Cryptographic hashing for virus localization

  • Authors:
  • Giovanni Di Crescenzo;Faramak Vakil

  • Affiliations:
  • Telcordia Technologies, Piscataway, NJ;Telcordia Technologies, Piscataway, NJ

  • Venue:
  • Proceedings of the 4th ACM workshop on Recurring malcode
  • Year:
  • 2006

Abstract

Virus detection is an important problem in the area of computer security. Modern techniques attempting to solve this problem fall into the general paradigms of signature detection and integrity checking. In this paper we focus on the latter principle, which proposes to label an executable or source file with a tag computed using a cryptographic hash function, so that any later change to the file can be detected. We suggest extending this principle so that changes to the file are not only detected but also localized within the file; this is especially useful in virus diagnostics, which can then focus on the localized area in the file rather than the entire file. This implicitly defines an apparently new problem, which we call "virus localization". We design techniques to solve the virus localization problem based on repeated efficient applications of cryptographic hashing to carefully chosen subsets of the set of file blocks, for each of the most important and known virus infection techniques, such as rewriting techniques, appending and prepending techniques, and insertion techniques.
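A minimal sketch of the localization idea for the rewriting case, added here as an illustration and not the paper's own construction: tags are computed over subsets of blocks chosen by the bits of the block index, so 2·log2(n) hashes locate a single rewritten block among n. The block size, function names and sample bytes are assumptions made for the example.

```python
import hashlib

BLOCK = 16  # bytes per block; constructed value for this demo


def subset_tags(data, size=BLOCK):
    """Hash subsets of blocks: subset (j, b) holds the blocks whose index has bit j == b."""
    n = (len(data) + size - 1) // size
    nbits = max(1, (n - 1).bit_length())
    hashers = {(j, b): hashlib.sha256() for j in range(nbits) for b in (0, 1)}
    for idx in range(n):
        blk = data[idx * size:(idx + 1) * size]
        for j in range(nbits):
            # Prefix the block index so that reordering blocks also changes the tag.
            hashers[(j, (idx >> j) & 1)].update(idx.to_bytes(8, "big") + blk)
    return {"blocks": n, "tags": {k: h.hexdigest() for k, h in hashers.items()}}


def localize(stored, data, size=BLOCK):
    """Compare fresh tags with the stored ones and report where the file changed."""
    current = subset_tags(data, size)
    if current["blocks"] != stored["blocks"]:
        # Length changed (appending, prepending, insertion): outside this sketch.
        return ("resized", None)
    index, changed = 0, False
    for j in range(len(stored["tags"]) // 2):
        bad = [b for b in (0, 1) if current["tags"][(j, b)] != stored["tags"][(j, b)]]
        if len(bad) == 2:
            # Two changed blocks differ in some index bit, so both halves mismatch.
            return ("multiple", None)
        if bad:
            changed = True
            index |= bad[0] << j  # the mismatching half gives bit j of the block index
    return ("block", index) if changed else ("clean", None)


if __name__ == "__main__":
    original = bytes(range(256))  # constructed 16-block "file"
    stored = subset_tags(original)
    rewritten = original[:165] + b"\xcc\xcc" + original[167:]  # overwrite inside block 10
    print(localize(stored, original))   # ('clean', None)
    print(localize(stored, rewritten))  # ('block', 10)
```

Only the stored tags are needed at check time, and the result narrows diagnostics to one `BLOCK`-sized region instead of the whole file.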