Pathfinder - Malicious Code Analysis and Detection
01.03.2007 - 30.09.2009
Research funding project
Malware, such as viruses, worms, or spyware, is defined as software that fulfills the deliberately harmful intent of an attacker when run. Current systems to detect malicious code (such as virus scanners) are mostly based on syntactic signatures, which specify byte sequences that are characteristic of a particular malware instance. Unfortunately, this approach necessitates frequent updates to the signature database and lacks the ability to identify malware code that mutates while reproducing or spreading across the network.

In this project, we research techniques to obtain a more general and robust description of malicious code that is not affected by syntactic changes. In particular, the goal is to develop techniques to analyze and capture the behavior of binary code. A behavioral description is more abstract and semantically richer than a syntactic signature and allows us to detect entire classes of malware instead of individual instances. The behavior of a program is expressed in terms of its interaction with the environment; in particular, we are interested in the system calls that a program invokes. However, we consider not only the types of calls that are made, but also the dependencies between system calls and the constraints on their arguments.

We propose to develop Minesweeper, a system that is capable of extracting the behavior of unknown executables by generating characteristic system call profiles. To this end, the system has to fulfill two tasks. The first task is to determine which system calls an unknown executable can invoke; we aim to use dynamic code analysis and explore multiple execution paths to obtain a comprehensive set of system call traces. Based on these traces, the second task is to derive a profile that extracts the characteristic subset of system calls, together with their dependencies and arguments.
Characteristic profiles of malware programs can be used by human analysts to quickly understand the purpose of malicious code and to reveal its hidden functionality. In addition, these profiles allow a virus scanner to automatically detect obfuscated variations of malware programs and even novel instances.
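As an added illustration (not the project's own code), the following Python sketch shows the kind of behavioral profile the description above refers to: a sequence of system calls with argument constraints and data dependencies (a returned handle flowing into a later call, a written path reused as a launched image), matched against constructed traces. The call names, traces and matcher are constructed here and are not taken from Minesweeper; a trace that differs syntactically (other file names, interleaved unrelated calls) still matches, while a benign save with the same call names does not.

```python
from typing import Dict, List, Optional, Tuple

# One event in a system call trace: (call name, arguments, return value).
Event = Tuple[str, Dict[str, object], object]
class Node:
    """Profile node: call name, argument predicates, and data dependencies
    (argument -> (earlier node index, "ret" or argument name) it must equal)."""
    def __init__(self, call: str, constraints=None, depends=None):
        self.call, self.constraints, self.depends = call, constraints or {}, depends or {}
def _value(ev: Event, source: str) -> object:
    return ev[2] if source == "ret" else ev[1].get(source)
def match_profile(profile: List[Node], trace: List[Event]) -> Optional[List[int]]:
    """Bind the profile's nodes in order to distinct trace events and return their
    indices, or None; calls the profile does not name are skipped as noise."""
    def search(k: int, start: int, bound: List[int]) -> Optional[List[int]]:
        if k == len(profile):
            return bound
        node = profile[k]
        for i in range(start, len(trace)):
            name, args, _ = trace[i]
            if name != node.call:
                continue
            if not all(p(args.get(a)) for a, p in node.constraints.items()):
                continue
            if not all(args.get(a) == _value(trace[bound[j]], s)
                       for a, (j, s) in node.depends.items()):
                continue
            found = search(k + 1, i + 1, bound + [i])
            if found is not None:
                return found
        return None
    return search(0, 0, [])

# Constructed profile: write an executable to disk, then launch that same file.
DROP_AND_RUN = [
    Node("NtCreateFile", {"path": lambda p: str(p).lower().endswith(".exe")}),
    Node("NtWriteFile", depends={"handle": (0, "ret")}),
    Node("NtCreateProcess", depends={"image": (0, "path")}),
]
# Constructed traces (not real samples): a match with interleaved noise, and a benign save.
DROPPER = [
    ("NtQueryValueKey", {"key": "HKLM\\Software\\Example"}, 0),
    ("NtCreateFile", {"path": "C:\\Users\\x\\update.EXE"}, 0x40),
    ("NtWriteFile", {"handle": 0x40, "size": 20480}, 20480),
    ("NtCreateProcess", {"image": "C:\\Users\\x\\update.EXE"}, 0x41),
]
BENIGN_SAVE = [
    ("NtCreateFile", {"path": "C:\\Users\\x\\notes.txt"}, 0x50),
    ("NtWriteFile", {"handle": 0x50, "size": 120}, 120),
]
```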
People
Project leader
Wolfgang Kastner (E183)
Sub project leader
Christopher Krügel (E183)
Project personnel
Manuel Egele (E183)
Hanno Fallmann (E183)
Christoph Karlberger (E183)
Engin Kirda (E183)
Clemens Kolbitsch (E183)
Paolo Milani Comparetti (E183)
Andreas Moser (E183)
Thomas Otterbein (E183)
Daniel Scheidle (E183)
Martin Szydlowski (E183)
Peter Wurzinger (E183)
Institute
E183 - Institut für Rechnergestützte Automation
Funding
FFG - Österreichische Forschungsförderungsgesellschaft mbH (National)
Research focus
Distributed and Parallel Systems: 80%
Computational Intelligence: 20%
Keywords (German / English)
Sicherheit / Safety
Malware / Malicious Code
External partner
Secure Business Austria Verein zur Förderung der IT-Sicherheit in Österreich
IKARUS Security Software GmbH
Publications