VX Heaven


Automatically generated Win32 heuristic virus detection

William Arnold, Gerald Tesauro
Virus Bulletin conference
September 2000


Heuristic classifiers which distinguish between uninfected and infected members of some class of program objects have usually been constructed by hand. We automatically construct multiple neural network classifiers which can detect unknown Win32 viruses, following a technique described in previous work (Kephart et al., 1995) on boot virus heuristics.

These individual classifiers have a false positive rate too high for real-world deployment. We find that, by combining the individual classifier outputs using a voting procedure, the risk of false positives is reduced to an arbitrarily low level, with only a slight increase in the false negative rate. Regular heuristics retraining on updated sets of exemplars (both infected and uninfected) is practical if the false positive rate is low enough.
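
The trade-off behind the voting step can be worked through numerically. The sketch below is an added example, not code from the paper: it assumes a simple "at least k of n classifiers must flag the file" rule, statistically independent classifiers, and constructed per-classifier error rates, none of which the abstract specifies.

```python
from math import comb


def binom_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def voted_rates(n, k, fp, fn):
    """Return (false positive rate, false negative rate) of a k-of-n vote.

    fp, fn are the per-classifier error rates; classifiers are assumed
    independent (an assumption of this example, not a claim of the paper).
    """
    voted_fp = binom_tail(n, k, fp)             # k or more false alarms on a clean file
    voted_fn = 1.0 - binom_tail(n, k, 1 - fn)   # fewer than k detections on an infected file
    return voted_fp, voted_fn


def min_votes_for_target(n, fp, target_fp):
    """Smallest vote threshold k whose voted FP rate is <= target_fp, else None."""
    for k in range(1, n + 1):
        if binom_tail(n, k, fp) <= target_fp:
            return k
    return None  # target not reachable with n classifiers; train more of them


if __name__ == "__main__":
    # Constructed figures: 5 classifiers, each with 10% FP and 5% FN.
    N, FP, FN = 5, 0.10, 0.05
    for k in range(1, N + 1):
        v_fp, v_fn = voted_rates(N, k, FP, FN)
        print(f"k={k}: voted FP={v_fp:.6f}  voted FN={v_fn:.6f}")
    print("threshold for FP <= 1e-3:", min_votes_for_target(N, FP, 1e-3))
```

Raising the threshold drives the false positive rate down geometrically while the false negative rate climbs; classifiers trained on overlapping exemplars are correlated in practice, so measured gains will be smaller than this independent-case bound.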
