approach is used for analyzing the vulnerabilities and risks related to security-critical applications. It activates whenever a security-critical application executes on the system; if any suspicious or abnormal behavior is identified, the respective location is forwarded for further processing. A program P is connected with the Fault Injection Security Tool (FIST) [1] in conjunction with a security policy, which holds the knowledge base for vulnerable programs. Whenever the security policy is violated the fault injection engine is activated, so that the vulnerable program is halted and forwarded to further processing, while the software which was the hazard can now be executed safely.
4.2 Neural Networks Technique
This technique describes how employing neural networks [2] is perfect for detection of anomalous or unknown threats. The method explains how unknown threats can be detected by training a neural network and applying it to any software to check its individual behavior. The broad idea of the technique is to check every single node on the network individually and use the method to examine the detection level.
4.3 Using HTTP Proxy Server
This method detects malicious programs with pre- and post-applet scanners that run on an HTTP proxy server [3]. Whether for the internet or for a local area network, in both places the detection is static or run time. The ActiveX control of the browser can directly access resources, e.g. a LAN printer, and this could be a cause of malicious code spreading over the network. The scanner works on the HTTP proxy server and needs no client configuration, meaning that it works standalone and monitors suspicious activity while scanning.
4.4 PEAT Method
This technique was developed for examining Portable Executable (PE) files to detect whether a malicious program has affected a Windows file while compiling. A toolkit called PEAT [4] (Portable Executable Analysis Toolkit) is provided to detect and analyze the malicious code. PEAT is designed to detect and analyze viruses. It is designed especially for the Microsoft Windows platform, because viruses mostly attack Windows-based file systems as compared to other files.
4.5 Windows Registry Controlling Practice
An algorithm is designed which searches for glitches in the Windows Registry (WR) using PHAD [5] (Packet Header Anomaly Detection). Its important feature is the training of the algorithm, which learns from the behavior of the WR, checks the reference values of the WR in real time and detects abnormality in the WR. When an abnormality is detected, the system raises an alarm for maintenance. The variation in the curve represents the inconsistency of the detection. Here ROC stands for Receiver Operator Characteristics.
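The train-then-check loop described in this section, as an added example (not code from the paper or from the work it cites [5]): a model learns which registry accesses are normal and scores later accesses by how novel they are. The record fields, the scoring rule (n/r for every feature carrying a value never seen in training), the threshold and all sample accesses are assumptions constructed for illustration.

```python
"""Train on normal registry accesses, then score new accesses for novelty."""
from typing import NamedTuple


class Access(NamedTuple):
    process: str   # program making the access
    query: str     # operation, e.g. OpenKey or SetValue
    key: str       # registry key touched
    result: str    # outcome of the operation


# Features checked per access: each single field plus the (process, key) pair,
# so a known program touching a key it never used before is also noticed.
FEATURES = (("process",), ("query",), ("key",), ("result",), ("process", "key"))


class RegistryModel:
    def __init__(self):
        self.seen = {f: set() for f in FEATURES}   # values observed in training
        self.trained = 0                           # n: number of training records

    @staticmethod
    def _value(access, feature):
        return tuple(getattr(access, name) for name in feature)

    def train(self, accesses):
        for access in accesses:
            self.trained += 1
            for feature in FEATURES:
                self.seen[feature].add(self._value(access, feature))

    def score(self, access):
        """Return (score, novel features). A feature whose value was never
        seen adds n / r, where r is the number of distinct values seen for
        it, so novelty in a normally stable feature weighs more."""
        if not self.trained:
            raise ValueError("model has not been trained")
        total, novel = 0.0, []
        for feature in FEATURES:
            if self._value(access, feature) not in self.seen[feature]:
                total += self.trained / len(self.seen[feature])
                novel.append("+".join(feature))
        return total, novel

    def alarms(self, accesses, threshold):
        """Return (access, rounded score, novel features) for each access
        whose score reaches the threshold."""
        raised = []
        for access in accesses:
            total, novel = self.score(access)
            if total >= threshold:
                raised.append((access, round(total, 2), novel))
        return raised


# Constructed sample data (assumption): normal behaviour of two programs.
EXPLORER_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"
WORD_KEY = r"HKCU\Software\Microsoft\Office\Word\Options"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

TRAINING = [
    Access("explorer.exe", "OpenKey", EXPLORER_KEY, "SUCCESS"),
    Access("explorer.exe", "QueryValue", EXPLORER_KEY, "SUCCESS"),
    Access("explorer.exe", "QueryValue", EXPLORER_KEY, "NOTFOUND"),
    Access("explorer.exe", "CloseKey", EXPLORER_KEY, "SUCCESS"),
    Access("winword.exe", "OpenKey", WORD_KEY, "SUCCESS"),
    Access("winword.exe", "QueryValue", WORD_KEY, "SUCCESS"),
    Access("winword.exe", "QueryValue", WORD_KEY, "NOTFOUND"),
    Access("winword.exe", "CloseKey", WORD_KEY, "SUCCESS"),
]

# Constructed accesses observed after training.
LIVE = [
    Access("winword.exe", "QueryValue", WORD_KEY, "SUCCESS"),      # seen before
    Access("winword.exe", "QueryValue", EXPLORER_KEY, "SUCCESS"),  # new process/key pair
    Access("winword.exe", "SetValue", RUN_KEY, "SUCCESS"),         # new query, key and pair
]

if __name__ == "__main__":
    model = RegistryModel()
    model.train(TRAINING)
    for access, total, novel in model.alarms(LIVE, threshold=3.0):
        print(f"ALARM score={total} novel={novel} {access.process} {access.query} {access.key}")
```

Moving the threshold trades missed detections against false alarms, which is the trade-off a ROC curve plots.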
4.6 System Call Pattern
This method detects malicious software by examining the pattern of system calls and, in the upgraded version, by patching instructions into an emulator [6-8] while the software is simulated. The computer system is insulated from malicious activity; the method counts the pattern of system calls and continuously checks the database to compare the system calls. In this way any suspicious behavior of the software is detected, or the software itself signals that its behavior is suspect, and this is reported to the system user. In the upgraded version, when software executes, its emulator runs first; if there is suspicious code or a virus in that program, or the program behaves like malicious code, the emulator informs the system user, because users respond quickly to alerts. Analysis of the generated calls provides information about call intensity, i.e. whether a call is generated for the flow of data, for the related process or for another process; if there is any variation, the user is responsible for avoiding the attack.
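The database-matching step described above and sketched in Fig. 1, as an added example (not code from the paper or from the patents it cites [6-8]): a system-call trace recorded during emulation is cut into sliding windows, each window is looked up in a pattern database, and the calls are also counted by what they act on. The call names, database entries, target classes and traces are all constructed for illustration.

```python
"""Match an emulated program's system-call trace against a pattern database."""
from collections import Counter
from typing import NamedTuple

# Constructed pattern database (assumption): each key is a call sequence the
# emulator treats as suspicious, each value the label reported to the user.
PATTERN_DB = {
    ("open_process", "alloc_remote", "write_remote", "start_remote_thread"):
        "writes code into another process and runs it",
    ("open_file", "read_file", "connect", "send"):
        "reads a file and sends it over the network",
    ("reg_open", "reg_set_autorun"):
        "registers itself to run at boot",
}

# Constructed mapping of calls to what they act on, for the call-intensity
# summary the section mentions (data flow, own process, another process).
CALL_TARGET = {
    "open_file": "data", "read_file": "data", "write_file": "data",
    "connect": "data", "send": "data",
    "reg_open": "data", "reg_set_autorun": "data",
    "alloc_local": "own_process", "exit": "own_process",
    "open_process": "other_process", "alloc_remote": "other_process",
    "write_remote": "other_process", "start_remote_thread": "other_process",
}


class Match(NamedTuple):
    position: int   # index in the trace where the pattern starts
    label: str      # description from the database
    pattern: tuple  # the matched call sequence


def scan_trace(trace, db=PATTERN_DB):
    """Slide a window of each pattern length over the trace and look it up."""
    by_length = {}
    for pattern, label in db.items():
        by_length.setdefault(len(pattern), {})[pattern] = label
    matches = []
    for n, patterns in by_length.items():
        for i in range(len(trace) - n + 1):
            window = tuple(trace[i:i + n])
            if window in patterns:
                matches.append(Match(i, patterns[window], window))
    return sorted(matches)


def call_intensity(trace):
    """Count calls per target class; calls missing from the map stay visible."""
    return Counter(CALL_TARGET.get(call, "unknown") for call in trace)


def verdict(trace, db=PATTERN_DB):
    """Build the report for the user: suspicious flag, matches, intensity."""
    matches = scan_trace(trace, db)
    return {
        "suspicious": bool(matches),
        "matches": matches,
        "intensity": dict(call_intensity(trace)),
    }


# Constructed traces, as an emulator might record them.
BENIGN_TRACE = ["open_file", "read_file", "alloc_local", "write_file", "exit"]
SUSPECT_TRACE = [
    "open_file", "read_file", "connect", "send",
    "open_process", "alloc_remote", "write_remote", "start_remote_thread",
    "exit",
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("suspect", SUSPECT_TRACE)):
        report = verdict(trace)
        state = "suspicious" if report["suspicious"] else "clean"
        print(name, state, report["intensity"])
        for match in report["matches"]:
            print(f"  call #{match.position}: {match.label}")
```

Exact window matching only fires on contiguous calls, so a sequence with unrelated calls interleaved is not reported; the per-class counts still show where the trace's activity is concentrated.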
4.7 Real-Time Worm Detection
This technique is implemented using the FPX (Field-Programmable Port Extender) network platform over FPGA (Field-Programmable Gate Array) hardware [9] [10] for gigabit/second data processing in worm detection. The technique holds that more data can be scanned by using parallel hardware systems instead of software-based techniques. It is a high-speed accelerated system used for scanning for worms and anomalies over the network. The PID is generated in advance by the operating system and stored in processor memory. These are the only ones allowed to be executed by the FPGA.
4.8 Ultimate Trojan Horse Existence And Detection Through Leakage Current Analysis
The ultimate Trojan horse detection is based on the chip's IDDQs (steady-state currents) [11] [12] through leakage current examination. The ultimate Trojan accesses all of the secret information from the computer system while having write-only access to a public network. This means the information is shared among people, which can cause damage in cost or related issues. Regression is applied to the data collected from a set of 65 nm (nanometer) chips for detection of Trojans. This is the limitation of this approach.
4.9 Validation Using Historical Data
The Client Health Validation [13] [14] technique is meant to analyze the health of a client or laptop computer which connects over the network. Each client or laptop computer is treated as one set of historical data, which contains the cookies and the data cached between the server and client. Analysis of this data allows the health of a system to be determined; if suspicious data is found, then the health of the client system is not good.
4.10 Malware Detection Using Hierarchical Hidden Markov Model
Digital signatures are mostly used for detection of malware programs, but this is not a good approach for detecting malware in real time. The cited paper proposes the Hierarchical Hidden Markov Model (HHMM) [15], which provides a better way to detect malware programs.
4.11 Anti-Sniffing Detection
Sniffing techniques help a network administrator to detect errors over the network. An attacker captures packets and steals secret information, for instance an email password. The anti-sniffing technique for packets [16] enables the administrator to detect an attack over the network by any adversary.
4.12 Data Plane of Networks Method
The network attack detection technique [17] identifies vulnerabilities in packets which travel through modern routers. The threats move from one way to another, and they can be a serious menace if they execute arbitrary attack code. These threats disturb the network and stop its services.
| Serial No. | Application | Advantages | Limitations |
|---|---|---|---|
| 1 | Identifying potential vulnerabilities in software using FIST [1] | The advantage is that it observes the anomalous program and related with it. | Not an intellectual way to implement a source file with buffer overflow function and exploits from themselves. |
| 2 | Unknown anomalous Against Programs [2] | How misused programs can be detected, even when an error has occurred in a program. | Cannot find the internal state of anomalous program. |
| 3 | Malicious Code Scanner [3] | No client side configuration is required and no overhead in performance. | - |
| 4 | Detecting and Analyzing Malicious Software by using PEAT [4] | - | If attacker knows the PEAT method it can be bypassed. |
| 5 | Detecting malicious software by monitoring Windows Registry PHAD [5] | Able to identify all process either attacked or not | Windows registry based |
| 6 | Analyzing patterns of system calls generated during emulation [6-8] | Enhancing the user skilled for adopting the new invention | Complexity increased |
| 7 | Hardware-Accelerated Real-time Worm Detection FPGA [9] | System is proficient in detection and returning of worms in real time. | Special Hardware systems are required |
| 8 | Advanced-Hardware-Assisted Detection of Malicious Program in Embedded System [10] | Minor support of hardware to permit attack detection in real time. | - |
| 9 | Trojan Detection through Leakage Current Analysis [11] [12] | Detection sensitivity very high | insignificant current differences are not likely using Conventional global power signal analysis methods. |
| 10 | Malware Detection Using Hierarchical Hidden Markov Model [15] | Large no. of malware can be detected efficiently | - |

Table 1 Malicious Code Detection Methods Comparison Table
5. Malicious Software Protection
In this section we describe methods of protection from malicious software; they are compared in Table 2.
5.1 Protection Domains in a Single Address Space
In the surveyed work, conditional, data scoping, address space and memory protection [18] [19] are the mechanisms used to prevent malicious software. The flexible and static software protection mechanism works with the system kernel and is based on the assumption of assertion.
5.2 PCASSO Approach
In this technique several approaches, e.g. physical protection of authenticating information, execution control, graphical displays and co-existing programs [20-22], are highlighted. The PCASSO design works in two ways: first, it minimizes its reliance on the client environment for ensuring security; second, where exposure cannot be avoided, more cost is required to secure personal data. PCASSO applies advanced security technologies with the objective of covering the existing World-Wide Web, so that it can be used by healthcare workers and their patients to view person-identifiable data. This approach checks both the equipment of security and the sociology of healthcare in an age where patients are given online access to their own medical data.
5.3 Cryptography in Computer Viruses
Attackers use cryptography [23] [24] in their attacks to increase complexity and make the attacks harder to detect. Encryption of computer viruses is a kind of polymorphism, in which the virus changes form as it spreads. In conclusion, cryptography can play an important role in detecting those viruses which are encrypted with known encryption schemes, while in some situations cryptography can protect from difficulties, and it can be enhanced by using various methods.
5.4 Protection of Software-Based Survivability Mechanisms
In the surveyed paper a systematic introduction of users is given in combination with a "break-down" of program control-flow, transforming high-level control transfers to indirect addressing by using pointers and self-checksumming [25] [26]. As a result, the problem of protecting reliable software from unreliable hosts is important for many serious functions in up-to-date networks. The self-checksumming procedures can use self-modifying code to detect violations of the von Neumann assumptions.
5.5 Memory Protection Mechanism
Efficient message passing and memory access protection is
mountable in shared memory multiprocessing computer
systems, blend of integration extra subsystems without
decreasing the main application’s availability and scaling in
flash memories and dynamic RAM (DRAM) [27-29]. The performance impact is evaluated using a cycle-accurate simulator with SPEC2006 programs. The technique is limited to the PCM setting and can also be applied to future memory technology, like malicious software protection.
5.6 Digital Signature With Trusted Computed Platform Technology Against Attacks By Trojan Horses
This technique concerns internet-based commercial and administrative applications, a progressively common target of attacks [30-32]. In conclusion, regarding the first problem, nearly all systems rely on the SSL/TLS/WTLS protocols. Though similar solutions would be promising, this is certainly the most popular alternative, as it is available in all common Web browsers. From a cryptographic point of view, SSL/TLS/WTLS has proven to be an almost secure protocol. Regarding the second problem, fixed passwords are still most generally used, as they are easy to use. Since a security
5.7 Protecting Data from Malicious Software
This is a model-based Windows implementation that reports malicious software threats to user data by covering the current set of file-access permissions [33] [34]. In conclusion, this prototype technique delivers a unique solution for protection from malicious software within an optional access control environment.
5.8 Virus Wars: Fewer Attacks, New Threats
Malware cracks systems, removes data and sends private documents to unauthorized addressees. It runs programs which turn PCs into zombies for use in distributed denial-of-service attacks [35]. That trend will continue as malware progressively develops into a carrier for back doors and data stealers.
5.9 Protection in Dynamically Reconfigurable Hardware
This approach deals with internet worms and viruses at G-bits/sec rates using the Field-programmable Port Extender (FPX). Flexible mechanisms implemented in Field Programmable Gate Array (FPGA) [9, 10] [36] logic on the FPX process packet headers and scan for signatures of malicious software carried in packet data. The approach uses programmable logic devices to examine Internet traffic for malicious code at high speeds.
5.10 Preventing Execution of Potentially Malicious Software
This approach gives protection against installing and/or executing malicious software on client computers [37] [38]. A software distributor distributes the software to client computers for installation authority of any software. The tool works on an authentication procedure; for this purpose it uses the authority certificate to examine the relevant constraints. This approach is strong in protecting against the spread of malicious code on the network.
5.11 A Generic Attack on Check Summing-Based Software Tamper Resistance
The attractive features of checksumming are the ability to verify the integrity of software independently of the external support environment, and the capability to automatically integrate checksumming code during program compilation or networking. The surveyed paper shows that recent processors, including UltraSparc [39-41] and x86-compatible processors, facilitate automatic attacks which defeat such checksumming by self-checking programs.
5.12 Commercial Antivirus Software Effectiveness
An empirical study assessed the efficiency of recent antivirus program offerings against malware; it quantified the fraction of malware successfully detected [42-45] as well as the reviewing time and the time needed to do so. The approach also verified the software's responses to the malware's effects. The results suggest that, despite performance-based detection, antivirus software cannot effectively detect all current forms of malware. Nonetheless, performance-based detection increases the degree of system protection.
5.13 Hardware-Assisted Run-Time Monitoring For Secure Program Execution
The surveyed paper presents an approach that addresses this problem from a different viewpoint. It defines correct execution as being identical [46-48] with the way the program was intended to run, and uses a dedicated hardware monitor to detect and prevent unintended program behavior. Precisely, the properties of an embedded program are obtained through static program analysis and used as the basis for enforcing permitted program behavior at run time. In conclusion, the approach emphasizes that cost is the only considerable issue affecting implementation of this method at large scale.
5.14 Unified Model Computer Threat Protection
It is necessary to protect precious data from malicious code from time to time. When new threats attack the system, the UMCTP [49] method provides the concept of latest updates and updates the antivirus database, which helps to fight viruses newly created by attackers.
5.15 Password Attacks And Comparative Analysis
To avoid password security being compromised, this approach [50] emphasizes using different password schemes together. As a result, it is difficult to break the password. However, the brute force attack will increase exponentially.
5.16 Protection Against Phishing Attacks
Phishing attacks steal credentials such as email, passwords, credit card information, etc. The APPLE [51] technique protects users from fake websites and secures their important personal data while the user is exploring webpages over the internet.
| Serial No. | Application | Advantages | Limitations | Results |
|---|---|---|---|---|
| 1 | Protection domains in a single address space [19] | Protection before the execution of malicious code | Memory space required | Result explains the right method to prevent the malicious. |
| 2 | Patient-Centered Access to Secure Systems Online PCASSO [20-22] | World-wide web access with efficient protection for individual patients | - | Protection enabled across the WWW access from anywhere for each user level. |
| 3 | Cryptography Prevent Computer Viruses [23] | Cryptography in viruses, in anti-virus application, and in overall security systems, for apply to viruses and associated intimidations. | Only works against the known encryption schemes | Protection is strong and better than others, against encrypted viruses attacked by the hacker. |
| 4 | Strengthening software self-check summing via self-modifying code [25] | Checksum provides the quick decision making power in threat protection | - | Hard to lose the strengthening of the software after employing the (SSCSMC) |
| 5 | Protecting the creation of digital signatures with trusted computing platform technology against attacks by Trojan horse programs [30] | A trusted computing base, for identifying mechanisms of the signatory's computer that can check the reliability | Works for only Trojan horse program (THP) | Trojan horse programs violate a file's integrity that can be prevented with only a few measures. |
| 6 | Protecting data from malicious software [33-34] | Exclusive solution to the recognized problem of monitoring malicious software within a flexible access control situation | Limitation with file process and a possibly malicious file operation are required | Works fine with file process. |
| 7 | Internet worm and virus protection in dynamically reconfigurable hardware [35] | Block of malicious, protecting copyright and documentation and management of digital transaction. | - | Better results on high-speed network. |

Table 2 Malicious Software Protection Approaches Comparison
6. Malicious Software Recovery Techniques
In this section we define the recovery approaches for data which is corrupted by a malicious attack.
6.1 Recovery Assertions from a Fault Injection-Based
According to this approach, a fault injection-based technique is used for damaging the capability of software components to produce unwanted outputs [52] [53] into the state of the system. Adverse results are any class of outputs that a component must not issue into the state of the system given its current situation. The components of the software are called "failure-tolerant" if they issue desired results irrespective of the programmer liabilities, possible malicious code in data, and data fixed beside the component. In conclusion, there are weaknesses in the approach; essentially, assured access to definitions of unwanted system behavior is required.
6.2 Recovering from Malicious Transactions
This approach concerns the serious stage of an attack on a strong database [54] [55]. Malicious protection systems monitor system or network activity to detect attempts at intrusion or to check for illegal changes in the systems. Approaches to malicious protection can be roughly categorized as being based either on statistical profiles or on known patterns of attacks. In conclusion, this is recognized as the most difficult of attack recoveries, and private and reliable repair algorithms are developed; each algorithm has two types, a static algorithm and a dynamic algorithm, and both work fine.
6.3 Recovering from a Trojan Horse or Virus
This is a framework for automatically eradicating malware from systems and repairing any harm it has caused. The key goal of this technique is to preserve system reliability [56-58]. The approach achieves these goals by observing untrusted programs, cataloguing their processes, and using the logs to eliminate malware and to repair infected data.
6.4 Boot Record Recovery
This method performs a boot record recovery for a computer system upon retrieval of a recovery flag set in the BIOS, which indicates that the MBR has been copied securely [59-61]. In conclusion, this approach is considered worthy and trusted; the master boot record is saved on the hard disk and can be restored when the current one is affected by malicious code.
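The save, flag and restore cycle described in this section, as an added example (not code from the paper or from the works it cites [59-61]) that runs against a disk image file instead of a real disk. The file names, the JSON state file that stands in for the BIOS recovery flag, the SHA-256 check and the sample image are assumptions constructed for illustration.

```python
"""Save a verified copy of the boot sector and restore it if it changes."""
import hashlib
import json
import os

SECTOR = 512                   # size of the master boot record
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid boot sector


def read_mbr(disk_path):
    with open(disk_path, "rb") as disk:
        return disk.read(SECTOR)


def _valid(sector):
    return len(sector) == SECTOR and sector.endswith(BOOT_SIGNATURE)


def backup_mbr(disk_path, store_dir):
    """Copy sector 0 to the store; set the recovery flag once the copy verifies."""
    mbr = read_mbr(disk_path)
    if not _valid(mbr):
        raise ValueError("refusing to back up a sector without the 55 AA signature")
    os.makedirs(store_dir, exist_ok=True)
    copy_path = os.path.join(store_dir, "mbr.bak")
    with open(copy_path, "wb") as copy:
        copy.write(mbr)
        copy.flush()
        os.fsync(copy.fileno())
    # Read the copy back before setting the flag, so the flag only ever says
    # "copied securely" about bytes that really are in the store.
    digest = hashlib.sha256(mbr).hexdigest()
    with open(copy_path, "rb") as copy:
        verified = hashlib.sha256(copy.read()).hexdigest() == digest
    # state.json stands in for the BIOS recovery flag (assumption).
    with open(os.path.join(store_dir, "state.json"), "w") as fh:
        json.dump({"recovery_flag": verified, "sha256": digest}, fh)
    return verified


def check_and_recover(disk_path, store_dir):
    """Return 'no-backup', 'backup-corrupt', 'intact' or 'restored'."""
    try:
        with open(os.path.join(store_dir, "state.json")) as fh:
            state = json.load(fh)
        with open(os.path.join(store_dir, "mbr.bak"), "rb") as copy:
            saved = copy.read()
    except FileNotFoundError:
        return "no-backup"
    except ValueError:                     # state file is not valid JSON
        return "backup-corrupt"
    if not state.get("recovery_flag"):
        return "no-backup"
    if not _valid(saved) or hashlib.sha256(saved).hexdigest() != state.get("sha256"):
        return "backup-corrupt"            # never write an unverified copy to sector 0
    if hashlib.sha256(read_mbr(disk_path)).hexdigest() == state["sha256"]:
        return "intact"
    with open(disk_path, "r+b") as disk:   # overwrite sector 0 only
        disk.seek(0)
        disk.write(saved)
        disk.flush()
        os.fsync(disk.fileno())
    return "restored"


def make_image(path, sectors=4):
    """Constructed disk image: a boot sector ending in 55 AA plus data sectors."""
    mbr = b"\xfa" + bytes(SECTOR - 3) + BOOT_SIGNATURE
    with open(path, "wb") as disk:
        disk.write(mbr + b"\x11" * SECTOR * (sectors - 1))
    return mbr


def demo(workdir):
    """Run the scenario on a constructed image; return the status after each step."""
    disk = os.path.join(workdir, "disk.img")
    store = os.path.join(workdir, "store")
    original = make_image(disk)
    steps = [check_and_recover(disk, store)]       # nothing saved yet
    backup_mbr(disk, store)
    steps.append(check_and_recover(disk, store))   # boot sector unchanged
    with open(disk, "r+b") as fh:                  # simulate an overwritten boot sector
        fh.write(b"\xeb" * SECTOR)
    steps.append(check_and_recover(disk, store))
    steps.append("match" if read_mbr(disk) == original else "mismatch")
    return steps


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(demo(tmp))
```

The check refuses to restore from a copy whose hash or boot signature no longer matches, so a damaged backup cannot replace the boot sector.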
6.5 Exec Recorder Method
Variations in complete-system replay for a single processor are supervised by recording and replaying architectural events. To limit the amount of recorded data, the non-deterministic architectural events are identified and encrypted efficiently. The Exec Recorder [62-64] is a full-system, VM-based record and replay framework for post-attack inspection and recovery. It significantly reduces the amount of recorded data by recording the pulse or time change for an occurrence and the complete timing value of the location. Moreover, while an input event can be categorized by its control and bytes only, a replay typically needs factual information about the input in order to replicate the event suitably.
7. Conclusion
In this paper, malicious code activities are delineated and their effects on computer systems are analyzed. Damage to data and stealing of confidential information have been classified as severe issues. The first part of this paper describes the detection of malicious software. Several methods are used for detecting malicious code, and it is found that the malicious code scanner and the program product for detecting malicious software are better than the other methods explained in the comparison. The second part covers protection against malicious code once it is detected; different methods are used to protect against the occurrence of vulnerabilities. Cryptography applications protect the computer from viruses, worms and Trojans. Protection applications that provide a key for dynamically reconfigurable hardware and software against malicious code are compared, which helps in choosing the most suitable solution for the problem at hand. The third part of the paper explains what should be done in case detection and protection fail. For this purpose data recovery methods are examined, which encourages choosing a solution for the related problem. The paper helps in deciding on the best approach according to need, whether that relates to malicious software detection, protection or data recovery from the influence of malicious code.
REFERENCES
[1]. Ghosh, Anup K., Tom O'Connor, and Gary McGraw. "An
automated approach for identifying potential vulnerabilities in
software." In Security and Privacy, 1998. Proceedings. 1998
IEEE Symposium on, pp. 104-114. IEEE, 1998.
[2]. Ghosh, Anup K., James Wanken, and Frank Charron.
"Detecting anomalous and unknown intrusions against
programs." In Computer Security Applications Conference,
1998. Proceedings. 14th Annual, pp. 259-267. IEEE, 1998.
[3]. Ji, Shuang. "Computer network malicious code scanner."
U.S. Patent 5,983,348, issued November 9, 1999.
[4]. Weber, Michael, Matthew Schmid, Michael Schatz, and
David Geyer. "A toolkit for detecting and analyzing malicious
software." In Computer Security Applications Conference,
2002. Proceedings. 18th Annual, pp. 423-431. IEEE, 2002.
[5]. Apap, Frank, Andrew Honig, Shlomo Hershkop, Eleazar
Eskin, and Sal Stolfo. "Detecting malicious software by
monitoring anomalous windows registry accesses." In Recent
Advances in Intrusion Detection, pp. 36-53. Springer Berlin
Heidelberg, 2002.
[6]. Muttik, Igor. "Detecting malicious software by analyzing
patterns of system calls generated during emulation." U.S.
Patent 6,775,780, issued August 10, 2004.
[7]. Muttik, Igor, and Duncan V. Long. "Detecting computer
viruses or malicious software by patching instructions into an
emulator." U.S. Patent 6,907,396, issued June 14, 2005.
[8]. Chess, David M., and James S. Luke. "System, method
and program product for detecting malicious software." U.S.
Patent Application 10/696,200, filed October 28, 2003.
[9]. Madhusudan, Bharath, and John W. Lockwood. "A
hardware-accelerated system for real-time worm detection."
Micro, IEEE 25, no. 1 (2005): 60-69.
[10]. Rahmatian, Mehryar, Hessam Kooti, Ian G. Harris, and
Elaheh Bozorgzadeh. "Hardware-Assisted Detection of
Malicious Software in Embedded Systems." Embedded
Systems Letters, IEEE 4, no. 4 (2012): 94-97.
[11]. Franz, Michael. "Containing the ultimate trojan horse."
Security & Privacy, IEEE 5, no. 4 (2007) 52-56.
[12]. Aarestad, Jim, Dhruva Acharyya, Reza Rad, and Jim
Plusquellic. "Detecting Trojans Through Leakage Current
Analysis Using Multiple Supply Pads." Information Forensics
and Security, IEEE Transactions on 5, no. 4 (2010): 893-904.
[13]. Kaditz, Jeffrey, Bashar J. Kachachi, and Joel M.
Soderberg. "Client Health Validation Using Historical Data."
U.S. Patent Application 11/738,898, filed April 23, 2007.
[14]. Kaditz, Jeffrey, Bashar J. Kachachi, and Joel M.
Soderberg. "Client health validation using historical data."
U.S. Patent 7,720,965, issued May 18, 2010.
[15]. Muhaya, Fahad Bin, Muhammad Khurram Khan, and
Yang Xiang. "Polymorphic Malware Detection Using
Hierarchical Hidden Markov Model." In Dependable,
Autonomic and Secure Computing (DASC), 2011 IEEE Ninth
International Conference on, pp. 151-155. IEEE, 2011.
[16]. Faisal Saleem, Mudassar Raza, Muhammad Sharif,
Aman Ullah Khan “ANTI SNIFFING TECHNIQUE FOR
PACKET National Conference on Information Technology
Present Practices and Challenges, Asia-Pacific Institute of
Management, New Delhi, India, August 31 - September 1,
2007.
[17]. Chasaki, Danai, and Tilman Wolf. "Attacks and defenses
in the data plane of networks." Dependable and Secure
Computing, IEEE Transactions on 9, no. 6 (2012): 798-810.
[18]. Bershad, Brian N., Stefan Savage, Przemyslaw Pardyak,
David Becker, Marc Fiuczynski, and Emin Gun Sirer.
"Protection is a software issue." In Hot Topics in Operating
Systems, 1995.(HotOS-V), Proceedings., Fifth Workshop on,
pp. 62-65. IEEE, 1995.
[19]. Wendorf, James W., Kamlesh Rath, and Dinesh Verma.
"Protection domains in a single address space." U.S. Patent
5,845,129, issued December 1, 1998.
[20]. Masys, Daniel R., and Dixie B. Baker. "Patient-Centered
Access to Secure Systems Online (PCASSO) a secure
approach to clinical data access via the World Wide Web." In
Proceedings of the AMIA Annual Fall Symposium, p. 340.
American Medical Informatics Association, 1997.
[21]. Masys, Daniel R., and Dixie B. Baker. "Protecting
clinical data on Web client computers the PCASSO
approach." In Proceedings of the AMIA Symposium, p. 366.
American Medical Informatics Association, 1998.
[22]. Masys, Daniel, Dixie Baker, Amy Butros, and Kevin E.
Cowles. "Giving Patients Access to Their Medical Records via
the Internet The PCASSO Experience." Journal of the
American Medical Informatics Association 9, no. 2 (2002)
181-191.
[23]. Morar, John F., and David M. Chess. "Can Cryptography
Prevent Computer Viruses?" VIRUS 127 (2000).
[24]. Singh, Prabhat K., and Arun Lakhotia. "Analysis and
detection of computer viruses and worms An annotated
bibliography." SIGPLAN Notices 37, no. 2 (2002) 29-35.
[25]. Wang, Chenxi, Jack Davidson, Jonathan Hill, and John
Knight. "Protection of software-based survivability
mechanisms." In Dependable Systems and Networks, 2001.
DSN 2001. International Conference on, pp. 193-202. IEEE,
2001.
[26]. Giffin, Jonathon T., Mihai Christodorescu, and Louis
Kruger. "Strengthening software self-checksumming via self-
modifying code." In Computer Security Applications
Conference, 21st Annual, pp. 10-pp. IEEE, 2005.
[27]. Weber, Wolf-Dietrich, and Jaspal Kohli. "Memory
protection mechanism for a distributed shared memory
multiprocessor with integrated message passing support." U.S.
Patent 6,212,610, issued April 3, 2001.
[28]. Khan, Akram, Achim Schäfer, and Markus Zetlmeisl.
"Efficient memory-protected integration of add-on software
subsystems in small embedded automotive applications."
Industrial Informatics, IEEE Transactions on 3, no. 1 (2007)
44-50.
[29]. Seong, Nak Hee, Dong Hyuk Woo, and Hsien-Hsin Lee.
"Security refresh protecting phase-change memory against
malicious wear out." Micro, IEEE 31, no. 1 (2011) 119-127.
[30]. Spalka, Adrian, Armin B. Cremers, and Hanno Langweg.
"Protecting the creation of digital signatures with trusted
computing platform technology against attacks by trojan horse
programs." In Proceedings of the IFIP SEC, pp. 403-420.
2001.
[31]. Claessens, Joris, Valentin Dem, Danny De Cock, Bart
Preneel, and Joos Vandewalle. "On the security of today’s
online electronic banking systems." Computers & Security 21,
no. 3 (2002) 253-265.
[32]. Nguyen, Liem, and Jean Pieters. "The Trojan horse
survival tactics of pathogenic mycobacteria in macrophages."
Trends in cell biology 15, no. 5 (2005) 269-276.
[33]. Schmid, Matthew, Frank Hill, and Anup K. Ghosh.
"Protecting data from malicious software." In Computer
Security Applications Conference, 2002. Proceedings. 18th
Annual, pp. 199-208. IEEE, 2002.
[34]. Langweg, Hanno, and Einar Snekkenes. "A classification
of malicious software attacks." In Performance, Computing,
and Communications, 2004 IEEE International Conference
on, pp. 827-832. IEEE, 2004.
[35]. Lawton, George. "Virus wars fewer attacks, new
threats." Computer 35, no. 12 (2002) 22-24.
[36]. Lockwood, John W., James Moscola, Matthew Kulig,
David Reddick, and Tim Brooks. "Internet worm and virus
protection in dynamically reconfigurable hardware." In
Proceedings of the Military and Aerospace Programmable
Logic Device Conference. 2003.
[37]. McCorkendale, Bruce, and Carey S. Nachenberg.
"Preventing execution of potentially malicious software." U.S.
Patent Application 10/359,422, filed February 5, 2003.
[38]. Suh, G. Edward, Jae W. Lee, David Zhang, and Srinivas
Devadas. "Secure program execution via dynamic information
flow tracking." In ACM SIGPLAN Notices, vol. 39, no. 11, pp.
85-96. ACM, 2004.
[39]. Wurster, Glenn, Paul C. van Oorschot, and Anil
Somayaji. "A generic attack on checksumming-based software
tamper resistance." In Security and Privacy, 2005 IEEE
Symposium on, pp. 127-138. IEEE, 2005.
[40]. Shaneck, Mark, Karthikeyan Mahadevan, Vishal Kher,
and Yongdae Kim. "Remote software-based attestation for
wireless sensors." In Security and Privacy in Ad-hoc and
Sensor Networks, pp. 27-41. Springer Berlin Heidelberg,
2005.
[41]. Van Oorschot, Paul C., Anil Somayaji, and Glenn
Wurster. "Hardware-assisted circumvention of self-hashing
software tamper resistance." Dependable and Secure
Computing, IEEE Transactions on 2, no. 2 (2005) 82-92.
[42]. McGraw, Gary. "Software security." Security & Privacy,
IEEE 2, no. 2 (2004) 80-83.
[43]. Gao, Debin, Michael K. Reiter, and Dawn Song. "Gray-
box extraction of execution graphs for anomaly detection." In
Proceedings of the 11th ACM conference on Computer and
communications security, pp. 318-329. ACM, 2004.
[44]. Christodorescu, Mihai, and Somesh Jha. Static analysis
of executables to detect malicious patterns. WISCONSIN
UNIV-MADISON DEPT OF COMPUTER SCIENCES, 2006.
[45]. Filiol, Eric. "Malware pattern scanning schemes secure
against black-box analysis." Journal in Computer Virology 2,
no. 1 (2006) 35-50.
[46]. Arora, Divya, Srivaths Ravi, Anand Raghunathan, and
Niraj K. Jha. "Secure embedded processing through hardware-
assisted run-time monitoring." In Proceedings of the
conference on Design, Automation and Test in Europe-
Volume 1, pp. 178-183. IEEE Computer Society, 2005.
[47]. Arora, Divya, Srivaths Ravi, Anand Raghunathan, and
Niraj K. Jha. "Hardware-assisted run-time monitoring for
secure program execution on embedded processors." Very
Large Scale Integration (VLSI) Systems, IEEE Transactions
on 14, no. 12 (2006) 1295-1308.
[48]. Mao, Shufu, and Tilman Wolf. "Hardware support for
secure processing in embedded systems." Computers, IEEE
Transactions on 59, no. 6 (2010) 847-854.
[49]. Murtaza, Muhammad, Muhammad Sharif, Mudassar
Raza, and Aman Ullah Khan. "A Unified Model for Computer
Threat Protection (UMCTP)." Proceedings of the World
Congress on Engineering and Computer Science - WCECS
2008, October 22 - 24, 2008, San Francisco, USA.
[50]. Raza, Mudassar, Muhammad Iqbal, Muhammad Sharif,
and Waqas Haider. "A Survey of Password Attacks and
Comparative Analysis on Methods for Secure Authentication."
World Applied Sciences Journal 19, no. 4 (2012) 439-444.
[51]. Fahad Ikram, Muhammad Sharif, Mudassar Raza.
"Protecting Users against Phishing Attacks." In 7th CIIT
Workshop on Research in Computing, June 23, 2008, CIIT,
Lahore, Pakistan.
[52]. Voas, Jeffrey. "Building software recovery assertions
from a fault injection-based propagation analysis." In
Computer Software and Applications Conference, 1997.
COMPSAC'97. Proceedings., The Twenty-First Annual
International, pp. 505-510. IEEE, 1997.
[53]. Templeton, Randall F. "Method of managing computer
virus infected files." U.S. Patent 6,401,210, issued June 4,
2002.
[54]. Liu, Peng, Paul Ammann, and Sushil Jajodia. "Rewriting
histories Recovering from malicious transactions." Distributed
and Parallel databases 8, no. 1 (2000) 7-40.
[55]. Park, Joon S., Gautam Jayaprakash, and Joseph
Giordano. "Component integrity check and recovery against
malicious codes." In Advanced Information Networking and
Applications, 2006. AINA 2006. 20th International Conference
on, vol. 2, pp. 5-pp. IEEE, 2006.
[56]. Jablon, David P., and Nora E. Hanley. "Method and
apparatus for assessing integrity of computer system
software." U.S. Patent 5,421,006, issued May 30, 1995.
[57]. Okamoto, Takeshi, and Yoshiteru Ishida. "A distributed
approach against computer viruses inspired by the immune
system." IEICE transactions on communications 83, no. 5
(2000) 908-915.
[58]. Hsu, Francis, Hao Chen, Thomas Ristenpart, Jason Li,
and Zhendong Su. "Back to the future A framework for
automatic malware removal and system repair." In Computer
Security Applications Conference, 2006. ACSAC'06. 22nd
Annual, pp. 257-268. IEEE, 2006.
[59]. Dennis, Lowell B. "Boot record recovery." U.S. Patent
6,792,556, issued September 14, 2004.
[60]. Lai, Yu-Chen. "Recovery method for master boot record
of hard disk drive." U.S. Patent Application 10/920,074, filed
August 17, 2004.
[61]. Cheston, Richard Wayne, Richard Alan Dayan, and
Randall Scott Springfield. "Method and system for master
boot record recovery." U.S. Patent 6,862,681, issued March
1, 2005.
[62]. de Oliveira, Daniela AS, Jedidiah R. Crandall, Gary
Wassermann, S. Felix Wu, Zhendong Su, and Frederic T.
Chong. "ExecRecorder VM-based full-system replay for
attack analysis and system recovery." In Proceedings of the
1st workshop on Architectural and system support for
improving software dependability, pp. 66-71. ACM, 2006.
[63]. Chunlei, Wang, Wen Yan, and Dai Yiqi. "A software
vulnerability analysis environment based on virtualization
technology." In Wireless Communications, Networking and
Information Security (WCNIS), 2010 IEEE International
Conference on, pp. 620-624. IEEE, 2010.
[64]. Wang, Peng, Xiang Zhang, Peilin Hao, and Yu Zhang.
"Towards the multithreaded deterministic replay in program
debugging." In Information Science and Digital Content
Technology (ICIDT), 2012 8th International Conference on,
vol. 1, pp. 139-144. IEEE, 2012.