Pathfinder - Malicious Code Analysis and Detection

01.03.2007 - 30.09.2009
Malware, such as viruses, worms, or spyware, is defined as software that fulfills the deliberately harmful intent of an attacker when run. Current systems to detect malicious code (such as virus scanners) are mostly based on syntactic signatures, which specify byte sequences that are characteristic for a particular malware instance. Unfortunately, this approach necessitates frequent updates to the signature database and lacks the ability to identify malware code that mutates while reproducing or spreading across the network. In this project, we research techniques to obtain a more general and robust description of malicious code that is not affected by syntactic changes. In particular, the goal is to develop techniques to analyze and capture the behavior of binary code. A behavioral description is more abstract and semantically rich than syntactic signatures and allows us to detect entire classes of malware instead of individual instances. The behavior of a program is expressed in terms of its interaction with the environment. In particular, we are interested in the system calls that a program invokes. However, we do not only consider the type of calls that are made, but also take into account dependencies between system calls and constraints on their arguments. We propose to develop Minesweeper, a system that is capable of extracting the behavior of unknown executables by generating characteristic system call profiles. To this end, the system has to fulfill two tasks. The first task is to determine which system calls an unknown executable can invoke. We aim to use dynamic code analysis and explore multiple execution paths to obtain a comprehensive set of system call traces. Based on these traces, the second task is to derive a profile that extracts the characteristic subset of system calls, together with their dependencies and arguments. Characteristic profiles of malware programs can be used by human analysts to quickly understand the purpose of malicious code and to reveal its hidden functionality. In addition, these profiles allow a virus scanner to automatically detect obfuscated variations of malware programs and even novel instances.







  • FFG - Österr. Forschungsförderungs- gesellschaft mbH (National) Österreichische Forschungsförderungsgesellschaft mbH (FFG)


  • Information and Communication Technology


MalwareMalicious Code

Externe Partner_innen

  • Secure Business Austria Verein zur Förderung der IT-Sicherheit in Österreich
  • IKARUS Security Software GmbH