Structural analysis of binary executable headers for malware detection optimization

  • Correspondence
Journal of Computer Virology and Hacking Techniques

Abstract

In the context of the OpenDAVFI project (a fork of the French DAVFI initiative, funded by the French Government, whose aim is to give birth to a new-generation, open antivirus engine), different AV filters have been developed and chained to detect both known and unknown malware very accurately while requiring a very limited number of updates. While most AV software uses different static and dynamic detection techniques, mostly based on the general concept of a (static or heuristic) signature, we have observed that many malware do not comply with the Microsoft specifications for the MZ-PE format. In this technical correspondence, we present the structural analysis tests that have been implemented in the DAVFI/OpenDAVFI project. These tests accurately detect malware and therefore greatly reduce the number of samples that have to be analyzed by subsequent modules in our detection chain.
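The abstract's premise is that a file which breaks the documented MZ-PE header rules can be filtered out before any signature or heuristic module runs. The checker below is an added illustration of that idea, not the DAVFI/OpenDAVFI module itself: it applies a handful of rules taken from the Microsoft PE/COFF specification (DOS magic, `e_lfanew` bounds, `PE\0\0` signature, section count, optional header size and `Magic`, `FileAlignment` / `SectionAlignment` constraints, section raw-data ranges) to a byte buffer and returns the list of violations. `build_minimal_pe` constructs a tiny, structurally valid PE32 fixture purely so the code runs offline; it is not a real executable, and the exact rule set the paper's filter uses is not given in the abstract.

```python
import struct

# Layout constants from the Microsoft PE/COFF specification
DOS_HEADER_SIZE = 64          # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C        # offset of the PE header pointer inside the DOS header
FILE_HEADER_SIZE = 20         # sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 40      # sizeof(IMAGE_SECTION_HEADER)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MIN_OPT_SIZE = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}   # optional header without data directories
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
MAX_SECTIONS = 96             # the Windows loader rejects images with more sections


def check_pe_structure(data: bytes) -> list:
    """Return the list of MZ/PE header rules the buffer violates (empty list = structurally compliant)."""
    findings = []
    if len(data) < DOS_HEADER_SIZE:
        return ["file shorter than IMAGE_DOS_HEADER"]
    if data[:2] != b"MZ":
        findings.append("e_magic is not 'MZ'")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        findings.append(f"e_lfanew 0x{e_lfanew:x} does not point at a PE header inside the file")
        return findings
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        findings.append("PE signature missing at e_lfanew")
        return findings

    fh = e_lfanew + 4
    (_machine, nsections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, fh)
    if not 1 <= nsections <= MAX_SECTIONS:
        findings.append(f"NumberOfSections {nsections} outside 1..{MAX_SECTIONS}")
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        findings.append("IMAGE_FILE_EXECUTABLE_IMAGE not set in Characteristics")

    opt = fh + FILE_HEADER_SIZE
    if opt_size < 2 or opt + opt_size > len(data):
        findings.append("SizeOfOptionalHeader points beyond end of file")
        return findings
    magic = struct.unpack_from("<H", data, opt)[0]
    file_align_ok = False
    if magic not in MIN_OPT_SIZE:
        findings.append(f"unknown optional header Magic 0x{magic:x}")
    elif opt_size < MIN_OPT_SIZE[magic]:
        findings.append(f"SizeOfOptionalHeader {opt_size} too small for Magic 0x{magic:x}")
    else:
        # SectionAlignment and FileAlignment sit at the same offsets in PE32 and PE32+
        sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
        # spec: FileAlignment is a power of two in [512, 64K]; SectionAlignment >= FileAlignment
        file_align_ok = 512 <= file_align <= 0x10000 and file_align & (file_align - 1) == 0
        if not file_align_ok:
            findings.append(f"FileAlignment 0x{file_align:x} is not a power of two in [0x200, 0x10000]")
        if sec_align < file_align:
            findings.append("SectionAlignment smaller than FileAlignment")

    # The section table follows the optional header; each raw data range must lie inside the file
    table = opt + opt_size
    for i in range(min(nsections, MAX_SECTIONS)):
        entry = table + i * SECTION_HEADER_SIZE
        if entry + SECTION_HEADER_SIZE > len(data):
            findings.append(f"section table entry {i} truncated")
            break
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, entry)
        label = name.rstrip(b"\0").decode("ascii", "replace") or f"#{i}"
        if raw_size and raw_ptr + raw_size > len(data):
            findings.append(f"section {label} raw data extends past end of file")
        if file_align_ok and raw_ptr % file_align:
            findings.append(f"section {label} PointerToRawData not FileAlignment-aligned")
    return findings


def build_minimal_pe(e_magic=b"MZ", file_alignment=0x200, nsections=1) -> bytes:
    """Constructed test fixture: a minimal PE32 header set with one .text section (not a real binary)."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = e_magic
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_SIZE)       # PE header right after DOS header
    # Machine = 0x014C (i386), SizeOfOptionalHeader = 224, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x014C, nsections, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 32, 0x1000, file_alignment)            # SectionAlignment, FileAlignment
    sections = b"".join(
        struct.pack("<8sIIII", b".text", 0x1000, 0x1000, 0x200, 0x400) + b"\0" * 16
        for _ in range(nsections))
    header = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections
    return header.ljust(0x600, b"\0")                                  # room for .text raw data at 0x400


if __name__ == "__main__":
    for name, sample in [("compliant", build_minimal_pe()),
                         ("ZM magic", build_minimal_pe(e_magic=b"ZM")),
                         ("truncated", build_minimal_pe()[:100]),
                         ("bad FileAlignment", build_minimal_pe(file_alignment=0x300))]:
        print(f"{name:18s} -> {check_pe_structure(sample) or 'no violations'}")
```

A file with a non-empty result can be rejected (or routed to a cheap verdict) before the IAT/EAT and signature stages run, which is the optimisation the abstract describes; a file with an empty result is merely structurally well-formed, not clean, so it still goes through the rest of the chain.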


Fig. 1
Fig. 2
Fig. 3


Corresponding author

Correspondence to Eric Filiol.

Additional information

This research work has been partially funded by the National Fund for the Digital Society in the context of Investissements d’avenir - Grand Emprunt.


About this article

Cite this article

David, B., Filiol, E. & Gallienne, K. Structural analysis of binary executable headers for malware detection optimization. J Comput Virol Hack Tech 13, 87–93 (2017). https://doi.org/10.1007/s11416-016-0274-2

  • DOI: https://doi.org/10.1007/s11416-016-0274-2
