TC: Small: Discovering Designer Intent through Dynamic Analysis of Malware

TC：小：通过恶意软件的动态分析发现设计者的意图

• 批准号: 0916061
• 负责人: Michel Cukier
• 金额: $ 15万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-09-01 至 2011-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0916061&HistoricalAwards=false
• 关键词: TC; Small; Discovering; Designer; Intent

The proposed research addresses the problem of identifying and providing source code-based understanding of obfuscated malcode plaguing the Internet. Obfuscated malcode presents a clear and present danger to today?s society in terms of individual privacy, security as well as to the Internet?s overall trustworthiness. Attackers continue to use obfuscation to successfully defeat attempts by defenders to prevent infection or spread of the malcode. The goal of the research will be to develop dynamic binary analysis processes for Internet worm executables. These processes will be used to create a reverse engineering framework to create assembly code from worm machine code and in turn create associated control and data flow graphs. Generalizations of instruction sequences, known as motifs, are extracted from these graphs using new techniques based in part on program slicing and will be applied against models of worm behavior described in terms of state machine, decision tree or family tree models; partial or complete matching against these models will yield knowledge of worm interactions with its target environment, its obfuscation techniques and its means of command, control and update by the attacker.This research will help to assess if control and data flow graphs can represent any obfuscated malcode. In case some malcode cannot be represented using these graphs, other representations will be investigated. The accuracy of the malcode representation will be evaluated since the representation will be based mainly on system call analysis. Finally, several combinations of static and dynamic analyses will be studied to assess the impact on the malcode representation details.

所提出的研究解决的问题，识别和提供基于源代码的理解混淆恶意代码的互联网。混淆的恶意代码对今天来说是一个明确而现实的危险？的社会在个人隐私，安全以及互联网方面？的整体可信度。攻击者继续使用模糊处理来成功击败防御者阻止恶意代码感染或传播的尝试。这项研究的目标将是开发动态二进制分析过程的互联网蠕虫可执行文件。这些过程将被用来创建一个逆向工程框架，从蠕虫机器代码中创建汇编代码，进而创建相关的控制和数据流图。使用部分基于程序切片的新技术从这些图中提取被称为基序的指令序列的概括，并将其应用于根据状态机、决策树或家谱模型描述的蠕虫行为模型;与这些模型的部分或完全匹配将产生蠕虫与其目标环境的交互的知识，其混淆技术和其命令手段，这项研究将有助于评估控制和数据流图是否可以表示任何混淆的恶意代码。如果某些恶意代码无法使用这些图形表示，则将研究其他表示。将评估恶意代码表示的准确性，因为表示将主要基于系统调用分析。最后，将研究静态和动态分析的几种组合，以评估对恶意代码表示细节的影响。