< About VB (Virus Bulletin) Conference >
Over its 17-year history, the VB conference has become a major highlight of the anti-malware calendar, with many of its regular attendees citing it as the anti-malware event of the year. The VB conference provides a focus for the anti-malware industry, representing an opportunity for experts in the anti-malware arena to share their research interests, discuss methods and technologies and set new standards, as well as meet with - and learn from - those who put their technologies into practice in the real world.
Split into two streams, the conference program caters for both technical and corporate audiences, covering a wide range of anti-malware and spam-related subjects. Delegates range from dedicated anti-malware researchers to security experts from government and military organizations, legal, financial and educational institutions and large corporations worldwide.
On Virus Bulletin 2007
I'm very sorry that I could not be there because of my work line, but my co-author, Mr Hwang, would present the paper. I hope to see the researchers next time.
Title: ANTI-MALWARE EXPERT SYSTEM
Kyu-beom Hwang and Deok-young Jung, AhnLab Inc.
An expert system is a useful approach for analyzing malware or other kinds of software. We designed an anti-malware expert system using our compiled research results.
AMES (AhnLab anti-Malware Expert System) consists of automatic static/dynamic analysis systems, classification technology of malware and non-malware, and environment analysis.
This system helps to minimize human error, such as false positive detection.
Diverse approaches, such as malware auto-analysis systems, malware classification and static/dynamic analysis technology for malware, have been tried by AV/AM researchers. Inferring malware from function signatures and detecting behavior patterns of malware are some of the purposes of AMES. If a sample is malware, then AMES generates a detection signature automatically.
Of course, it is difficult to predict all "malicious" code automatically, but we get useful results using our malware knowledge database.
We think that the core technology is able to judge whether code is malware or not, and will be able to classify it accordingly. In the traditional virus case, if a virus-infected program 'A+V' consists of a safe program 'A' and a virus function 'V', and almost all of the functions of 'A+V' are not virus functions but are the same as those of 'A', then our AMES will treat it as a virus.
The knowledge database holds much information from analysts' studies, extracted functions and behavioral information on collected virus and non-virus samples. To build the knowledge database, we designed three categories. The first is a function-based static analysis environment. The second is a virtual machine based dynamic analysis system, while the last one is a human-based active analysis environment. We designed a generic unpacking method for runtime-packed samples on virtual machines and plug-in runtime debuggers.
The objective of AMES is to help analysts evaluate samples and judge whether they are malware variants or non-malware. ...
AMES uses classification technology and function similarity in collaborative analysis technology.
We will make the system more concrete by using various dynamic analysis technology research in a virtualization environment.
Full Paper : "
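The 'A+V' case in the abstract above, together with the function-similarity classification it mentions, as an added illustration that is not the paper's or AhnLab's code: a toy knowledge base of analyst-labelled function signatures and a rule-based verdict that flags a program as malware when it contains even one known virus function, however many clean functions surround it. The function bodies, the hashing scheme, the three verdict rules and the 0.8 clean-ratio threshold are all constructed for this example; AMES's real signature format and rules are not described on the page.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "function bodies": stand-ins for the normalized bytes a
# function extractor would lift from a binary. They are not real machine code.
PROGRAM_A = {
    "main":  b"push ebp; mov ebp,esp; call parse; call write; leave; ret",
    "parse": b"mov eax,[ebp+8]; cmp byte [eax],0; je done; inc eax; jmp parse",
    "write": b"mov eax,4; mov ebx,1; int 0x80; ret",
}
VIRUS_V = {
    "infect": b"open *.exe; append self; patch entry point",
}


def function_signature(body: bytes) -> str:
    """Hash a normalized function body into a short, stable signature (assumed scheme)."""
    return hashlib.sha256(body).hexdigest()[:16]


@dataclass
class KnowledgeBase:
    """Analyst-labelled function signatures: the 'knowledge database' of the abstract."""
    clean: set[str] = field(default_factory=set)
    malicious: set[str] = field(default_factory=set)

    def learn(self, functions: dict[str, bytes], label: str) -> None:
        """Record every function of a labelled sample under 'clean' or 'malicious'."""
        target = self.clean if label == "clean" else self.malicious
        target.update(function_signature(b) for b in functions.values())


def classify(functions: dict[str, bytes], kb: KnowledgeBase,
             clean_threshold: float = 0.8) -> dict:
    """Rule-based verdict from function-signature overlap with the knowledge base.

    Rules (constructed for this example, not AMES's actual logic):
      1. any known-malicious function present -> 'malware', regardless of clean functions
      2. enough known-clean functions          -> 'clean'
      3. otherwise                             -> 'unknown' (route to a human analyst)
    """
    sigs = {function_signature(b) for b in functions.values()}
    malicious_hits = sigs & kb.malicious
    clean_hits = sigs & kb.clean
    clean_ratio = len(clean_hits) / len(sigs) if sigs else 0.0
    if malicious_hits:
        verdict = "malware"
    elif clean_ratio >= clean_threshold:
        verdict = "clean"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "functions": len(sigs),
            "malicious_hits": len(malicious_hits), "clean_ratio": clean_ratio}


def build_kb() -> KnowledgeBase:
    """Knowledge base seeded with the clean program A and the virus function V."""
    kb = KnowledgeBase()
    kb.learn(PROGRAM_A, "clean")
    kb.learn(VIRUS_V, "malicious")
    return kb


def infected_program() -> dict[str, bytes]:
    """'A+V': the clean program with the virus function appended."""
    return {**PROGRAM_A, **VIRUS_V}


if __name__ == "__main__":
    kb = build_kb()
    samples = [("A", PROGRAM_A), ("A+V", infected_program()),
               ("unknown", {"f": b"xor eax,eax; ret"})]
    for name, sample in samples:
        print(name, classify(sample, kb))
```

Three of the four functions in 'A+V' match the clean program exactly (clean ratio 0.75), yet rule 1 still returns 'malware' because the fourth matches a known virus function; the sample with no known functions lands in 'unknown', the case the abstract assigns to the human-based analysis environment.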