This study focuses on one malware family, the Brontok worms. These worms have long been a heavy burden on Windows-based user platforms. A prototype of the antivirus was able to scan files and accurately detect any traces of Brontok malware signatures in the scanned files. In this study, we developed a detection model by extracting the signatures of the Brontok worms and using an n-gram technique to break the signatures down. This breakdown makes it easier to remove redundancies between the signatures of the different types of Brontok malware, and it was used in this study to accurately differentiate between the signatures of malicious and normal files. During the experiment, we successfully detected the presence of Brontok worms while correctly identifying the benign files. The techniques employed in the experiment provided some insight into creating a good signature-based detector, which could be used to create a more credible solution that eliminates threats from old malware that may resurface in the future.
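The n-gram breakdown described in the abstract, sketched as an added example; this is not the authors' code. The 4-byte n-gram width, the `min_run` threshold, the function names and all sample bytes are assumptions constructed for illustration, not real Brontok signatures.

```python
from collections import Counter

N = 4  # n-gram width in bytes (assumed; the abstract does not state n)

def ngrams(data: bytes, n: int = N) -> list[bytes]:
    """All overlapping byte n-grams of data, in order."""
    return [data[i:i + n] for i in range(len(data) - n + 1)]

def build_model(signatures: dict[str, bytes], benign: list[bytes]) -> dict[bytes, set[str]]:
    """Store each distinct n-gram once, mapped to the variants containing it.
    N-grams that also occur in benign samples are dropped."""
    benign_grams = {g for sample in benign for g in ngrams(sample)}
    model: dict[bytes, set[str]] = {}
    for variant, sig in signatures.items():
        for g in ngrams(sig):
            if g not in benign_grams:
                model.setdefault(g, set()).add(variant)
    return model

def scan(data: bytes, model: dict[bytes, set[str]]) -> dict[str, int]:
    """Longest run of consecutive matching n-grams, per variant."""
    run, best = Counter(), Counter()
    for g in ngrams(data):
        hits = model.get(g, ())
        for v in [v for v in run if v not in hits]:
            del run[v]  # the sequence is broken for this variant
        for v in hits:
            run[v] += 1
            best[v] = max(best[v], run[v])
    return dict(best)

def best_match(data: bytes, model: dict[bytes, set[str]], min_run: int = 8):
    """Variant with the longest run, or None if no run reaches min_run."""
    runs = scan(data, model)
    if not runs or max(runs.values()) < min_run:
        return None
    return max(runs, key=runs.get)

# Constructed sample data (placeholders, not real Brontok signatures).
HEADER = b"MZ\x90\x00"
COMMON = b"CONSTRUCTED-SHARED-BODY"
SIGNATURES = {"variant_a": HEADER + COMMON + b"-tailA1",
              "variant_b": HEADER + COMMON + b"-tailB2"}
BENIGN = [HEADER + b"ordinary program bytes"]
MODEL = build_model(SIGNATURES, BENIGN)

if __name__ == "__main__":
    infected = b"\xcc" * 8 + SIGNATURES["variant_a"] + b"\xcc" * 8
    print(len(MODEL), scan(infected, MODEL), best_match(infected, MODEL))
```

The two constructed signatures hold 62 n-grams between them, but the model keeps only 32 entries because the shared body is stored once and the header n-gram seen in the benign sample is discarded.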
CITATION STYLE
Abiola, A. M., & Marhusin, M. F. (2018). Signature-based malware detection using sequences of N-grams. International Journal of Engineering and Technology (UAE), 7(4), 120–125. https://doi.org/10.14419/ijet.v7i4.15.21432