Researchers Use Machines To Analyze Malware

Krishna Dagli writes to mention a Register article about a mechanical process for analyzing malware. Using an automated system, researchers are able to more accurately classify the often randomly-named bots and viruses that plague us. From the article: "The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as 'events' in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification. When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent."

You can already buy a product that does this

[Anonymous Coward]

Internet Security Systems already provides a product that does this called "Proventia Desktop". Whenever the user tries to run a program, it first boots a virtual machine, runs the program, looks at all these behaviors (opening connections, setting itself as the Run entry in the registry, etc.). When the right combination of behaviors are detected, it marks it as malware and refuses to run it in the real machine. The entire process takes as much time as it would for anti-virus to scan it. It's about 99% effective, which means that it catches almost all 0-day viruses, but it will occasionally let something through (which is why you should probably also have traditional anti-virus as well).