Collaborative Research: CT-T: Towards Behavior-Based Malware Detection

合作研究：CT-T：迈向基于行为的恶意软件检测

• 批准号: 0842695
• 负责人: Dawn Song
• 金额: $ 27万
• 依托单位: University of California-Berkeley
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-07-01 至 2012-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0842695&HistoricalAwards=false
• 关键词: Collaborative; Research; CT; Towards; Behavior

Dawn SongCarnegie Mellon UniversityCollaborative Research: CT T Towards Behavior-Based Malware Detection0627511Panel P060975AbstractMalware is code with malicious intent that can adversely affect thehost on which it executes or the network over which they aretransmitted. A malware detector classifies a program as malware orbenign. Malware writers continuously test the limitations of malwaredetectors in an attempt to discover techniques to evadedetection. This leads to an arms race, where malware writers find newways to create malware that are undetected by commercial malwaredetectors, and where researchers working on malware detection respondby devising new detection techniques. Attackers create new malwareusing two main approaches: program obfuscation and evolution. There isstrong evidence that malware writers are using obfuscation andevolution because the number of new malware families is growing at amuch slower rate than the number of malware instances. For example,according to Symantec threat reports, in the first half of 2005 therewere 10,866 new virus and worm variants but only 170 new families ofmalware. This data also indicates that signature-based techniques formalware detection will not be able to cope with the increase in thenumber of malware instances. Recent results by one of the PIs alsosuggests that current commercial malware detectors are not resilientto obfuscation and evolution techniques used by malware writers. Allthis evidence clearly suggests that we need a new approach to malwaredetection.We propose to explore behavior-based malware detection: our algorithmfocuses on detecting malicious behavior (such as mass-mailing behaviorused by certain worms) rather than searching for syntacticpatterns. We specify malicious behavior in a formal language and thenperform static analysis on the code to determine whether it containsthe specified behavior. Prior work by the investigators demonstratedthat this behavior-based malware detector can detect families ofmalware using a single specification. However, there are challengesthat need to be addressed in the context of behavior-based malwaredetection. We propose tasks to address these challenges. Solutions tothe proposed tasks will lead to malware detection techniques that willresist evasion techniques used by malware writers better than existingmalware detectors. Behavior-based malware detectors can also detectnew malware that are variants of old malware..

Dawn Song卡内基梅隆大学合作研究：CT T Towards Behavior-Based Malware Detection 0627511 Panel P060975摘要恶意软件是具有恶意意图的代码，可以对其执行的主机或传输它们的网络产生不利影响。 恶意软件检测器将程序分类为恶意软件或良性程序。恶意软件编写者不断测试恶意软件检测器的局限性，试图发现逃避检测的技术。这导致了一场军备竞赛，恶意软件编写者找到了新的方法来创建商业恶意软件检测器无法检测到的恶意软件，而从事恶意软件检测的研究人员则通过设计新的检测技术做出回应。攻击者创建新的恶意软件使用两种主要方法：程序混淆和进化。有强有力的证据表明，恶意软件作者正在使用混淆和转移，因为新恶意软件家族的数量增长速度远远低于恶意软件实例的数量。例如，根据赛门铁克威胁报告，2005年上半年有10，866种新的病毒和蠕虫变种，但只有170种新的恶意软件家族。这些数据还表明，基于签名的技术形式的恶意软件检测将无法科普恶意软件实例数量的增加。一个PI最近的结果也表明，目前的商业恶意软件检测器不服从恶意软件作者使用的混淆和进化技术。所有这些证据清楚地表明，我们需要一种新的方法来检测恶意软件。我们建议探索基于行为的恶意软件检测：我们的算法专注于检测恶意行为（如某些蠕虫使用的群发邮件行为），而不是搜索语法模式。我们用一种形式化的语言指定恶意行为，然后对代码进行静态分析，以确定它是否包含指定的行为。调查人员先前的工作表明，这种基于行为的恶意软件检测器可以使用单一规范检测恶意软件家族。然而，在基于行为的恶意软件检测的背景下，需要解决一些挑战。我们提出了应对这些挑战的任务。 对所提出的任务的解决方案将导致恶意软件检测技术，将抵制规避技术所使用的恶意软件作家比现有的恶意软件检测器。基于行为的恶意软件检测器还可以检测到旧恶意软件的变种新恶意软件。