Collaborative Research: CT-T: Towards Behavior-Based Malware Detection

合作研究：CT-T：迈向基于行为的恶意软件检测

• 批准号: 0627501
• 负责人: Somesh Jha
• 金额: $ 57万
• 依托单位: University of Wisconsin-Madison
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2007
• 资助国家: 美国
• 起止时间: 2007-01-01 至 2011-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0627501&HistoricalAwards=false
• 关键词: Collaborative; Research; CT; Towards; Behavior

Somesh JhaUniversity of Wisconsin, MadisonCollaborative Research: CT T Towards Behavior-Based Malware Detection0627501Panel P060975AbstractMalware is code with malicious intent that can adversely affect thehost on which it executes or the network over which they aretransmitted. A malware detector classifies a program as malware orbenign. Malware writers continuously test the limitations of malwaredetectors in an attempt to discover techniques to evadedetection. This leads to an arms race, where malware writers find newways to create malware that are undetected by commercial malwaredetectors, and where researchers working on malware detection respondby devising new detection techniques. Attackers create new malwareusing two main approaches: program obfuscation and evolution. There isstrong evidence that malware writers are using obfuscation andevolution because the number of new malware families is growing at amuch slower rate than the number of malware instances. For example,according to Symantec threat reports, in the first half of 2005 therewere 10,866 new virus and worm variants but only 170 new families ofmalware. This data also indicates that signature-based techniques formalware detection will not be able to cope with the increase in thenumber of malware instances. Recent results by one of the PIs alsosuggests that current commercial malware detectors are not resilientto obfuscation and evolution techniques used by malware writers. Allthis evidence clearly suggests that we need a new approach to malwaredetection.We propose to explore behavior-based malware detection: our algorithmfocuses on detecting malicious behavior (such as mass-mailing behaviorused by certain worms) rather than searching for syntacticpatterns. We specify malicious behavior in a formal language and thenperform static analysis on the code to determine whether it containsthe specified behavior. Prior work by the investigators demonstratedthat this behavior-based malware detector can detect families ofmalware using a single specification. However, there are challengesthat need to be addressed in the context of behavior-based malwaredetection. We propose tasks to address these challenges. Solutions tothe proposed tasks will lead to malware detection techniques that willresist evasion techniques used by malware writers better than existingmalware detectors. Behavior-based malware detectors can also detectnew malware that are variants of old malware..

威斯康星州的Somesh Jhauniversity，MadisonCollaborative Research：CT ting基于行为的恶意软件检测0627501PANEL P060975ABSTRACTMALWARE是具有恶意意图的代码，可以不利地影响其执行或网络对其进行的网络的主机。 恶意软件检测器将程序分类为恶意软件Orbenign。恶意软件作者不断测试麦道索轨道的局限性，以发现远离挖掘技术的技术。这导致了一场军备竞赛，恶意软件作者找到了新的通道来创建未经商业恶性视机未发现的恶意软件，以及从事恶意软件检测的研究人员，响应了设计新的检测技术。攻击者创建新的恶意软件，从而产生两种主要方法：程序混淆和演变。由于有恶意软件作家正在使用混淆和进化的证据，因为新恶意软件系列的数量比恶意软件实例的数量要慢。例如，根据Symantec威胁的报告，在2005年上半年，有10,866个新病毒和蠕虫变种，但只有170个新的Malware系列。该数据还表明，基于签名的技术正式软件检测将无法应对恶意软件实例的递增。当前的商业恶意软件探测器并非有韧性和恶意软件作家使用的进化技术，PIS Alsosuggest之一的最新结果是。 Allthis的证据清楚地表明，我们需要一种新的方法来进行MalwaredEtection。我们建议探索基于行为的恶意软件检测：我们的算法检测恶意行为（例如某些蠕虫使用的大规模填充行为），而不是搜索语法模型。我们以形式语言指定恶意行为，然后对代码进行静态分析，以确定其是否包含指定的行为。调查人员的先前工作证明了基于行为的恶意软件检测器可以使用单个规范检测到的污垢家族。但是，需要在基于行为的麦道挑选的背景下解决挑战。我们建议解决这些挑战的任务。 解决方案提议的任务将导致恶意软件检测技术，而恶意软件作者使用的逃避技术将比现有的摩托车检测器更好。基于行为的恶意软件探测器还可以检测到旧恶意软件的变体的恶意软件。