Scott Schneider

Automatic Generation of String Signatures for Malware Detection

Scanning files for signatures is a proven technology, but exponential growth in unique malware programs has caused an explosion in signature database sizes. One solution to this problem is to use string signatures , each of which is a contiguous byte sequence that potentially can match many variants of a malware family. However, it is not clear how to automatically generate these string signatures with a sufficiently low false positive rate. Hancock is the first string signature generation system that takes on this challenge on a large scale. To minimize the false positive rate, Hancock features a scalable model that estimates the occurrence probability of arbitrary byte sequences in goodware programs, a set of library code identification techniques, and diversity-based heuristics that ensure the contexts in which a signature is embedded in containing malware files are similar to one another. With these techniques combined, Hancock is able to automatically generate string signatures with a false positive rate below 0.1%.

Norton Zone: Symantec's Secure Cloud Storage System

Cloud storage services are the way of the future, if not the present, but broad adoption is limited by a stark trade-off between privacy and functionality. Many popular cloud services provide search capabilities, but make only nominal efforts to keep user data fully private. Alternatives that search private user data on an untrusted server sacrifice functionality and/or scalability. We describe Norton Zone, Symantecs secure and scalable public storage system based on our valet security model. Whereas most commercial cloud storage systems secure user data with access control and legal mechanisms, Zones cryptographic techniques provide proven privacy guarantees. This gives users an extra layer of security without compromising functionality. Zones performance is comparable to unencrypted cloud storage systems that support search and sharing. We report on the design of Zone and the lessons learned in developing and deploying it in commercial, distributed datacenters scalable to millions of users.

A Simple, Fast, and Compact Static Dictionary

We present a new static dictionary that is very fast and compact, while also extremely easy to implement. A combination of properties make this algorithm very attractive for applications requiring large static dictionaries: 1 High performance, with membership queries taking O(1)-time with a near-optimal constant. 1 Continued high performance in external memory, with queries requiring only 1-2 disk seeks. If the dictionary has n items in

Modeling goodware characteristics to reduce false positive malware signatures

\left\{ 0, ..., m\!-\!1 \right\}

Selecting malware signatures to reduce false-positive detections

and d is the number of bytes retrieved from disk on each read, then the average number of seeks is

Systems and methods for byte-level context diversity-based automatic malware signature generation

\min\left(1.63, 1 + O\left( \frac{\sqrt{n} \log m}{d} \right)\right)

Selecting malware signatures based on malware diversity

. 1 Efficient use of space, storing n items from a universe of size m in

Systems and methods for searching shared encrypted files on third-party storage systems

n \log m - \frac{1}{2} n \log n + O\left(n + \log \log m\right)

Systems and methods for hashing executable files

bits. We prove this space bound with a novel application of the Kolmogorov-Smirnov distribution. 1 Simplicity, with a 20-line pseudo-code construction algorithm and 4-line query algorithm.