skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Statistical fingerprinting for malware detection and classification

Abstract

A system detects malware in a computing architecture with an unknown pedigree. The system includes a first computing device having a known pedigree and operating free of malware. The first computing device executes a series of instrumented functions that, when executed, provide a statistical baseline that is representative of the time it takes the software application to run on a computing device having a known pedigree. A second computing device executes a second series of instrumented functions that, when executed, provides an actual time that is representative of the time the known software application runs on the second computing device. The system detects malware when there is a difference in execution times between the first and the second computing devices.

Inventors:
;
Publication Date:
Research Org.:
Oak Ridge National Laboratory (ORNL), Oak Ridge, TN (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1214592
Patent Number(s):
9,135,440
Application Number:
13/955,784
Assignee:
UT-Battelle, LLC (Oak Ridge, TN)
DOE Contract Number:  
AC05-00OR22725
Resource Type:
Patent
Resource Relation:
Patent File Date: 2013 Jul 31
Country of Publication:
United States
Language:
English
Subject:
97 MATHEMATICS AND COMPUTING

Citation Formats

Prowell, Stacy J., and Rathgeb, Christopher T. Statistical fingerprinting for malware detection and classification. United States: N. p., 2015. Web.
Prowell, Stacy J., & Rathgeb, Christopher T. Statistical fingerprinting for malware detection and classification. United States.
Prowell, Stacy J., and Rathgeb, Christopher T. 2015. "Statistical fingerprinting for malware detection and classification". United States. https://www.osti.gov/servlets/purl/1214592.
@article{osti_1214592,
title = {Statistical fingerprinting for malware detection and classification},
author = {Prowell, Stacy J. and Rathgeb, Christopher T.},
abstractNote = {A system detects malware in a computing architecture with an unknown pedigree. The system includes a first computing device having a known pedigree and operating free of malware. The first computing device executes a series of instrumented functions that, when executed, provide a statistical baseline that is representative of the time it takes the software application to run on a computing device having a known pedigree. A second computing device executes a second series of instrumented functions that, when executed, provides an actual time that is representative of the time the known software application runs on the second computing device. The system detects malware when there is a difference in execution times between the first and the second computing devices.},
doi = {},
url = {https://www.osti.gov/biblio/1214592}, journal = {},
number = ,
volume = ,
place = {United States},
year = {Tue Sep 15 00:00:00 EDT 2015},
month = {Tue Sep 15 00:00:00 EDT 2015}
}

Works referenced in this record:

Behavioral detection of malware: from a survey towards an established taxonomy
journal, February 2008


Countering code-injection attacks with instruction-set randomization
conference, January 2003

  • Kc, Gaurav S.; Keromytis, Angelos D.; Prevelakis, Vassilis
  • CCS '03 Proceedings of the 10th ACM conference on Computer and communications security, p. 272-280
  • https://doi.org/10.1145/948109.948146