Kyu-beom Hwang, Deok-young Jung AhnLab
The EXPERT system is a useful approach for analysing malware or other kinds of software. We designed an anti-malware expert system using our compiled research results.
AMES (AhnLab anti-Malware Expert System) consists of automatic static/dynamic analysis systems, classification technology of malware and non-malware, and environment analysis. This system helps to minimize human error, or false positive detection.
Diverse approaches, like the technology of malware auto-analysis system and classification malware and static/dynamic analysis technology for malware, were tried by AV/AM researchers. Inference malware from function-signature and dectecting behaviour patterns of malware are some of the purposes of AMES. If a sample is a malware, then AVES generates a detecting signature automatically.
Of course, it is difficult to predict all 'malicious' codes automatically, but we get useful results using our malware knowledge database. We think that the core technology is able to judge whether a code is a malware or not, and will be able classify them accordingly. In the traditional virus case, if a virus infected program 'A+V' consists of a safe program 'A' and virus function 'V', and almost all of the functions of 'A+V' are not virus functions, but all functions of 'A+V' are same as 'A', then our AMES will treat it as a virus.
The knowledge database has much information about analysts' studied information, extraction functions and behavioural information on collected virus and non-virus. To make a knowledge database, we have designed three categories. First is a function-based static analysis environment. The second category is a virtual machine based dynamic analysis system, while the last one is a human-based active analysis environment. We designed a generic unpacking method for runtime-packed samples on virtual machines and plug-in runtime debuggers.
The objective of AMES is to help analysts evaluate samples and judge malware as variant or non-malware. AMES uses classification technology and function similarity in collaborative analysis technology. We will make the system more concrete by using various dynamic analysis technology researches on a virtualization environment.