25-08-2017, 09:32 PM
ABSTRACT
As networks grow larger, so does the number of viruses that exploit their loopholes. A new, as yet unknown virus typically causes some damage before existing Antivirus Engines identify and block it, since the conventional approach is a reactive solution. The need of the hour is a pro-active solution that avoids this initial damage. The proposed engine also addresses a distributed updating mechanism, which allows for greater flexibility in detecting returning viruses.
So the underlying principle is to construct an AV Engine that simulates our existing system behavior; any file deviating from the system properties defined in the engine becomes suspicious and undergoes further scrutiny. This prototype AV Engine is based on file patterns, also termed file signatures. They are like the fingerprints used to identify which file format a certain file belongs to. These file patterns are a basic necessity for characterizing the system behavior. However, since numerous file formats exist, initial work is limited to the most common file formats and the ways of generating their corresponding file signatures, which are then incorporated in the AV Engine to mimic system behavior.
The most preferred and accurate way devised to generate file patterns or signatures is the Byte Frequency Algorithm (BFA). It identifies particular characters in the input file and determines the frequency with which each of them occurs. From this a BFA graph is built, which is used to generate the required file pattern for an input file format. Because the BFA output varies between different inputs of the same file type, a safe standard deviation is set for the most frequently occurring characters. Feeding in more inputs of the same file type produces more accurate file patterns for that type, which makes this a Self Learning Algorithm.
Also, if support for a new or different file type is to be added to enhance the AV engine's simulation of system behavior, that file type's signature can be generated independently and added in the form of a plug-in. Hence the AV Engine is also said to be Extensible.
When a new file is downloaded to the system, its file pattern is matched against the existing file patterns in the AV engine database. If a match occurs, it is passed as a genuine file; otherwise it undergoes further scrutiny in the Heuristics / Behavior module and the Emulation module. This illustrates the Modular approach of the engine. Overall, the new AV Engine accentuates a new file-pattern approach based on BFA for pro-actively detecting viruses.
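A small worked example of the BFA signature flow described above: learn a per-byte mean and standard deviation from several samples of one file type, pass a new file whose frequencies stay inside the band, and send anything else on for further scrutiny. This is illustration code added here, not code from the original post or any project it describes; the text samples, the choice of tracking the eight most frequent byte values, the three-standard-deviation band and the `floor` margin are all assumptions made for the example.

```python
import math
from collections import Counter

def byte_frequencies(data: bytes) -> list[float]:
    """Relative frequency of each of the 256 byte values in data (the BFA histogram)."""
    counts = Counter(data)
    total = max(len(data), 1)
    return [counts.get(b, 0) / total for b in range(256)]

def build_signature(samples: list[bytes], top_n: int = 8) -> dict[int, tuple[float, float]]:
    """Learn a file-type signature from several samples of that type.
    For the top_n most frequent byte values (averaged over the samples) store
    (mean frequency, standard deviation). More samples refine both numbers,
    which is the self-learning behaviour the abstract describes."""
    hists = [byte_frequencies(s) for s in samples]
    n = len(hists)
    means = [sum(h[b] for h in hists) / n for b in range(256)]
    tracked = sorted(range(256), key=lambda b: means[b], reverse=True)[:top_n]
    signature = {}
    for b in tracked:
        variance = sum((h[b] - means[b]) ** 2 for h in hists) / n
        signature[b] = (means[b], math.sqrt(variance))
    return signature

def matches_signature(data: bytes, signature: dict[int, tuple[float, float]],
                      tolerance: float = 3.0, floor: float = 0.01) -> bool:
    """True when every tracked byte's frequency lies within tolerance * stddev of
    the learned mean. `floor` is an assumed safety margin that stops the band from
    collapsing to zero when the training samples happen to agree exactly."""
    hist = byte_frequencies(data)
    return all(abs(hist[b] - mean) <= tolerance * max(sd, floor)
               for b, (mean, sd) in signature.items())

def needs_scrutiny(data: bytes, signatures: dict[str, dict]) -> bool:
    """Engine flow from the abstract: a file matching any known pattern is passed
    as genuine; anything else goes on to the heuristics and emulation stages."""
    return not any(matches_signature(data, sig) for sig in signatures.values())

# Constructed inputs, not real files: three English text samples stand in for files
# of one type; the probes are a new text file and a file with a flat byte
# distribution, which no text-like signature should accept.
TEXT_SAMPLES = [
    b"the quick brown fox jumps over the lazy dog " * 20,
    b"security engineers review logs and patch servers " * 20,
    b"an abstract describes a proactive antivirus engine " * 20,
]
NEW_TEXT = b"the new engine flags files whose bytes deviate from the norm " * 20
UNIFORM_BINARY = bytes(range(256)) * 4

if __name__ == "__main__":
    db = {"text": build_signature(TEXT_SAMPLES)}
    print("new text needs scrutiny:", needs_scrutiny(NEW_TEXT, db))          # False
    print("flat bytes need scrutiny:", needs_scrutiny(UNIFORM_BINARY, db))   # True
```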