Classic anti-virus programmes are increasingly reaching their limits. For anti-virus protection to detect a piece of malware, that malware must already be known. Yet new malware keeps appearing and changes constantly, which makes it harder to keep the protection databases up to date: valuable time passes while damage is being done. In the project “MalwareDef”, St. Pölten UAS developed a method that detects malware by its behaviour, even if it has never appeared before.
Debunking viruses by their behaviour
The research institute for IT-Security at St. Pölten UAS developed a method in the project “MalwareDef” that repels malware even when it is not listed in the databases of protection programmes. “Known dangers are listed in a register, as in a file on criminals. Yet we also want to catch those programmes that are attacking for the first time”, says Paul Tavolato, head of project and research associate at the research institute for IT-Security at St. Pölten UAS.
The basis for this is the behaviour of the malware, whose individual activities are often quite inconspicuous: here and there a file is created or renamed, a programme is started, an external connection is opened or certain data is accessed; each of these activities can also be carried out by harmless programmes. “It is a matter of several thousand commands which are neutral as individual cases, but suspicious in combination”, explains Tavolato.
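The combination principle Tavolato describes, as an added illustration that is not MalwareDef's own code or rule set: a constructed trace of process events in which every action is harmless on its own, scored by hypothetical rules that fire only when all actions of a set are observed from one process inside a time window.

```python
"""Behaviour-combination detector: each action alone is neutral, a set of
actions from one process inside a short time window is suspicious.
Illustrative code added here; it is not MalwareDef's own method or rule set."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: int        # seconds since the start of the trace
    pid: int      # process that performed the action
    action: str   # one of the neutral actions named in the article

# Hypothetical rules: every action in the set must be seen for the same
# process within WINDOW seconds. Any one action on its own never fires.
WINDOW = 60
RULES = {
    "drop_and_execute": {"file_create", "proc_start", "net_connect"},
    "collect_and_send": {"read_data", "file_rename", "net_connect"},
}

def score_trace(events):
    """Return {pid: set(rule names)} for processes whose actions, taken
    together, match a rule. Events may arrive in any order."""
    by_pid = {}
    for e in events:
        by_pid.setdefault(e.pid, []).append(e)
    hits = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.t)
        for name, needed in RULES.items():
            # Slide a window forward from each event; the combination counts
            # only if all required actions fall inside the same window.
            for i, first in enumerate(evs):
                seen = {x.action for x in evs[i:] if x.t - first.t <= WINDOW}
                if needed <= seen:
                    hits.setdefault(pid, set()).add(name)
                    break
    return hits

# Constructed trace: pid 100 is an editor (creates and renames files),
# pid 300 is an updater (downloads, then spawns a helper 20 minutes later),
# pid 200 writes a file, runs it and opens a connection within 20 seconds.
SAMPLE_TRACE = [
    Event(0, 100, "file_create"), Event(3, 100, "file_rename"),
    Event(0, 300, "net_connect"), Event(1200, 300, "proc_start"),
    Event(1, 300, "file_create"),
    Event(10, 200, "file_create"), Event(15, 200, "proc_start"),
    Event(30, 200, "net_connect"),
]

if __name__ == "__main__":
    print(score_trace(SAMPLE_TRACE))   # {200: {'drop_and_execute'}}
```

The updater (pid 300) performs all three actions of the first rule, but spread over 20 minutes, so the window rule leaves it unflagged; only pid 200, whose actions cluster in time, is reported.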
Project “MalwareDef – Malware detection by formal depiction of behaviour”
The project was funded by the Austrian Research Promotion Agency FFG within the security research programme KIRAS, with funds from the Austrian Ministry for Transport, Innovation and Technology. Cooperation partners in the project are the company Ikarus Security Software LLC, the Federal Ministry of National Defence and Sport and the Federal Ministry of the Interior.