Author ORCID Identifier
Date of Award
Spring 6-9-2024
Document Type
Thesis (Undergraduate)
Department
Computer Science
First Advisor
Christophe Hauser
Abstract
Signature scanning is one of the oldest types of malware detection, and it remains an essential lightweight detection method for many antivirus programs. However, signature scanning has unavoidable limitations, including an inevitably increasing runtime as malware signature databases continually expand. In this paper, we discuss the current state of signature scanning, including usage of the open-source signature scanning tool YARA. We test Zemlyanaya et al.’s assertion that scanning only the beginning and end of files can reduce the runtime cost of signature database expansion — while maintaining a high level of accuracy — and find it inaccurate in the case of general scanning. However, by examining the behavior of specific rules during head-and-foot scanning, we argue that head-and-foot scanning can provide large runtime improvements with minimal accuracy loss, but only for a specific subset of malware signatures. Finally, we argue for further investigation into the prevalence of malware signatures amenable to head-and-foot scanning, as this may enable analysts to improve the runtime of malware detection tools.
Recommended Citation
Wilbur, Lucas Gray, "Implementing Selective Signature Scanning to Optimize Malware Detection" (2024). Computer Science Senior Theses. 46.
https://digitalcommons.dartmouth.edu/cs_senior_theses/46