A New Malware Detection Method Based on VMCADR in Cloud Environments
Algorithm 1
The basic flow of the MDIFF algorithm.
Input: original memory snapshot, memory snapshot of the running test program
Output: MCA file
old denotes the original memory snapshot (oldsize bytes) and new denotes the memory snapshot of the running test program (newsize bytes). lastscan, lastpos and lastoffset describe the former completely matched area: new[lastscan, ...] is aligned with old[lastpos, ...] and lastoffset = lastpos - lastscan; scan, lastscan, lastpos and lastoffset all start at 0.
Faster suffix sorting (old)
Return the lexicographic order I of the suffixes of old;
While (scan < newsize)
{
By using the lexicographic order I, find the position pos in old that maximizes the k for which new[scan, scan + k] = old[pos, pos + k].
Return len = k + 1 (the length of the matched area) and offset = pos - scan.
If new[scan, scan + len] also matches old at the former offset, i.e. old[scan + lastoffset, scan + lastoffset + len], byte for byte, the match only continues the former completely matched area: advance scan by len and continue.
If the match found at pos exceeds the match at the former offset lastoffset by more than 8 bytes, then
Compute the forward extension lenf of the former completely matched area (starting at new[lastscan], aligned with old[lastpos]) and the backward extension lenb of the latter completely matched area (ending at new[scan], aligned with old[pos]). The remaining part between the two completely matched areas, new[lastscan + lenf, scan - lenb], is used as MCA(i) (i = 1, 2, ..., n).
Return lenf, lenb, MCA(i); set lastscan = scan - lenb, lastpos = pos - lenb, lastoffset = pos - scan.
else
Advance scan by one byte and continue.
}
Integrate all MCA(i) areas into one MCA file. The MCA file obtained is the final output.
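The following Python program is an added worked example of Algorithm 1 and is not code from the paper. Its control flow follows the scan of bsdiff, which the algorithm paraphrases (suffix order I, longest-match search, the 8-byte rule, the lenf/lenb extensions). Everything not stated on the page is an assumption made here: the function names, the exact (byte-for-byte) forward and backward extensions, the anchoring of the backward extension at the end of the last match once new is exhausted, the use of k (the Python slice length) where the page writes len = k + 1, and the three constructed snapshots, which are not real memory dumps.

```python
"""Added illustration of Algorithm 1 (MDIFF); not the paper's own code.
Control flow follows bsdiff. Assumptions made here: extensions are exact
byte matches (so every modified byte of new lands in an MCA) and, once new
is exhausted, the backward extension is anchored at the end of the last match."""

MISMATCH_THRESHOLD = 8  # the "more than 8 bytes" rule of Algorithm 1


def suffix_sort(old: bytes) -> list:
    """Lexicographic order I of the suffixes of old (a plain sort stands in
    for the paper's 'faster suffix sorting'; fine for small snapshots)."""
    return sorted(range(len(old)), key=lambda i: old[i:])


def longest_match(old: bytes, order: list, new: bytes, scan: int):
    """Return (k, pos): pos in old maximising k with new[scan:scan+k] == old[pos:pos+k].
    The best suffix is a neighbour of new[scan:] in the sorted order."""
    target = new[scan:]
    lo, hi = 0, len(order)
    while lo < hi:  # binary search for the insertion point of target
        mid = (lo + hi) // 2
        if old[order[mid]:] < target:
            lo = mid + 1
        else:
            hi = mid
    best_len, best_pos = 0, 0
    for idx in (lo - 1, lo):
        if 0 <= idx < len(order):
            suffix, k = old[order[idx]:], 0
            while k < min(len(suffix), len(target)) and suffix[k] == target[k]:
                k += 1
            if k > best_len:
                best_len, best_pos = k, order[idx]
    return best_len, best_pos


def extend_forward(old, new, opos, npos, limit):
    """Bytes from (opos, npos) onward that match exactly, not reaching limit in new."""
    i = 0
    while npos + i < limit and opos + i < len(old) and old[opos + i] == new[npos + i]:
        i += 1
    return i


def extend_backward(old, new, opos, npos, limit):
    """Bytes before (opos, npos) that match exactly, not crossing limit in new."""
    i = 0
    while npos - i > limit and opos - i > 0 and old[opos - i - 1] == new[npos - i - 1]:
        i += 1
    return i


def mdiff(old: bytes, new: bytes) -> list:
    """MCA regions as (start, end) ranges of new: the bytes left between the
    forward extension of the former matched area and the backward extension
    of the latter one."""
    order = suffix_sort(old)
    oldsize, newsize = len(old), len(new)
    scan = length = pos = 0
    lastscan = lastpos = lastoffset = 0
    regions = []
    while scan < newsize:
        oldscore = 0  # bytes of the candidate match already explained by lastoffset
        scsc = scan = scan + length
        while scan < newsize:
            length, pos = longest_match(old, order, new, scan)
            while scsc < scan + length:
                if 0 <= scsc + lastoffset < oldsize and old[scsc + lastoffset] == new[scsc]:
                    oldscore += 1
                scsc += 1
            # stop here if the match merely continues the former alignment, or
            # if it beats the former alignment by more than 8 bytes
            if (length == oldscore and length != 0) or length > oldscore + MISMATCH_THRESHOLD:
                break
            if 0 <= scan + lastoffset < oldsize and old[scan + lastoffset] == new[scan]:
                oldscore -= 1
            scan += 1
        if length != oldscore or scan == newsize:
            lenf = extend_forward(old, new, lastpos, lastscan, scan)
            # anchor of the latter match: its start, or its end once new is exhausted
            anchor = pos + length if scan == newsize else pos
            lenb = extend_backward(old, new, anchor, scan, lastscan)
            start, end = lastscan + lenf, scan - lenb
            if end > start:
                regions.append((start, end))
            lastscan, lastpos, lastoffset = scan - lenb, anchor - lenb, anchor - scan
    return regions


def mca_file(new: bytes, regions: list) -> bytes:
    """Integrate all MCA(i) areas into one MCA file (their concatenation)."""
    return b"".join(new[s:e] for s, e in regions)


# Constructed snapshots (not real dumps): a clean code region, the same region
# with its license check NOPed out in place, and the same region with a
# payload injected before the tail, which shifts the tail by len(PAYLOAD).
CODE_HEAD = b"push rbp; mov rbp, rsp; "
LICENSE_CHECK = b"call verify_license; test eax, eax; jz fail; "
CODE_TAIL = b"mov eax, 1; pop rbp; ret; "
PAYLOAD = b"\x90" * 16 + b"\xcc"
OLD_SNAPSHOT = CODE_HEAD + LICENSE_CHECK + CODE_TAIL
PATCHED_SNAPSHOT = CODE_HEAD + b"\x90" * len(LICENSE_CHECK) + CODE_TAIL
INJECTED_SNAPSHOT = CODE_HEAD + LICENSE_CHECK + PAYLOAD + CODE_TAIL
```

Running mdiff(OLD_SNAPSHOT, PATCHED_SNAPSHOT) reports exactly the NOPed range as the single MCA, even though the layout did not move, because the tail still matches at the former offset and the in-place change is what remains between the two extensions. Running it on INJECTED_SNAPSHOT reports only the payload bytes: the tail has shifted, so it is found at a new offset that beats the former alignment by more than 8 bytes and the block is closed. The 8-byte rule means a matching run of 8 bytes or fewer after an unmatched stretch is not trusted as a new alignment, so a very short tail may be folded into the MCA; a detector should therefore treat MCA boundaries as approximate when the surrounding matched areas are that short.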