International Conference on Test, Measurement and Computational Method (TMCM 2015)

Study of an Anti-Virus Framework

Ming Zhang 1,2 and Wei Chen 1
1 School of Information Engineering, Wuhan University of Technology, Wuhan, China
2 Linyi University, Shandong, China

Abstract—Commercial anti-virus software is built on the work of an anti-virus engine that matches signatures, and this method can accurately detect known viruses. The research of foreign scholars on anti-virus technology focuses on the following aspects: improving the ability of anti-virus software to detect unknown viruses, solving the problem that polymorphic viruses defeat signature matching by deforming themselves, and improving the efficiency of the signature matching algorithm. To prevent the virus from causing damage, a VMware Windows XP virtual machine is selected as the test environment, and the widely spread Gray Pigeon virus is selected for the experiment.

Keywords-anti-virus framework; intelligent feature codes; anti-virus; atom-detection activities

I. INTRODUCTION

Commercial anti-virus software is built on the work of an anti-virus engine that matches signatures, and this method can accurately detect known viruses. The research of foreign scholars on anti-virus technology focuses on the following aspects: improving the ability of anti-virus software to detect unknown viruses, solving the problem that polymorphic viruses defeat signature matching by deforming themselves, and improving the efficiency of the signature matching algorithm. Domestic scholars focus on the computational model, the computer virus propagation model and evolution model, and other areas of theory]. Research on the anti-virus engine lets the industry protect its core competitiveness. However, because the anti-virus engine, as the core module of anti-virus software, is involved in the design of the engine when solving the various problems of anti-virus technology, it is hard to convert theoretical research into practical applications. Therefore, scholars need to pay attention to the study of the anti-virus engine. In literature [9], the disadvantages of the traditional anti-virus engine are analyzed, which indicates that a traditional engine using fixed detection logic has the defect of lacking atomic testing activities, and that the engine and the signature database are strongly coupled. In addition, the control coupling between the two test modules of the engine is high, so it is hard to update the detection module in a timely manner. At present, computer virus makers have fused a variety of attack techniques and constantly create viruses with unique behavior. Without timely extension of the detection module, anti-virus vendors often face the embarrassing issue of having to release dedicated killing tools. In another aspect, anti-virus technology shows a trend of development in the embedded direction. Network equipment makers provide anti-virus modules in routers; for example, H3C provides the ASM (Anti-Virus Security Module). ASM is installed on an H3C router for on-line detection of through traffic and filters the information carried in viruses, worms and Trojans. Because hardening the anti-virus engine code into an embedded device raises the cost of upgrading that code, the engine is required to be more flexibly extensible. To improve the scalability of anti-virus software, we first decouple the engine from the signature database, and second decompose each test module of the engine and design fine-grained detection modules. The literature mainly points out the existing disadvantages of anti-virus engine design and proves theoretically that the detection module is decomposable, but without presenting the key technology or a performance analysis.

FIGURE I. FILE TYPE TESTING ACTIVITY DIAGRAM.

As shown in Figure 1, let the file type determination activity be P1, the unpack activity P2, the virtual machine testing activity S1 and the signature matching activity S2; the sequence L1 = {P1, P2, S1, S2} denotes a detection logic, and L1 describes a complete process: first determine the type of the file to be detected, then judge whether it is packed and the pack type, then process it with the unpack activity, and after a successful unpack, if the file is polymorphic, send it to the virtual machine for processing, and finally perform signature matching. The disadvantages of the traditional anti-virus engine can be seen intuitively from the diagram.

© 2015. The authors - Published by Atlantis Press


II. FRAMEWORK DESIGN SCHEME

A. The Structure of the Extensible Framework

(Figure II diagram: framework modules SPM, DLGM, RS, KMM, ADAS and DLPM)
FIGURE II. FRAMEWORK ARCHITECTURE DIAGRAM.

DLGM is a key part of the whole extensible framework: it receives the output of the SPM and converts a disordered subset of atomic testing activities into effective detection logic; new detection logic must satisfy the concurrency and dependence constraints. RS (Rule Set) provides the rule sets used by the detection logic. DLPM (Detection Logic Perform Module) receives the inspection activities output by the DLGM and performs them for a particular virus. ADAS (Atom-Detection Activities Set) is the set of the most basic testing activities; it receives commands from KMM management and can be updated in real time.

To verify the validity of the design scheme and at the same time reduce the difficulty of realizing the design, the prototype system is realized on the basis of the open source anti-virus software AnSav. AnSav is written in Win32 assembly language, and signature matching is realized with the classical BM algorithm [10]. The inspection activities are decomposed on the basis of AnSav. For example, the UPX.ASM unpack module realizes the three classic unpack algorithms ASPACK, UPX and PEcompact; the three unpack algorithms are encapsulated into three DLLs, so adding a new unpack test only requires adding a new DLL file.

B. Intelligent Feature Codes

Intelligent feature codes are the key to realizing engine decoupling. The difference between intelligent feature codes and ordinary signatures is that they carry the behavior information that guides the engine's dynamic adjustment; using the behavior information of the specific virus to dynamically adjust the detection logic realizes inversion of control, so control coupling becomes interface coupling. An intelligent signature consists of three parts: the specific behavior code, the engine control code and the virus signature code. The specific behavior code describes the behavior characteristics of the virus and totals 11 bytes: the first byte is a flag, the next four words represent the virus's file system operation behavior, registry operation behavior, process behavior and time behavior, and the last word is reserved for extensions. The second part is the engine control code, as follows:

    Virusbehavior struct
        Behaviorflag    db ?    ; 1-byte flag
        ModiFilebhInfo  word ?  ; file system operation behavior
        ModiRegInfo     word ?  ; registry operation behavior
        ProcInfo        word ?  ; process behavior
        TimeInfo        word ?  ; time behavior
        Reserved        word ?  ; reserved for extensions
    Virusbehavior ends

The engine control code is 3 bytes, which respectively represent the scanning object control information, the engine work behavior control information and the scan control information. The scanning object control information gives the scope of the scan, such as RAM, DBR or specific folders. The engine work behavior control information shows how to deal with the test results, such as alarm, isolation, direct deletion, deletion on restart, etc. The scan degree information indicates whether in-depth scanning is performed.

    EngineCtlInfo struct
        Objctlflag    db ?  ; scanning object (scope) control information
        Behaviorflag  db ?  ; engine work behavior (result handling) control information
        Effectflag    db ?  ; scan degree (in-depth scanning) control information
    EngineCtlInfo ends

The virus signature code is the same as the traditional virus signature code: a string extracted from the virus code serves as the matching basis. Therefore, the intelligent feature code is as follows:

    InteligentVirSig struct
        uVirBehavior  Virusbehavior <>  ; specific behavior code (11 bytes)
        uEngCtl       EngineCtlInfo <>  ; engine control code (3 bytes)
        uVirBodySig   VirusSig <>       ; traditional virus signature code
    InteligentVirSig ends

C. The Key Algorithm Description

(b) Detection logic generation algorithm

The algorithm is executed in the DLGM module and uses the rules and the signature to generate the detection logic L for a specific virus. First the testing activity set SETa is traversed, and according to the type of each testing activity the system establishes three queues: processing P, scanning S and clearing C. The queues are merged into the total queue QSet in the order P, S, C, and QSet is traversed for the specific detection activities; QSet is adjusted according to the rules on the order of testing activities, and the adjusted queue QSet is the detection logic L.

Input: Sig, SETa
Output: Detection logic L

(1) Begin
(2)   For each aseti in SETa
(3)     Switch (aseti.type):
(4)       Case P:
(5)         enPqueue(aseti); break;
(6)       Case S:
(7)         enSqueue(aseti); break;
(8)       Case C:
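As an added worked example (not the paper's code; the paper's prototype is Win32 assembly), the following Python parses and rebuilds the intelligent feature code layout described in Section II.B: the 11-byte Virusbehavior, the 3-byte EngineCtlInfo and the trailing traditional signature string. Little-endian word order, the sample field values, the signature body and the function names parse_intelligent_sig and build_intelligent_sig are assumptions made for the example.

```python
import struct
from dataclasses import dataclass

# Layout from Section II.B: 1-byte flag + 5 words (11 bytes) for Virusbehavior,
# then 3 bytes for EngineCtlInfo, then the traditional signature string.
# Little-endian words are an assumption (the prototype is Win32 assembly).
BEHAVIOR_FMT = "<B5H"   # Behaviorflag, ModiFilebhInfo, ModiRegInfo, ProcInfo, TimeInfo, Reserved
ENGINE_FMT = "<3B"      # Objctlflag, Behaviorflag, Effectflag
BEHAVIOR_LEN = struct.calcsize(BEHAVIOR_FMT)   # 11
ENGINE_LEN = struct.calcsize(ENGINE_FMT)       # 3
HEADER_LEN = BEHAVIOR_LEN + ENGINE_LEN         # 14


@dataclass(frozen=True)
class VirusBehavior:
    flag: int
    modi_file: int   # file system operation behavior
    modi_reg: int    # registry operation behavior
    proc: int        # process behavior
    time: int        # time behavior
    reserved: int    # reserved for extensions


@dataclass(frozen=True)
class EngineCtlInfo:
    obj_ctl: int       # scanning scope (RAM, DBR, specific folders)
    behavior_ctl: int  # handling of results (alarm, isolate, delete, delete on restart)
    effect: int        # whether to scan in depth


@dataclass(frozen=True)
class IntelligentSig:
    behavior: VirusBehavior
    engine: EngineCtlInfo
    body: bytes        # traditional virus signature string used for pattern matching


def parse_intelligent_sig(blob: bytes) -> IntelligentSig:
    """Split a serialized InteligentVirSig record into its three parts."""
    if len(blob) < HEADER_LEN:
        raise ValueError(f"record needs at least {HEADER_LEN} bytes, got {len(blob)}")
    behavior = VirusBehavior(*struct.unpack_from(BEHAVIOR_FMT, blob, 0))
    engine = EngineCtlInfo(*struct.unpack_from(ENGINE_FMT, blob, BEHAVIOR_LEN))
    body = blob[HEADER_LEN:]
    if not body:
        raise ValueError("record carries no virus signature code")
    return IntelligentSig(behavior, engine, body)


def build_intelligent_sig(sig: IntelligentSig) -> bytes:
    """Inverse of parse_intelligent_sig; word fields must fit in 16 bits."""
    b, e = sig.behavior, sig.engine
    head = struct.pack(BEHAVIOR_FMT, b.flag, b.modi_file, b.modi_reg, b.proc, b.time, b.reserved)
    ctl = struct.pack(ENGINE_FMT, e.obj_ctl, e.behavior_ctl, e.effect)
    return head + ctl + sig.body


# Constructed sample record (flag values and body bytes are illustrative, not from the paper).
SAMPLE_SIG = IntelligentSig(
    VirusBehavior(flag=1, modi_file=0x0003, modi_reg=0x0001, proc=0x0002, time=0x0010, reserved=0),
    EngineCtlInfo(obj_ctl=2, behavior_ctl=1, effect=1),
    body=b"\x55\x8b\xec\x83\xec\x10\xe8",
)
SAMPLE_BLOB = build_intelligent_sig(SAMPLE_SIG)

if __name__ == "__main__":
    print(len(SAMPLE_BLOB), parse_intelligent_sig(SAMPLE_BLOB))
```

The length check matters for the decoupled design: the engine reads the 14-byte header blindly before it ever looks at the signature body, so a truncated record in an updated signature database must be rejected rather than interpreted as control information.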
(9)         enCqueue(aseti); break;
(10)    EndCase
(11)  EndFor
(12)  For each Qi in QSet
(13)    Mergequeue(Qi);
(14)  EndFor
(15)  For each aj in QSet
(16)    For each ri in Ruleset
(17)      IF Match(ri, aj) == True
(18)        Adjust aj in QSet based on ri;
(19)    EndFor
(20)  EndFor
(21)  L ← QSet;

III. SIMULATION EXPERIMENT

To prevent the virus from causing damage, a VMware Windows XP virtual machine is selected as the test environment. The widely spread Gray Pigeon virus is selected for the experiment: first, because Gray Pigeon is a typical and representative independent Trojan; second, because only the file scan module needs to be started to detect an independent Trojan effectively, which makes it suitable for analyzing the performance of the anti-virus engine.

A. The Effectiveness of the Extensible

First, the scalability verification experiment of the prototype system is designed. The idea is as follows: first modify the Gray Pigeon code to simulate a variant of the virus, and then add a new atomic testing activity for the variant. If the new virus can be detected without modifying the engine code layer, this is in line with the open-closed principle of software design, and the prototype system has good scalability.

First, a Gray Pigeon variant is generated with a new packer and encryption algorithm. The prototype had no WWPACK32 unpacker; the variant is packed with WWPACK32 and then encrypted, so that the Gray Pigeon variant G_Server.dll evades the prototype system's unpacking and decryption. To detect the variant, the prototype system must be extended with new modules; the modification process is as follows. First, the new unpack module Unpack04.dll and the decryption module Decrptor2.dll are added to the prototype's EASet; second, the following three detection rules are added to RS:

R1: IF Sig.Pack == 04 THEN <a031, S1>;
R2: IF Sig.Encryp == 02 THEN <a037, S1>;
R3: IF Sig = Pack AND Sig = Encryp THEN <aunpack, adecrp>;

Third, the behavior signature of the new virus is added to the virus signature database, for example Sig = <..., 04, ..., 02>. Serial number 04 in the vector Sig is the packer algorithm (04 denotes the WWPACK32 packer), and 02 is the serial number of the encryption algorithm. The preprocessing testing activity a031 in rule R2 corresponds to the Unpack04.dll module, the preprocessing testing activity a037 corresponds to Decrptor2.dll, and S1 corresponds to the signature matching module. The prototype implementation algorithm of 3.4.2 then generates the detection logic <<a031, a037>, S1>, whose execution process is as follows: first call Unpack04.dll to unpack, then call Decrptor2.dll, and finally detect with the virus signature matching module. The above example shows that to detect a new virus or a variant, only the corresponding feature database and rule base need to be updated and the new test module added; the anti-virus engine makes no modification at the code layer, which illustrates that the engine framework has good extensibility.

B. Performance Analysis

Because the engine can be adjusted dynamically, the scalability of the system is improved, and the performance of this scalability needs validation. To prepare the test data, 2000 executable files with sizes between 30 KB and 1 MB are chosen, and 200 of the files are randomly given packing, polymorphic deformation and packer-encryption processing. The packing and encryption operations are written so that the current unpacking program cannot handle them, so the specially written unpacking and decryption program must be used as preprocessing before detection. More than 10 kinds of virus, including Gray Pigeon, are placed in the 2000 executable files. The average single-file scan time Tave is taken as the performance parameter, with Ttotal the full scan time and F the number of files scanned, as in Equation 1.

$T_{ave} = T_{total} / F$ (1)

(Figure I plot: average file detect time (ms), 60 to 130, versus number of files, 0 to 1000, for AnSav and the prototype)
FIGURE I. SINGLE FEATURE CODES AND DETECT FILE CASES, PERFORMANCE COMPARISON.

Commercial software cannot be modified, so the performance cannot be compared with commercial software; the comparison is between the prototype system and AnSav as a representative of the traditional engine. The single-file scan time T of the prototype system is divided into two parts, the pattern matching time Tm and the engine tuning time Te, as in Equation 2.

$T = T_{m0} + \sum_{i=0}^{n} T_{ei} + \sum_{i=0}^{n} T_{mi}$ (2)

Tm is the signature matching time, Tei (0 < i < n) is the engine adjustment time for the detection logic of intelligent signature Sigi, and n
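As an added worked example (not the paper's code or AnSav's), the following Python runs the detection logic generation algorithm of Section II.C over the Section III.A scenario: a disordered SETa containing the activities a031 (Unpack04.dll), a037 (Decrptor2.dll) and S1 (signature matching) is bucketed into the P, S and C queues, merged, and adjusted by rules R1 to R3 until the detection logic <<a031, a037>, S1> results. Assumptions made here: a rule consequent <x, y> is read as "x must run before y", Sig is modelled as a record with just the pack and encryp serial numbers the rules inspect, the clearing activity C1 is constructed, and all function names are the example's own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

P, S, C = "P", "S", "C"   # processing, scanning and clearing activity types (Section II.C)


@dataclass(frozen=True)
class Activity:
    name: str
    atype: str   # one of P, S, C


@dataclass(frozen=True)
class Sig:
    """The intelligent-signature fields the rules inspect (shape assumed for the example)."""
    pack: int     # packer algorithm serial number; 04 = WWPACK32 in the paper's example
    encryp: int   # encryption algorithm serial number; 02 in the paper's example


# A rule is (condition on Sig, (before, after)); the consequent <x, y> is interpreted
# here as "activity x must be placed ahead of activity y".
Rule = Tuple[Callable[[Sig], bool], Tuple[str, str]]

RULESET: List[Rule] = [
    (lambda s: s.pack == 4, ("a031", "S1")),                      # R1: unpack before matching
    (lambda s: s.encryp == 2, ("a037", "S1")),                    # R2: decrypt before matching
    (lambda s: s.pack == 4 and s.encryp == 2, ("a031", "a037")),  # R3: unpack before decrypt
]


def move_before(qset: List[Activity], name: str, target: str) -> List[Activity]:
    """Adjust step: move activity `name` directly ahead of `target` if it sits behind it."""
    names = [a.name for a in qset]
    if name not in names or target not in names:
        return qset
    i, j = names.index(name), names.index(target)
    if i < j:
        return qset
    item = qset.pop(i)       # i > j, so the target's index is unchanged by the pop
    qset.insert(j, item)
    return qset


def generate_detection_logic(sig: Sig, seta: List[Activity], ruleset: List[Rule]) -> List[str]:
    """Steps (1)-(21): bucket SETa into P/S/C queues, merge them, then adjust by the rules."""
    queues: Dict[str, List[Activity]] = {P: [], S: [], C: []}
    for a in seta:                                  # steps (2)-(11)
        if a.atype not in queues:
            raise ValueError(f"unknown activity type {a.atype!r} for {a.name}")
        queues[a.atype].append(a)
    qset = queues[P] + queues[S] + queues[C]        # steps (12)-(14): merge in P, S, C order
    for aj in list(qset):                           # steps (15)-(20)
        for cond, (before, after) in ruleset:
            if cond(sig) and aj.name == before:     # Match(ri, aj)
                qset = move_before(qset, aj.name, after)
    return [a.name for a in qset]                   # step (21): L <- QSet


# Constructed, deliberately disordered SETa for the Section III.A variant.
SETA = [
    Activity("S1", S),     # signature matching
    Activity("a037", P),   # Decrptor2.dll decryption
    Activity("C1", C),     # a clearing activity (constructed for the example)
    Activity("a031", P),   # Unpack04.dll unpacking
]

if __name__ == "__main__":
    print(generate_detection_logic(Sig(pack=4, encryp=2), SETA, RULESET))
```

With Sig = <..., 04, ..., 02> the three rules fire and the result is a031, a037, S1, C1, i.e. the paper's <<a031, a037>, S1>; with a signature that is packed but not encrypted, R3 stays silent and the two preprocessing activities keep their merge order, which is the point of the design: the order is decided by the signature and rule base, not by engine code.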
is the number of behavior characteristic codes. To study the effect of the prototype engine's adjustment time on performance, an experiment scanning multiple executables with a single virus signature is run. Figure 1 shows that at the beginning of the test (that is, when the number of test files is less than 100) the prototype's testing time is longer than that of the conventional engine, because the traditional anti-virus engine is a static model with no engine adjustment time. This phenomenon is consistent with the theoretical analysis results. In the later period, as the number of tested files increases, part of the files to be detected have passed through packer and encryption processing; the prototype system dynamically adjusts and optimizes the virus detection logic, its Tm is less than the Tm of the AnSav engine, and so the detection performance is improved.

(Figure II plot: average file detect time (ms), 118 to 136, versus number of signatures, 5 to 20, for AnSav and the prototype)
FIGURE II. SINGLE TEST FILE WITH THE SIGNATURE CASES, PERFORMANCE COMPARISON.

Second, a performance experiment scanning a single file with more signatures is run. In the experiment, the prototype system's intelligent feature codes and ordinary signatures each account for 50%, while AnSav's are all common feature codes. The testing time T of the prototype system is as in Equation 3,

$T = \sum_{j=1}^{l} T_{mj} + \sum_{i=1}^{n} T_{ei} + \sum_{i=1}^{n} T_{mi}$ (3)

where l is the number of common feature codes, n is the number of intelligent signatures, and AnSav has its single-file scan time. Figure 2 shows that the detection performance of the conventional engine simply grows linearly with the number of signatures, whereas the number of intelligent signatures in the prototype system has a larger effect on performance, because the time increases linearly with the number of intelligent signatures n. Single-file signature matching is the worst case; the experimental results show that the performance bottleneck of the extensible engine is the dynamic adjustment part of the engine. In reality, the viruses that require modifying the detection engine are a minority, and most viruses can still be killed with the fixed detection process. According to related statistics on new Trojans in the first half of 2008, the company launched just 12 virus killing tools in 2008. On the basis of the third performance comparison experiment, in the experiment where the intelligent feature codes are in the minority, the number of files to be detected is 100 to 2000, the proportion of ordinary signatures to intelligent feature codes is 100:5, and the total number of feature codes is 105.

(Figure III plot: average file detect time (ms), 85 to 125, versus number of files, 0 to 2000, for AnSav and the prototype)
FIGURE III. PERFORMANCE COMPARISON OF RATIONAL DISTRIBUTION OF INTELLIGENT FEATURE CODES.

Figure 3 shows the comparison results: when the number of tested files exceeds 1000, the detection performance of the prototype system exceeds that of AnSav, which shows that with a large number of files the delay of the engine adjustment process is made up for, so the overall detection performance of the prototype system is better than that of AnSav. In summary, the simulation reflects that the prototype system can be extended to enhance and improve the detection capability for a new virus, and that under the condition of a rational distribution of the number of intelligent feature codes the overall performance of the system is improved.

ACKNOWLEDGMENT

Project supported by the Natural Science Foundation of Shandong Province, China (Grant No. ZR2014FL008) and the Scientific and Technical Development Project of Linyi (201412016).

REFERENCES

[1] G. Eason, B. Noble, and I. N. Sneddon, “On certain integrals of Lipschitz-Hankel type involving products of Bessel functions,” Phil. Trans. Roy. Soc. London, vol. A247, pp. 529–551, April 1955.
[2] J. Clerk Maxwell, A Treatise on Electricity and Magnetism, 3rd ed., vol. 2. Oxford: Clarendon, 1892, pp. 68–73.
[3] I. S. Jacobs and C. P. Bean, “Fine particles, thin films and exchange anisotropy,” in Magnetism, vol. III, G. T. Rado and H. Suhl, Eds. New York: Academic, 1963, pp. 271–350.
[4] K. Elissa, “Title of paper if known,” unpublished.
[5] R. Nicole, “Title of paper with only first word capitalized,” J. Name Stand. Abbrev., in press.
[6] M. Young, The Technical Writer's Handbook. Mill Valley, CA: University Science, 1989.