An Improved Process Supervision and Control Method for Malware Detection

Abstract

Most modern-day malware detection methods and algorithms are based on prior knowledge of malware specifications. Discovering new malwares by solely relying on computer based automatic solutions with no human intervention currently appears out of reach. Many malwares never decode harmful parts of their code until the triggering of a specific event. Others detect virtual machine or sandbox environments and hide their true nature. Detecting these kinds of malwares-specifically multi evented ones-are nearly impossible for fully automatic detection methods. Previous research found that about 75% of malwares studied did not react in a fully automatic environment without user intervention thus being undetectable. This paper introduces a near automated solution to detect malwares quickly by relying on a supervision and control method based on user level capabilities of the operating system. Improving on previous methods, this research can replace the need for debugging new malwares in almost all aspects. This solution forces malwares in automated environments to activate and be discoverable. Researcher intervention during malware code execution along with the malware’s intent over calling sensitive operating system functions and parameters aid this process. Since operating system functions are virtualized malwares are incapable of physically harming the system during execution. The solution reached 98% overall accuracy in conjunction with reducing code size by 80% in comparison with similar techniques, improving simplicity and reliability.