Pathfinder - Malicious Code Analysis and Detection
01.03.2007 - 30.09.2009
Research funding project
Malware, such as viruses, worms, or spyware, is defined as software that fulfills the deliberately harmful intent of an attacker when run. Current systems to detect malicious code (such as virus scanners) are mostly based on syntactic signatures, which specify byte sequences that are characteristic of a particular malware instance. Unfortunately, this approach necessitates frequent updates to the signature database and lacks the ability to identify malware code that mutates while reproducing or spreading across the network.

In this project, we research techniques to obtain a more general and robust description of malicious code that is not affected by syntactic changes. In particular, the goal is to develop techniques to analyze and capture the behavior of binary code. A behavioral description is more abstract and semantically richer than a syntactic signature and allows us to detect entire classes of malware instead of individual instances. The behavior of a program is expressed in terms of its interaction with the environment; in particular, we are interested in the system calls that a program invokes. However, we consider not only the types of calls that are made, but also the dependencies between system calls and the constraints on their arguments.

We propose to develop Minesweeper, a system that is capable of extracting the behavior of unknown executables by generating characteristic system call profiles. To this end, the system has to fulfill two tasks. The first task is to determine which system calls an unknown executable can invoke; we aim to use dynamic code analysis and explore multiple execution paths to obtain a comprehensive set of system call traces. Based on these traces, the second task is to derive a profile that extracts the characteristic subset of system calls, together with their dependencies and arguments.
Characteristic profiles of malware programs can be used by human analysts to quickly understand the purpose of malicious code and to reveal its hidden functionality. In addition, these profiles allow a virus scanner to automatically detect obfuscated variations of malware programs and even novel instances.
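The following Python sketch is an added illustration, not code from the Pathfinder or Minesweeper project, of why call dependencies and argument constraints matter for a behavioral profile. A profile for "create and write a file, then register that same file under a Run key" matches two syntactically different dropper traces (different paths, hive, call order and an extra noise call) but not a benign trace that issues the same system call types. All traces, call names, handles and paths are constructed sample data.

```python
import re

# Constructed sample traces (not real data): (system call, arguments, return value).
# Two dropper variants installing persistence, plus a benign program using the same call types.
DROPPER_A = [
    ("RegOpenKey", {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"}, 0x10),
    ("NtCreateFile", {"path": r"C:\Windows\svchost32.exe", "access": "write"}, 0x20),
    ("NtWriteFile", {"handle": 0x20}, 0),
    ("RegSetValue", {"key": 0x10, "value": r"C:\Windows\svchost32.exe"}, 0)]
DROPPER_B = [  # renamed file, other hive, a noise call, and a different call order
    ("NtQuerySystemTime", {}, 0),
    ("NtCreateFile", {"path": r"C:\Users\x\upd.exe", "access": "write"}, 0x31),
    ("NtWriteFile", {"handle": 0x31}, 0),
    ("RegOpenKey", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}, 0x7),
    ("RegSetValue", {"key": 0x7, "value": r"C:\Users\x\upd.exe"}, 0)]
BENIGN = [  # same set of call types, but the Run value is unrelated to the created file
    ("NtCreateFile", {"path": r"C:\Users\x\notes.txt", "access": "write"}, 0x44),
    ("NtWriteFile", {"handle": 0x44}, 0),
    ("RegOpenKey", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}, 0x9),
    ("RegSetValue", {"key": 0x9, "value": "1"}, 0)]

# Profile step: (label, call, regex constraints on arguments, dependencies
# {arg: (earlier label, "ret" or the name of that earlier event's argument)}).
PERSIST_PROFILE = [
    ("create", "NtCreateFile", {"access": "write"}, {}),
    ("write", "NtWriteFile", {}, {"handle": ("create", "ret")}),
    ("openrun", "RegOpenKey", {"key": r".*\\CurrentVersion\\Run"}, {}),
    ("persist", "RegSetValue", {}, {"key": ("openrun", "ret"), "value": ("create", "path")})]

def _satisfies(event, step, trace, bound):
    (name, args, _), (_, want, consts, deps) = event, step
    if name != want or any(not re.fullmatch(p, str(args.get(a, ""))) for a, p in consts.items()):
        return False
    for arg, (src, field) in deps.items():  # argument must equal the earlier event's value
        _, src_args, src_ret = trace[bound[src]]
        if args.get(arg) != (src_ret if field == "ret" else src_args.get(field)):
            return False
    return True

def match_profile(trace, profile, pos=0, bound=None):
    """Backtracking search: returns {label: event index} if the behaviour occurs, else None."""
    bound = {} if bound is None else bound
    if pos == len(profile):
        return dict(bound)
    label, _, _, deps = profile[pos]
    start = max((bound[src] + 1 for src, _ in deps.values()), default=0)  # data flows forward
    for i in range(start, len(trace)):
        if i not in bound.values() and _satisfies(trace[i], profile[pos], trace, bound):
            bound[label] = i
            found = match_profile(trace, profile, pos + 1, bound)
            if found is not None:
                return found
            del bound[label]
    return None
```

A matcher that only compared the set of invoked call types would flag BENIGN as well; the argument dependency between NtCreateFile and RegSetValue is what separates the two.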
People
Project leader
Wolfgang Kastner
(E183)
Subproject leader
Christopher Krügel
(E183)
Project staff
Manuel Egele
(E183)
Hanno Fallmann
(E183)
Christoph Karlberger
(E183)
Engin Kirda
(E183)
Clemens Kolbitsch
(E183)
Paolo Milani Comparetti
(E183)
Andreas Moser
(E183)
Thomas Otterbein
(E183)
Daniel Scheidle
(E183)
Martin Szydlowski
(E183)
Peter Wurzinger
(E183)
Institute
E183 - Institut für Rechnergestützte Automation
Funding
FFG - Österreichische Forschungsförderungsgesellschaft mbH (national)
Research focus
Information and Communication Technology
Keywords (German / English)
Sicherheit / Safety
Malware / Malicious Code
External partners
Secure Business Austria Verein zur Förderung der IT-Sicherheit in Österreich
IKARUS Security Software GmbH
Publications
Publication list