Funded by: Department of Defense, Defense Advanced Research Projects Agency
Research Partner: Columbia University
Today's commercial antivirus software is based largely on pattern recognition techniques. While effective at identifying known malicious software, this approach is notoriously poor at finding novel attacks, which leaves computer systems highly vulnerable to newly created viruses and Trojan horse programs. To address this problem, we explored a number of standard data mining techniques to develop an accurate classifier for previously unseen programs. The classification techniques that we explored were rated by their ability to accurately identify an unknown executable as malicious or benign. The most successful technique we explored was Naïve Bayes classification. Our successful experiments with this approach led to the development of the BayeScan and Malicious Email Filter prototypes. BayeScan implements a graphical user interface on the Windows platform to enable users to easily scan executables for signs of maliciousness. The Malicious Email Filter integrates with the UNIX procmail system to provide gateway protection against malicious software.
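The core of the approach described above, as an added example that is not part of the original project's code: a Bernoulli Naïve Bayes classifier trained on the presence of printable strings extracted from labelled executables, then applied to an unseen one. The feature choice (strings of four or more printable bytes) and the tiny training set are assumptions constructed for illustration, not the project's data.

```python
import math
import re
from collections import Counter

# Feature extractor: runs of 4+ printable ASCII bytes, the same idea as `strings`.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")

def extract_features(blob):
    """Set of distinct printable strings found in a raw executable image."""
    return {s.decode("ascii") for s in STRING_RE.findall(blob)}

class BernoulliNB:
    """Naive Bayes over binary feature presence with add-alpha (Laplace) smoothing."""
    def __init__(self, alpha=1.0):
        self.alpha, self.class_count, self.feature_count, self.vocab = alpha, Counter(), {}, set()

    def fit(self, samples):
        for features, label in samples:
            self.class_count[label] += 1
            self.feature_count.setdefault(label, Counter()).update(features)
            self.vocab |= features

    def log_posteriors(self, features):
        total = sum(self.class_count.values())
        scores = {}
        for label, n in self.class_count.items():
            logp = math.log(n / total)  # class prior
            counts = self.feature_count[label]
            for f in self.vocab:
                # P(f present | label); smoothing keeps a never-seen string from zeroing a class
                p = (counts[f] + self.alpha) / (n + 2 * self.alpha)
                logp += math.log(p if f in features else 1.0 - p)
            scores[label] = logp
        return scores

    def predict(self, features):
        scores = self.log_posteriors(features)
        return max(scores, key=scores.get)

# Constructed, hypothetical "executables": only the embedded strings matter to the model.
TRAINING = [
    (b"MZ\x90\x00kernel32.dll\x00user32.dll\x00MessageBoxA\x00Hello, world!\x00", "benign"),
    (b"MZ\x90\x00kernel32.dll\x00gdi32.dll\x00TextOutA\x00About this program\x00", "benign"),
    (b"MZ\x90\x00kernel32.dll\x00urlmon.dll\x00URLDownloadToFileA\x00WinExec\x00", "malicious"),
    (b"MZ\x90\x00kernel32.dll\x00advapi32.dll\x00RegSetValueExA\x00WinExec\x00", "malicious"),
]
UNSEEN = b"MZ\x90\x00kernel32.dll\x00urlmon.dll\x00URLDownloadToFileA\x00RegSetValueExA\x00"

def build_classifier():
    """Train on the constructed corpus; real use would extract features from files on disk."""
    clf = BernoulliNB()
    clf.fit([(extract_features(blob), label) for blob, label in TRAINING])
    return clf

if __name__ == "__main__":
    print(build_classifier().predict(extract_features(UNSEEN)))  # prints "malicious"
```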