Described are techniques for the automatic detection of malicious code by verifying that an application executes in accordance with a model defined in terms of calls to a predetermined set of targets, such as external routines. The model is constructed by static analysis of a binary form of the application and comprises a list of calls to targets, their invocation and target locations, and possibly other call-related information. When the application is executed, dynamic analysis is used to intercept calls to targets and verify them against the model. The verification may involve comparing the invocation and target locations, as well as other call-related information available at the time of call interception, with the corresponding information identified by static analysis. If verification fails, the application is determined to include malicious code. As an option, once detected, the malicious code may be allowed to execute in order to gather information about its behavior.
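The model-then-verify flow described above, as an added Python example that is not taken from the article. The toy instruction format, the monitored target names, the use of a target name in place of a target location, and all function names are assumptions made for illustration.

```python
# Added example: the instruction format and target names are assumptions.
MONITORED = {"open", "read", "write", "exec"}  # predetermined set of targets

def build_model(image):
    """Static analysis: collect (invocation location, target) for monitored calls."""
    return {(addr, arg) for addr, (op, arg) in image.items()
            if op == "call" and arg in MONITORED}

def run_monitored(image, model, observe=False, max_steps=1000):
    """Dynamic analysis: intercept each monitored call and verify it against the model.

    Returns (violations, trace). With observe=False execution stops at the first
    failed verification; with observe=True it continues so behaviour can be logged.
    """
    violations, trace, pc = [], [], 0
    for _ in range(max_steps):
        if pc not in image:
            break
        op, arg = image[pc]
        if op == "ret":
            break
        if op == "jmp":
            pc = arg
            continue
        if op == "call" and arg in MONITORED:
            if (pc, arg) not in model:
                violations.append((pc, arg))
                if not observe:
                    break
            trace.append((pc, arg))
        pc += 1
    return violations, trace

# Constructed sample: the binary as analysed statically.
ON_DISK = {0: ("call", "open"), 1: ("call", "read"), 2: ("nop", None),
           3: ("call", "write"), 4: ("ret", None)}
# Constructed sample: the same program at run time with foreign code spliced in.
IN_MEMORY = dict(ON_DISK)
IN_MEMORY.update({2: ("jmp", 100), 100: ("call", "exec"),
                  101: ("call", "write"), 102: ("jmp", 3)})

MODEL = build_model(ON_DISK)

if __name__ == "__main__":
    print("clean run:   ", run_monitored(ON_DISK, MODEL))
    print("stop on fail:", run_monitored(IN_MEMORY, MODEL))
    print("observe mode:", run_monitored(IN_MEMORY, MODEL, observe=True))
```

In observe mode the call to `write` from location 101 is also flagged: the target is in the monitored set, but no call from that invocation location appears in the static model.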