Behaviour-based Virus Analysis and Detection

PhD Thesis

Sulaiman Amro Al amro

This thesis is submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy

Software Technology Research Laboratory
Faculty of Technology
De Montfort University

May 2013

DEDICATION

To my beloved parents

This thesis is dedicated to my Father, who has been my supportive, motivating and inspiring guide throughout my life, and who has spent every minute of his life teaching and guiding me and my brothers and sisters how to live and be successful. To my Mother for her support and endless love, daily prayers, and for her encouragement and everything she has sacrificed for us. To my Sisters and Brothers for their support, prayers and encouragement throughout my entire life. To my beloved Family: my Wife for her support and patience throughout my PhD, and my little boy Amro, who has changed my life and relieves my tiredness and stress every single day.

ABSTRACT

Every day, the growing number of viruses causes major damage to computer systems, and many antivirus products have been developed to protect against them. Regrettably, existing antivirus products do not provide a full solution to the problems associated with viruses. One of the main reasons is that these products typically rely on signature-based detection: the rapid growth in the number of viruses means that many new signatures must be added to their signature databases every day. These signatures then have to be stored in the computer system, where they consume increasing memory space. Moreover, a large database also slows the search for signatures and hence affects the performance of the system. As the number of viruses continues to grow, ever more space will be needed in the future. There is thus an urgent need for a novel and robust detection technique.

One of the most encouraging recent developments in virus research is the use of formulae, which provide an alternative to classic virus detection methods. The proposed research uses temporal logic and behaviour-based detection to detect viruses. Interval Temporal Logic (ITL) will be used to generate virus specifications, properties and formulae based on the analysis of the behaviour of computer viruses, in order to detect them. Tempura, the executable subset of ITL, will be used to check whether a good or bad behaviour occurs, with the help of the ITL description and system traces. The process will also use AnaTempura, an integrated workbench tool for ITL that supports our system specifications. AnaTempura will offer validation and verification of the ITL specifications and provide runtime testing of these specifications.

DECLARATION

I declare that the work described in this thesis is original work undertaken by me for the degree of Doctor of Philosophy, at the Software Technology Research Laboratory (STRL), at De Montfort University, United Kingdom. No part of the material described in this thesis has been submitted for any award of any other degree or qualification in this or any other university or college of advanced education. I also declare that part of this thesis has been published in some of the following publications.

Sulaiman Amro Al amro

PUBLICATIONS

1. S. Al Amro, K. Aldrawiesh and A. Al-Ajlan. A Comparative Study of Computational Intelligence in Computer Security and Forensics. The 2011 IJCAI Workshop on Intelligent Security (SecArt), 2-9. Barcelona, Spain: AAAI Press, 2011.

2. S. Al Amro and A. Cau. Behaviour-based Virus Detection System using Interval Temporal Logic. The 6th International Conference on Risks and Security of Internet and Systems (CRISIS 2011), 2-9. Timisoara, Romania: IEEE Computer Society, 2011.

3. S. Al Amro, F. Chiclana and D. A. Elizondo. Application of Fuzzy Logic in Computer Security and Forensics. In: Computational Intelligence for Privacy and Security. David Elizondo, Agusti Solanas, Antoni Martinez-Balleste (editors), Springer Series: Studies in Computational Intelligence, 2012.

4. S. Al Amro, F, A. Elizondo, A. Solanas and A. Martínez-Balleste. Evolutionary Computation in Computer Security and Forensics: an Overview. In: Computational Intelligence for Privacy and Security. David Elizondo, Agusti Solanas, Antoni Martinez-Balleste (editors), Springer Series: Studies in Computational Intelligence, 2012.

5. S. Al Amro and A. Cau. Behavioural API based Virus Analysis and Detection. International Journal of Computer Science and Information Security, 10(5):14-22, May 2012.

ACKNOWLEDGMENTS

First of all, all thanks and praise would first go to God (Allah) for all the success. My sincere thanks would go to my supervisor Dr. Antonio Cau for all his support, time and guidance. This thesis would not have been completed without the in-depth discussions and comments from Dr. Antonio. I also would like to thank my second supervisor Dr. Giampaolo Bella and Prof. Hussein Zedan, the head of the STRL, for their insightful comments and advice. My many thanks would go to the Cyber Security Centre (CSC) at De Montfort University for letting me use their Forensics and Security Laboratory to do my analysis, experiments and testing. My special thanks go to Mr. Gareth Lapworth, who is the expert on computer viruses, for his hours and hours of discussions and his help in understanding computer virus analysis tools. My special thanks go to the developers of the Deviare API tool for letting me use their source code to develop my research, especially Mr. Mauro Leggieri for the patience with which he checked and corrected many technical errors. I also would like to thank the other STRL staff who have given me some of their precious time to comment on my work. A special thanks to my assessor Dr. Francois Siewe for his guidance and comments. I also would like to thank all my colleagues at the STRL for the valuable advice and discussions, and a special thanks to my office mate Mr. Fahad Alqahtani.

My sincere thanks would go to all my family (my parents, my wife, my sisters and brothers) for their support and prayers.

Leicester, England, 2013
Sulaiman Al amro

TABLE OF CONTENTS

DEDICATION ........................................ I
ABSTRACT .......................................... II
DECLARATION ....................................... IV
PUBLICATIONS ...................................... V
ACKNOWLEDGMENT .................................... VI
TABLE OF CONTENT .................................. VIII
LIST OF FIGURES ................................... XIII
LISTINGS .......................................... XV
LIST OF TABLES .................................... XVII
LIST OF ACRONYMS .................................. XVIII

Chapter 1 Introduction ............................ 1
1.1 Preface ....................................... 2
1.2 Motivation .................................... 4
1.3 Research Problems ............................. 6
1.4 Research Hypotheses ........................... 6
1.4.1 Hypothesis Testing .......................... 8
1.5 Success Criteria .............................. 9
1.6 Scope of Research ............................. 10
1.7 Research Methodology .......................... 11
1.8 Ethical Principles ............................ 13
1.9 Thesis Outline ................................ 14

Chapter 2 Literature Review ....................... 17
2.1 Introduction .................................. 18
2.2 Background .................................... 18
2.3 Taxonomy of Malicious Software ................ 19
2.4 Computer Viruses ..............................
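The abstract above describes checking system traces against ITL formulae to decide whether a good or bad behaviour occurs. As an added illustration, and not the thesis's own Tempura or AnaTempura code, the following Python evaluates a small set of ITL operators (state formulae, next, chop, always, sometimes) over a finite trace of hooked API calls and uses them to express one constructed "bad behaviour" pattern. The event format, the API names used as states, the sample traces and the infection_pattern formula are all assumptions made for this example; they are not the thesis's specifications and are not real Deviare output.

```python
"""Minimal Interval Temporal Logic (ITL) checker over finite API-call traces.

Added illustration, not the thesis's Tempura/AnaTempura code. An interval is a
finite, non-empty list of states; each state is one hooked API call, recorded
here as a dict (constructed sample data, not real hooking-tool output).
"""
from typing import Callable, Sequence

State = dict
Interval = Sequence[State]
Formula = tuple


def atom(pred: Callable[[State], bool]) -> Formula:
    """State formula: holds on an interval iff pred holds in its first state."""
    return ("atom", pred)


def chop(f: Formula, g: Formula) -> Formula:
    return ("chop", f, g)


def next_(f: Formula) -> Formula:
    return ("next", f)


def always(f: Formula) -> Formula:
    return ("always", f)


def sometimes(f: Formula) -> Formula:
    return ("sometimes", f)


def not_(f: Formula) -> Formula:
    return ("not", f)


def holds(f: Formula, iv: Interval) -> bool:
    """Evaluate ITL formula f over interval iv (requires len(iv) >= 1)."""
    op = f[0]
    if op == "atom":
        return bool(f[1](iv[0]))
    if op == "not":
        return not holds(f[1], iv)
    if op == "next":            # O f: f holds on the interval starting at state 1
        return len(iv) > 1 and holds(f[1], iv[1:])
    if op == "chop":            # f ; g: split at some shared state i
        return any(holds(f[1], iv[:i + 1]) and holds(f[2], iv[i:])
                   for i in range(len(iv)))
    if op == "always":          # [] f: f holds on every suffix interval
        return all(holds(f[1], iv[i:]) for i in range(len(iv)))
    if op == "sometimes":       # <> f: f holds on some suffix interval
        return any(holds(f[1], iv[i:]) for i in range(len(iv)))
    raise ValueError(f"unknown operator {op!r}")


def call(api: str, **match) -> Formula:
    """State predicate: the current event is `api` with the given field values."""
    return atom(lambda s: s.get("api") == api
                and all(s.get(k) == v for k, v in match.items()))


def infection_pattern(path: str) -> Formula:
    """Constructed 'bad behaviour' for one executable (assumption, not a thesis
    formula): it is opened for writing, later written, and later launched.
    Written in ITL as  <> (opened ; (<> written ; <> launched))."""
    opened = call("CreateFileW", path=path, access="GENERIC_WRITE")
    written = call("WriteFile", path=path)
    launched = call("CreateProcessW", path=path)
    return sometimes(chop(opened, chop(sometimes(written), sometimes(launched))))


def executables_touched(trace: Interval) -> list:
    """Executable paths appearing anywhere in the trace, used to instantiate
    the pattern once per file (ITL formulae here carry no free variables)."""
    return sorted({s["path"] for s in trace
                   if str(s.get("path", "")).lower().endswith(".exe")})


def detect(trace: Interval) -> list:
    """Return the executables whose handling in the trace matches the pattern."""
    return [p for p in executables_touched(trace)
            if holds(infection_pattern(p), trace)]


# Constructed sample traces (not captured from any real system).
BENIGN_TRACE = [
    {"api": "CreateFileW", "path": r"C:\Users\alice\report.docx", "access": "GENERIC_READ"},
    {"api": "ReadFile", "path": r"C:\Users\alice\report.docx"},
    {"api": "CreateProcessW", "path": r"C:\Windows\notepad.exe"},
]
SUSPICIOUS_TRACE = [
    {"api": "CreateProcessW", "path": r"C:\Windows\notepad.exe"},
    {"api": "CreateFileW", "path": r"C:\Users\alice\calc.exe", "access": "GENERIC_WRITE"},
    {"api": "WriteFile", "path": r"C:\Users\alice\calc.exe"},
    {"api": "CloseHandle", "path": r"C:\Users\alice\calc.exe"},
    {"api": "CreateProcessW", "path": r"C:\Users\alice\calc.exe"},
]

if __name__ == "__main__":
    print("benign:", detect(BENIGN_TRACE))          # []
    print("suspicious:", detect(SUSPICIOUS_TRACE))  # [calc.exe path]
```

The chop operator is what makes the pattern ordered: each `;` splits the trace at a shared state, so the write must come at or after the open and the launch at or after the write. A pure "sometimes A and sometimes B and sometimes C" formula would also match a benign trace that happens to contain the three calls in a harmless order, which is why the ordering matters for keeping false positives down.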