CT-T: Using Structural and Behavioral Models to Detect Malware

CT-T：使用结构和行为模型检测恶意软件

• 批准号: 0627783
• 负责人: Giovanni Vigna
• 金额: $ 23.5万
• 依托单位: University of California-Santa Barbara
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2006
• 资助国家: 美国
• 起止时间: 2006-10-01 至 2008-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0627783&HistoricalAwards=false
• 关键词: CT; Using; Structural; Behavioral; Models

Proposal Number: 0627783PI: Giovanni Vigna Institution: University of California, Santa Barbara Title: Using Structural and Behavioral Models to Detect Malware AbstractIn the past few years, malicious software (malware) has evolved and diversified. Simple viruses that attach to existing programs and require action on behalf of a user to execute have evolved into worms that can infectthousands of hosts and disrupt entire networks. Rootkits and Trojan horses have evolved from simple programs that mimic legitimate applications for malicious purposes into sophisticated software components that operate at the OS kernel level, making it difficult to detect and eradicate them. In addition, completely new types of malware, such as spyware and adware, have emerged.Unfortunately, the evolution of malware has not been matched by a corresponding evolution in defense tools. Most malware detection tools are syntax-based and use relatively simple pattern matching techniques. Thesetechniques can only recognize known malware, and, in addition, they can be easily fooled by sophisticated malware that uses obfuscation and polymorphic techniques.To be able to reliably detect sophisticated malware it is necessary to develop analysis techniques that rely on information other than the syntactic structure of the program. Therefore, this research effort will focus ondeveloping novel binary analysis techniques that use structural and behavioral models to detect sophisticated malware. More precisely, the proposed techniques use a composition of static and dynamic analysis to identify code whose behavior is similar to the behavior of malware such as viruses, worms, spyware programs, or rootkits. This approach will allow one to detect previously unseen malware and identify mutations of known malware.

提案编号：0627783 PI：Giovanni Vigna 机构：加州大学，圣巴巴拉分校 职务名称： 使用结构和行为模型检测恶意软件 摘要在过去的几年里，恶意软件（恶意软件）已经发展和多样化。 附着在现有程序上并需要用户采取行动才能执行的简单病毒已经演变成蠕虫，可以感染数千台主机并破坏整个网络。 Rootkit和特洛伊木马已经从模仿合法应用程序用于恶意目的的简单程序演变为在操作系统内核级别运行的复杂软件组件，因此很难检测和根除它们。此外，全新类型的恶意软件（如间谍软件和广告软件）已经出现。不幸的是，恶意软件的发展并没有与防御工具的相应发展相匹配。大多数恶意软件检测工具都是基于语法的，并且使用相对简单的模式匹配技术。这些技术只能识别已知的恶意软件，此外，它们很容易被使用模糊和多态技术的复杂恶意软件所欺骗。为了能够可靠地检测复杂的恶意软件，有必要开发依赖于信息而不是语法的分析技术程序的结构。因此，这项研究工作将集中在开发新的二进制分析技术，使用结构和行为模型来检测复杂的恶意软件。 更确切地说，所提出的技术使用静态和动态分析的组合来识别其行为类似于恶意软件（诸如病毒、蠕虫、间谍软件程序或rootkit）的行为的代码。这种方法将允许人们检测以前看不见的恶意软件，并识别已知恶意软件的突变。