Detecting Malicious Codes: A Signature-Based Solution

Razvan Bogdan+
"Politehnica" University of Timisoara, Bd. V. Parvan, nr. 2, 300223, Timisoara, Romania
+ razvan.bogdan@cs.upt.ro

2011 International Conference on Computer and Software Modeling, IPCSIT vol. 14 (2011) © (2011) IACSIT Press, Singapore

Abstract. Malicious codes are among the most destructive pieces of software that can attack a computer or network. They are self-duplicating and self-propagating, so their behavior is repetitive and automated. Different methods of detecting such attackers have been proposed. This paper presents a method to detect this software based on the digital signature of the malware. Our aim is to obtain a dedicated detection scheme for different state-of-the-art digital signatures. Such a detection scheme should be optimal from a performance point of view.

Keywords: attacks, malware, detection scheme, intrusion detection, performance

1. Introduction

Malicious codes (malware), such as viruses, worms, Trojan horses and rootkits, are among the most destructive pieces of software that can attack a computer or network. Malicious software such as Beagle, Code Red, Nimda, NetSky and Witty has infected millions of computers [1]. The damage they have caused is estimated at billions of dollars. Such software is self-duplicating and self-propagating, but also repetitive and automated; therefore, by proper means, it can be detected and blocked.

Malware detection techniques fall into two categories, anomaly-based and misuse-based [1]. Anomaly-based techniques are capable of detecting novel threats, but they are error prone and require a significant amount of resources, such as computing power. Misuse-based techniques rely on a specific, known signature for each threat, and studies [1], [5] have demonstrated that this category offers higher performance in terms of resources and time.

A very important problem in the state-of-the-art literature on signature-based malware detection [2], [3] is the increasing number of signatures generated in order to combat potential malware. In 2008 alone, Symantec created over 1.6 million new signatures. Dealing with such a huge amount of data is very demanding in terms of required resources, network scaling and cache utilization [2]. Other research papers [4], [5] address signature-based detection in terms of signature accuracy, but also in terms of the complexity involved in obtaining a given signature. In the same vein, the speed of signature scanning is of particular importance because of the time and resources required to scan a message.

This paper aims at constructing a detection scheme for different signatures, from different types of attacks. These attacks can be targeted at a certain type of file. Our aim is to offer an approach that is efficient in terms of complexity and time and that can detect a group of malicious software. Such a Group Detection Scheme (GDS) can be incorporated into an existing overall Intrusion Detection System (IDS), or an entire IDS can be constructed based on the method proposed in this paper.
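As an added illustration (not code from the paper, and not the GDS it goes on to describe), the following Python sketch shows one standard way a group of signatures can be scanned together: all signatures are compiled into a single Aho-Corasick automaton, so a buffer is scanned in one pass and the cost of the scan grows with the length of the data rather than with the number of signatures in the group. The signature bytes and the sample buffer are constructed placeholders, not real malware indicators.

```python
from collections import deque
# Constructed placeholder signatures (not real malware); family_c's prefix overlaps family_a's tail.
SIGNATURES = {
    "family_a": b"\xde\xad\xbe\xef\x01",
    "family_b": b"eval(base64_decode(",
    "family_c": b"\xef\x01\x02\x03",
}

class GroupScanner:
    """Aho-Corasick automaton: one trie with failure links for the whole signature group."""
    def __init__(self, signatures):
        self.goto, self.output, self.fail = [{}], [set()], [0]  # per state: transitions, names ending here, failure link
        self.lengths = {name: len(sig) for name, sig in signatures.items()}
        for name, sig in signatures.items():      # build the trie of all signatures
            state = 0
            for b in sig:
                if b not in self.goto[state]:
                    self.goto[state][b] = len(self.goto)
                    self.goto.append({}); self.output.append(set()); self.fail.append(0)
                state = self.goto[state][b]
            self.output[state].add(name)
        queue = deque(self.goto[0].values())      # depth-1 states fail back to the root
        while queue:                              # breadth-first failure-link construction
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.output[s] |= self.output[self.fail[s]]   # inherit signatures that end on a suffix
                queue.append(s)

    def scan(self, data):
        """Single pass over data; returns sorted (offset, signature name) pairs."""
        hits, state = [], 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.extend((i + 1 - self.lengths[n], n) for n in self.output[state])
        return sorted(hits)

# Constructed sample buffer: filler with two signature regions embedded (family_a and family_c overlap).
SAMPLE = b"hello " + b"eval(base64_decode(" + b"AAAA" + b"\xde\xad\xbe\xef\x01\x02\x03" + b" tail"

def detect(data, signatures=SIGNATURES):
    return GroupScanner(signatures).scan(data)

print(detect(SAMPLE))  # -> [(6, 'family_b'), (29, 'family_a'), (32, 'family_c')]
```

Adding a signature to the group only grows the automaton; the scan itself still touches each input byte once, which is the property that matters when the signature set reaches the volumes the paper cites.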