Showing papers on "Trojan published in 2011"

Earth’s Trojan asteroid

Abstract: More than 200 years ago, mathematician Joseph-Louis Lagrange predicted the existence of what became known as Trojan asteroids — small bodies that can stably share the orbit of a planet if they remain near 'triangular points' 60° ahead of or behind it in its orbit. Jupiter has thousands of Trojans; Mars and Neptune have some too. Now Earth is shown to have a Trojan. A search of data collected by NASA's Wide-field Infrared Survey Explorer (WISE) satellite revealed the asteroid 2010 TK7 as a strong candidate, and subsequent optical observations confirm its status as a Trojan companion of Earth, oscillating around the L4 (leading) Lagrange triangular point. It was realized in 1772 that small bodies can stably share the same orbit as a planet if they remain near ‘triangular points’ 60° ahead of or behind it in the orbit1. Such ‘Trojan asteroids’ have been found co-orbiting with Jupiter2, Mars3 and Neptune4. They have not hitherto been found associated with Earth, where the viewing geometry poses difficulties for their detection5, although other kinds of co-orbital asteroid (horseshoe orbiters6 and quasi-satellites7) have been observed8. Here we report an archival search of infrared data for possible Earth Trojans, producing the candidate 2010 TK7. We subsequently made optical observations which established that 2010 TK7 is a Trojan companion of Earth, librating around the leading Lagrange triangular point, L4. Its orbit is stable over at least ten thousand years.

Near-infrared spectroscopy of trojan asteroids: evidence for two compositional groups

Abstract: The Trojan asteroids, a very substantial population of primitive bodies trapped in Jupiter's stable Lagrange regions, remain quite poorly understood. Because they occupy these orbits, the physical properties of Trojans provide a unique perspective on the chemical and dynamical processes that shaped the Solar System. The current study was therefore undertaken to investigate surface compositions of these objects. We present 66 new near-infrared (NIR; 0.7-2.5??m) spectra of 58 Trojan asteroids, including members of both the leading and trailing swarms. We also include in the analysis previously published NIR spectra of 13 Trojans (3 of which overlap with the new sample). This data set permits not only a direct search for compositional signatures, but also a search for patterns that may reveal clues to the origin of the Trojans. We do not report any confirmed absorption features in the new spectra. Analysis of the spectral slopes, however, reveals an interesting bimodality among the NIR data. The two spectral groups identified appear to be equally abundant in the leading and trailing swarms. The spectral groups are not a result of family membership; they occur in the background, non-family population. The average albedos of the two groups are the same within uncertainties (0.051 ? 0.016 and 0.055 ? 0.016). No correlations between spectral slope and any other physical or orbital parameter are detected, with the exception of a possible weak correlation with inclination among the less-red spectral group. The NIR spectral groups are consistent with a similar bimodality previously suggested among visible colors and spectra. Synthesizing the present results with previously published properties of Trojans, we conclude that the two spectral groups represent objects with different intrinsic compositions. We further suggest that whereas the less-red group originated near Jupiter or in the main asteroid belt, the redder spectral group originated farther out in the Solar System. If this suggestion is correct, the Trojan swarms offer the most readily accessible large reservoir of Kuiper Belt material as well as a unique reservoir for the study of material from the middle part of the solar nebula.

TeSR: A robust Temporal Self-Referencing approach for Hardware Trojan detection

Abstract: Malicious modification of integrated circuits, referred to as Hardware Trojans, in untrusted fabrication facility has emerged as a major security threat. Logic testing approaches are not very effective for detecting large sequential Trojans which require multiple state transitions often triggered by rare circuit events in order to activate and cause malfunction. On the other hand, side-channel analysis has emerged as an effective approach for detection of such large sequential Trojans. However, existing side-channel approaches suffer from large reduction in detection sensitivity with increasing process variations or decreasing Trojan size. In this paper, we propose TeSR, a Temporal Self-Referencing approach that compares the current signature of a chip at two different time windows to completely eliminate the effect of process noise, thus providing high detection sensitivity for Trojans of varying size. Furthermore, unlike existing approaches, it does not require golden chip instances as a reference. Simulation results for three complex designs and three representative sequential Trojan circuits demonstrate the effectiveness of the approach under large inter- and intra-die process variations.

RON: An on-chip ring oscillator network for hardware Trojan detection

Abstract: Integrated circuits (ICs) are becoming increasingly vulnerable to malicious alterations, referred to as hardware Trojans. Detection of these inclusions is of utmost importance, as they may potentially be inserted into ICs bound for military, financial, or other critical applications. A novel on-chip structure including a ring oscillator network (RON), distributed across the entire chip, is proposed to verify whether the chip is Trojan-free. This structure effectively eliminates the issue of measurement noise, localizes the measurement of dynamic power, and additionally compensates for the impact of process variations. Combined with statistical data analysis, the separation of process variations from the Trojan contribution to the circuit's transient power is made possible. Simulation results featuring Trojans inserted into a benchmark circuit using 90nm technology and experimental results on Xilinx Spartan-3E FPGA demonstrate the efficiency and scalability of the RON architecture for Trojan detection.

A Unified Framework for Multimodal Submodular Integrated Circuits Trojan Detection

Abstract: This paper presents a unified formal framework for integrated circuits (ICs) Trojan detection that can simultaneously employ multiple noninvasive side-channel measurement types (modalities). After formally defining the IC Trojan detection for each side-channel measurement and analyzing the complexity, we devise a new submodular formulation of the problem objective function. Based on the objective function properties, an efficient Trojan detection method with strong approximation and optimality guarantees is introduced. Signal processing methods for calibrating the impact of interchip and intrachip correlations are presented. We define a new sensitivity metric that formally quantifies the impact of modifications to each existing gate that is affected by Trojan. Using the new metric, we compare the Trojan detection capability of different measurement types for static (quiescent) current, dynamic (transient) current, and timing (delay) side-channel measurements. We propose four methods for combining the detection results that are gained from different measurement modalities and show how the sensitivity results can be used for a systematic combining of the detection results. Experimental evaluations on benchmark designs reveal the low-overhead and effectiveness of the new Trojan detection framework and provides a comparison of different detection combining methods.

Trojan data layouts: right shoes for a running elephant

Abstract: MapReduce is becoming ubiquitous in large-scale data analysis Several recent works have shown that the performance of Hadoop MapReduce could be improved, for instance, by creating indexes in a non-invasive manner However, they ignore the impact of the data layout used inside data blocks of Hadoop Distributed File System (HDFS) In this paper, we analyze different data layouts in detail in the context of MapReduce and argue that Row, Column, and PAX layouts can lead to poor system performance We propose a new data layout, coined Trojan Layout, that internally organizes data blocks into attribute groups according to the workload in order to improve data access times A salient feature of Trojan Layout is that it fully preserves the fault-tolerance properties of MapReduce We implement our Trojan Layout idea in HDFS 0203 and call the resulting system Trojan HDFS We exploit the fact that HDFS stores multiple replicas of each data block on different computing nodes Trojan HDFS automatically creates a different Trojan Layout per replica to better fit the workload As a result, we are able to schedule incoming MapReduce jobs to data block replicas with the most suitable Trojan Layout We evaluate our approach using three real-world workloads We compare Trojan Layouts against Hadoop using Row and PAX layouts The results demonstrate that Trojan Layout allows MapReduce jobs to read their input data up to 48 times faster than Row layout and up to 35 times faster than PAX layout

Design and analysis of ring oscillator based Design-for-Trust technique

Abstract: Due to the increasing opportunities for malicious inclusions in hardware, Design-for-Trust (DFTr) is emerging as an important IC design methodology. In order to incorporate the DFTr techniques into the IC development cycle, they have to be practical in terms of their Trojan detection capabilities, hardware overhead, and test cost. We propose a non-invasive DFTr technique, which can detect Trojans in the presence of process variations and measurement errors. This technique can detect Trojans that are inserted in all or a subset of the ICs. It is applicable to both ASICs and FPGA implementations. Circuit paths in a design are reconfigured into ring oscillators1 (ROs) by adding a small amount of logic. Trojans are detected by observing the changes in the frequency of the ROs. An algorithm is provided to secure all the gates, while reducing the hardware overhead. We analyzed the coverage, area and test time overhead of the proposed DFTr technique. To demonstrate its effectiveness in the real world, the proposed technique had been validated by a red-team blue-team approach.

Security Against Hardware Trojan Attacks Using Key-Based Design Obfuscation

Abstract: Malicious modification of hardware in untrusted fabrication facilities, referred to as hardware Trojan, has emerged as a major security concern. Comprehensive detection of these Trojans during post-manufacturing test has been shown to be extremely difficult. Hence, it is important to develop design techniques that provide effective countermeasures against hardware Trojans by either preventing Trojan attacks or facilitating detection during test. Obfuscation is a technique that is conventionally employed to prevent piracy of software and hardware intellectual property (IP). In this work, we propose a novel application of key-based circuit structure and functionality obfuscation to achieve protection against hardware Trojans triggered by rare internal circuit conditions. The proposed obfuscation scheme is based on judicious modification of the state transition function, which creates two distinct functional modes: normal and obfuscated. A circuit transitions from the obfuscated to the normal mode only upon application of a specific input sequence, which defines the key. We show that it provides security against Trojan attacks in two ways: (1) it makes some inserted Trojans benign, i.e. they become effective only in the obfuscated mode; and (2) it prevents an adversary from exploiting the true rare events in a circuit to insert hard-to-detect Trojans. The proposed design methodology can thus achieve simultaneous protection from hardware Trojans and hardware IP piracy. Besides protecting ICs against Trojan attacks in foundry, we show that it can also protect against malicious modifications by untrusted computer-aided design (CAD) tools in both SoC and FPGA design flows. Simulation results for a set of benchmark circuits show that the scheme is capable of achieving high levels of security against Trojan attacks at modest area, power and delay overhead.

An Experimental Analysis of Power and Delay Signal-to-Noise Requirements for Detecting Trojans and Methods for Achieving the Required Detection Sensitivities

Abstract: New validation methods are needed for ensuring integrated circuit (IC) Trust, and in particular for detecting hardware Trojans. In this paper, we investigate the signal-to-noise ratio (SNR) requirements for detecting Trojans by conducting ring oscillator (RO) experiments on a set of V2Pro FPGAs. The ROs enable a high degree of control over the switching activity in the FPGAs while simultaneously permitting subtle delay and transient power supply anomalies to be introduced through simple modifications to the RO logic structure. Power and delay analyses are first carried out across a set of FPGAs using RO configurations that emulate Trojan-free conditions. These experiments are designed to determine the magnitude of process and environmental (PE) variations, and are used to establish statistical limits on the noise floor for the subsequent emulated Trojan experiments. The emulated Trojan experiments introduce anomalies in power and delay in subtle ways as additional loads and series inserted gates. The data from both experiments is used to determine the detection sensitivity of several statistical methods to the transient anomalies introduced by these types of design modifications. A calibration technique is proposed that improves sensitivity to small transient anomalies significantly. Finally, we describe testing techniques that enable high resolution measurements of power and delay to support the proposed calibration and statistics-based detection methods.

Sequential hardware Trojan: Side-channel aware design and placement

Abstract: Various design-for-security (DFS) approaches have been proposed earlier for detection of hardware Trojans, which are malicious insertions in Integrated Circuits (ICs). In this paper, we highlight our major findings in terms of innovative Trojan design that can easily evade existing Trojan detection approaches based on functional testing or side-channel analysis. In particular, we illustrate design and placement of sequential hardware Trojans, which are rarely activated/observed and incur ultralow delay/power overhead. We provide models, examples, theoretical analysis of effectiveness, and simulation as well as measurement results of impact of these Trojans in a hardened design. It is shown that efficient design and placement of sequential Trojan would incur extremely low side-channel (power, delay) signature and hence, can easily evade both post-silicon validation and DFS (e.g. ring oscillator based) approaches.

ODETTE: A non-scan design-for-test methodology for Trojan detection in ICs

Abstract: In this paper, we propose a two-step non-scan design-for-test methodology that can ease detection of an embedded Trojan and simultaneously partially obfuscates a design against Trojan implantations. In the first step, we use Q signals of flip-flops in a circuit to increase the number of reachable states. In the second step, we partition these flip-flops into different groups enhancing the state-space variation. Creation of these new reachable states helps to trigger and propagate the Trojan effect more easily. Experimental results on ISCAS'89 benchmarks show that this method can effectively uncover Trojans which are otherwise very difficult to detect in the normal functional mode. In addition, partitioning the flip-flops of the circuit into different groups and selecting the output (Q or Q) based on input controlled ENABLE signals conceal its actual functionality beyond simple recognition thereby making it difficult for the adversary to implant Trojans.

A System-On-Chip Bus Architecture for Thwarting Integrated Circuit Trojan Horses

Abstract: While the issue of Trojan ICs has been receiving increasing amounts of attention, the overwhelming majority of anti-Trojan measures aim to address the problem during verification. While such methods are an important part of an overall anti-Trojan strategy, it is statistically inevitable that some Trojans will escape verification-stage detection, in particular in light of the increasing size and complexity of system-on-chip (SoC) solutions and the increasing use of third-party designs. In contrast with much of the previous work in this area, we specifically focus on run-time methods to identify the attacks of a Trojan and to adapt the system and respond accordingly. We describe a solution including a bus architecture in which the arbitration, address decoding, multiplexing, wrapping, and other components protect against malicious use of the bus.

Origin and dynamical evolution of Neptune Trojans – II. Long-term evolution

Abstract: Following our earlier work studying the formation of the Neptunian Trojan population during the planet's migration, we present results examining the eventual fate of the Trojan clouds produced in that work. A large number of Trojans were followed under the gravitational influence of the giant planets for a period of at least 1Gyr. We find that the stability of Neptunian Trojans seems to be strongly correlated to their initial post-migration orbital elements, with those objects that survive as Trojans for billions of years, displaying negligible orbital evolution. The great majority of these survivors began the integrations with small eccentricities (e 20°. Dynamical integrations of the presently observed Trojans show that five out of the seven are dynamically stable on time-scales comparable to the age of the Solar system, while 2001 QR322 exhibits significant dynamical instability on time-scales of less than 1 Gyr. The seventh Trojan object, 2008 LC18, was only recently discovered and has such large orbital uncertainties that only future studies will be able to determine its stability.

Eurybates — the only asteroid family among Trojans?

Abstract: We study orbital and physical properties of Trojan asteroids of Jupiter. We try to discern all families previously discussed in literature, but we conclude there is only one significant family among Trojans, namely the cluster around asteroid (3548) Eurybates. It is the only cluster, which has all of the following characteristics: (i) it is clearly concentrated in the proper-element space; (ii) size-frequency distribution is different from background asteroids; (iii) we have a reasonable collisional/dynamical model of the family. Henceforth, we can consider it as a real collisional family. We also report a discovery of a possible family around the asteroid (4709) Ennomos, composed mostly of small asteroids. The asteroid (4709) Ennomos is known to have a very high albedo pV ≃ 0.15, which may be related to a hypothetical cratering e

Detecting a trojan horse

Abstract: A method and apparatus for detected a Trojan in a suspicious software application in the form of at least one electronic file. A computer device determines the source from which the suspicious software application was obtained. A comparison is then made between the source from which the suspicious software application was obtained and a source from which an original, clean version of the software application was obtained. If the sources differ, then it is determined that the suspicious application is more likely to contain a Trojan horse than if the sources were the same.

A near-infrared search for silicates in jovian trojan asteroids

Abstract: We obtained near-infrared (NIR; 0.8–2.5 μm) spectra of seven Jovian Trojan asteroids that have been formerly reported to show silicate-like absorption features near 1 μm. Our sample includes the Trojan (1172) Aneas, which is one of the three Trojans known to possess a comet-like 10 μm emission feature, indicative of fine-grained silicates. Our observations show that all seven Trojans appear featureless in high signal-to-noise ratio spectra. The simultaneous absence of the 1 μm band and the presence of the 10 μm emission can be understood if the silicates on (1172) Aneas are iron-poor. In addition, we present NIR observations of five optically gray Trojans, including three objects from the collisionally produced Eurybates family. The five gray Trojans appear featureless in the NIR with no diagnostic absorption features. The NIR spectrum of Eurybates can be best fitted with the spectrum of a CM2 carbonaceous chondrite, which hints that the C-type Eurybates family members may have experienced aqueous alteration.

Detection of computer network data streams from a malware and its variants

Abstract: Computer network data streams generated by a Trojan program and its variants are detected by receiving a relevance pattern in a client computer. An antivirus in the client computer detects a computer network data stream from the Trojan program communicating with an associated malicious server computer. The antivirus checks the computer network data stream for network characteristics of the Trojan program and one or more of its variants indicated in the relevance pattern. The network characteristics may include the order that HTTP headers and/or commands appear in network communications from the Trojan program and its variants.

Circumventing a ring oscillator approach to FPGA-based hardware Trojan detection

Abstract: Ring oscillators are commonly used as a locking mechanism that binds a hardware design to a specific area of silicon within an integrated circuit (IC) This locking mechanism can be used to detect malicious modifications to the hardware design, also known as a hardware Trojan, in situations where such modifications result in a change to the physical placement of the design on the IC However, careful consideration is needed when designing ring oscillators for such a scenario to guarantee the integrity of the locking mechanism This paper presents a case study in which flaws discovered in a ring oscillator-based Trojan detection scheme allowed for the circumvention of the security mechanism and the implementation of a large and diverse set of hardware Trojans, limited only by hardware resources

Design of hardware trojan horse based on counter

Abstract: With globalization of the semiconductor design and fabrication process, hardware Trojan has become a new threat which risks to the security of integrated circuit. An adversary can design a Trojan to destroy a system or leak confidential information which is difficult for chip validation processes, such as manufacturing test, to detect. To facilitate research in this area, a better understanding of what Hardware Trojans would look like and what impact they would incur to a circuit is required. In this paper, a counter-based hardware Trojan horse within 8 LED marquee circuit is designed and implemented. First, a counter-based Trojan is designed and simulated functionally by ModelSim SE 6.2b. It is difficult to be activated and detected using random stimuli. Next, a marquee circuit is designed in Verilog HDL, which is used as a target circuit to implement and analyze the hardware Trojan. Marquee circuit was simulated by simulation tool, and implemented on a Spartan-3E Starter Kit Board. To this end, we insert the counter-based hardware Trojan into the marquee circuit to implement on a Spartan-3E Starter Kit Board. The experiment's result shows that this type of the hardware Trojan is very flexible, it can be easily embedded in the target circuit and not easily found.

Method for extracting behavior characteristics of Trojan communication based on network data flow analysis

Abstract: The invention relates to a method for extracting the behavior characteristics of Trojan communication based on network data flow analysis. The Trojan communication process is particularly divided into three stages, i.e., a connection establishing stage, a connection keeping non-operation stage and an operating stage. The method comprises the following steps of: at the connection establishing stage, extracting a DNS (Domain Name System) response IP (Internet Protocol) abnormity characteristic and a DNS request flow abnormity characteristic; at the connection keeping non-operation stage, sorting captured TCP (Transmission Control Protocol) data according to a network session and extracting a session statistical characteristic, i.e., the stability of 'heartbeat interval' is smaller than a threshold value; and at the operating stage, sorting the captured TCP data according to the network session and extracting characteristics, including communication duration, the quantity of communication packets, the upload communications volume of a controlled host, the ratio of the quantity of session receiving packets to the quantity of session packets and the ratio of the upload communications volume of controlled end to the download communications volume. By adopting the method, overall detection can be performed on Trojan communication, and high performance and computing efficiency are achieved.

Implementing hardware Trojans: Experiences from a hardware Trojan challenge

Abstract: Hardware Trojans have become a growing concern in the design of secure integrated circuits. In this work, we present a set of novel hardware Trojans aimed at evading detection methods, designed as part of the CSAW Embedded System Challenge 2010. We introduced and implemented unique Trojans based on side-channel analysis that leak the secret key in the reference encryption algorithm. These side-channel-based Trojans do not impact the functionality of the design to minimize the possibility of detection. We have demonstrated the statistical analysis approach to attack such Trojans. Besides, we introduced Trojans that modify either the functional behavior or the electrical characteristics of the reference design. Novel techniques such as a Trojan draining the battery of a device do not have an immediate impact and hence avoid detection, but affect the long term reliability of the system.

DISTROY: detecting integrated circuit Trojans with compressive measurements

Abstract: Detecting Trojans in an integrated circuit (IC) is an important but hard problem. A Trojan is malicious hardware--it can be extremely small in size and dormant until triggered by some unknown circuit state. To allow wake-up, a Trojan could draw a minimal amount of power, for example, to run a clock or a state machine, or to monitor a triggering event. We introduce DISTROY (Discover Trojan), a new approach that can efficiently and reliably detect extremely small background power leakage that a Trojan creates and as a result, we can detect the Trojan. We formulate our method based on compressive sensing, a recent advance in signal processing, which can recover a signal using the number of measurements approximately proportional to its sparsity rather than size. We argue that circuit states in which the Trojan background power consumption stands out are rare, and thus sparse, so that we can apply compressive sensing. We describe how this is done in DISTROY so as to afford sufficient measurement statistics to detect the presence of Trojans. Finally, we present our initial simulation results that validate DISTROY and discuss the impact of our work in the field of hardware security.

Banksafe information stealer detection inside the web browser

Abstract: Information stealing and banking trojans have become the tool of choice for cyber criminals for various kinds of cyber fraud. Traditional security measures like common antivirus solutions currently do not provide sufficient reactive nor proactive detection for this type of malware. In this paper, we propose a new approach on detecting banking trojan infections from inside the web browser called Banksafe. Banksafe detects the attempts of illegitimate software to manipulate the browsers‘ networking libraries, a common technique used in widespread information stealer trojans. We demonstrate the effectiveness of our solution with evaluations of the detection and classification of samplesets consisting of several malware families targetting the Microsoft Windows operating system. Furthermore we show the effective prevention of possible false positives of the approach.

A power analysis based approach to detect Trojan circuits

Abstract: Because of globalization of the semiconductor industry, the IC fabrication is increasingly outsourced. This poses a significant risk for integrated circuits (ICs) used for security critical applications. Attackers can maliciously alter the ICs during fabrication in untrusted foundries. In the case of ICs bought externally, they may have hidden functions that users would never know. These malicious alterations and hidden functions are also referred to as “Hardware Trojan”. It is extremely difficult to discover such Trojan circuits using conventional testing strategies. In this paper, we propose a nondestructive, power analysis based Trojan detection approach which is able to detect Trojan circuits in the presence of large noise. The approach is validated using 90nm FPGA (Xilinx Spartan-3E) chips. Experimental results with a 64-bit Data Encryption Standard (DES) cipher circuit show that Trojans which are 2 orders of magnitude smaller than the DES circuit can be detected by using statistic signal processing techniques.

Hardware Trojan Side-Channels Based on Physical Unclonable Functions

Abstract: The separation design and fabrication process in the semiconductor industry leads to potential threats such as trojan side-channels (TSCs). In this paper we design a new family of TSCs from physical unclonable functions (PUFs). In particular, a dedicated attack on the PRESENT block cipher is described by using our PUF-based TSCs. Finally we analyze the performance of our PUF-based TSCs and discuss other potential applications.

Red team: Design of intelligent hardware trojans with known defense schemes

Abstract: In the past few years, several Trojan detection approaches have been developed to prevent the damages caused by Trojans, making Trojan insertion more and more difficult. As part of the Embedded Systems Challenge (ESC), we were given two different designs with two different Trojan detection methods, and we tried to design Trojans which could avoid detection. We developed Trojans that remain undetectable by the delay fingerprinting and ring-oscillator monitoring Trojan detection methods embedded into these benchmarks. Experimental results on a Xilinx FPGA demonstrate that most of our hardware Trojans were undetected using the inserted detection mechanisms.

Case studies of habitable Trojan planets in the system of HD 23079

Abstract: We investigate the possibility of habitable Trojan planets in the HD 23079 star–planet system. This system consists of a solar-type star and a Jupiter-type planet, which orbits the star near the outer edge of the stellar habitable zone in an orbit of low eccentricity. We find that in agreement with previous studies Earth-mass habitable Trojan planets are possible in this system, although the success of staying within the zone of habitability is significantly affected by the orbital parameters of the giant planet and by the initial condition of the theoretical Earth-mass planet. In one of our simulations, the Earth-mass planet is captured by the giant planet and thus becomes a habitable moon.

A Novel Approach to Trojan Horse Detection in Mobile Phones Messaging and Bluetooth Services

Abstract: A method to detect Trojan horses in messaging and Bluetooth in mobile phones by means of monitoring the events produced by the infections is presented in this paper. The structure of the detection approach is split into two modules: the first is the Monitoring module which controls connection requests and sent/received files, and the second is the Graphical User module which shows messages and, under suspicious situations, reports the user about a possible malware. Prototypes have been implemented on different mobile operating systems to test its feasibility on real cellphone malware. Experimental results are shown to be promising since this approach effectively detects various known malware.