Behavior-Based Malware Detection
In recent years, viruses and worms have started to pose threats at Internet scale in an intelligent, organized manner, enrolling millions of unsuspecting and unprepared PC owners in spamming, denial-of-service, and phishing activities. In January 2007, Vint Cerf stated that "of the 600 million computers currently on the Internet, between 100 and 150 million were already part of these botnets." A botnet is a network of malware-infected machines that are under the control of one attacker. The fundamental cause of this situation lies in the limitations inherent in current detection technologies. Commercial virus scanners have low resilience to new attacks because malware writers continuously seek to evade detection through the use of obfuscation. Any malware-detection technique that can counter these attacks must be able to (1) identify malicious code under the cover of obfuscation and (2) provide some guarantee for the detection of future malware.
In my talk, I present a new approach to the detection of malicious code that addresses these requirements by taking into account the high-level program behavior without an increase in false positives. The cornerstone of this approach is a formalism called malspecs (i.e., specifications of malicious behavior) that incorporates instruction semantics to gain resilience to common obfuscations. Experimental evaluation demonstrates that our behavior-based malware-detection algorithm can detect variants of malware due to their shared malicious behaviors, while maintaining a relatively low run-time overhead (a requirement for real-time protection). Additionally, the malspec formalism enables reasoning about the resilience of a detector. In this context, I present a strategy for proving the soundness and completeness of detection algorithms.
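The following is an added toy illustration of the idea behind a behavior specification, not code from the talk or its authors: a spec over API calls with shared "$var" placeholders (standing in for the data dependencies a malspec captures) is matched against a call trace and compared with a literal, signature-style pattern. The API names, handle and buffer values, and both traces are constructed for this example, and the matcher assumes Python 3.9 or later.

```python
Event = tuple[str, dict[str, object]]  # one traced API call: (name, {arg: value}); "ret" is the return value

# Toy malspec for self-replication (constructed for this example). A "$var" placeholder must bind to the
# same value wherever it recurs, so the spec encodes data flow between calls rather than literal bytes.
SELF_REPLICATION: list[Event] = [
    ("GetModuleFileName", {"ret": "$self"}),           # learn own path
    ("CreateFile", {"path": "$self", "ret": "$src"}),   # open own image
    ("ReadFile", {"h": "$src", "buf": "$data"}),        # read it into a buffer
    ("CreateFile", {"ret": "$dst"}),                    # open any other file
    ("WriteFile", {"h": "$dst", "buf": "$data"}),       # write that same buffer there
]

def _unify(pattern: dict[str, object], args: dict[str, object], env: dict[str, object]):
    """Return env extended so that pattern matches args, or None on a clash."""
    env = dict(env)  # copy so failed branches do not leak bindings into siblings
    for key, want in pattern.items():
        if key not in args:
            return None
        if isinstance(want, str) and want.startswith("$"):
            if env.setdefault(want, args[key]) != args[key]:
                return None  # variable already bound to a different value
        elif args[key] != want:
            return None      # literal constraint violated
    return env

def matches_malspec(trace: list[Event], spec: list[Event]) -> bool:
    """Backtracking search for spec as an ordered, gapped subsequence of trace with consistent bindings."""
    def search(i, pos, env):
        if i == len(spec):
            return True
        return any((e := _unify(spec[i][1], trace[j][1], env)) is not None and search(i + 1, j + 1, e)
                   for j in range(pos, len(trace)) if trace[j][0] == spec[i][0])
    return search(0, 0, {})

def matches_signature(trace: list[Event], signature: list[Event]) -> bool:  # syntactic baseline
    return any(trace[k:k + len(signature)] == signature for k in range(len(trace) - len(signature) + 1))

# Constructed traces (not real malware). SIGNATURE is lifted literally from a first sample; VARIANT shows
# the same behaviour with a junk call inserted and handles/buffers renumbered, defeating the literal match.
SIGNATURE: list[Event] = [
    ("CreateFile", {"path": "C:\\a\\self.exe", "ret": 16}),
    ("ReadFile", {"h": 16, "buf": 1024}),
]
VARIANT: list[Event] = [
    ("GetModuleFileName", {"ret": "C:\\x\\v2.exe"}),
    ("CreateFile", {"path": "C:\\x\\v2.exe", "ret": 48}),
    ("Sleep", {"ms": 10}),
    ("ReadFile", {"h": 48, "buf": 2048}),
    ("CreateFile", {"path": "C:\\y\\z.exe", "ret": 52}),
    ("WriteFile", {"h": 52, "buf": 2048}),
]
```

On VARIANT, `matches_signature(VARIANT, SIGNATURE)` is False while `matches_malspec(VARIANT, SELF_REPLICATION)` is True; a program that copies a file other than its own image binds `$self` to a path that no later `CreateFile` opens and does not match.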