TWC: Small: Understanding Anti-Analysis Defenses in Malicious Code

TWC：小：了解恶意代码中的反分析防御

• 批准号: 1525820
• 负责人: Saumya Debray
• 金额: $ 51.48万
• 依托单位: University of Arizona
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-09-01 至 2019-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1525820&HistoricalAwards=false
• 关键词: TWC; Small; Understanding; Anti; Analysis

The problem of cyber-security encompasses computer systems of all sizes and affects almost all aspects of our day-to-day lives. This makes it fundamentally important to detect accurately and respond quickly to cyber-threats as they develop. This project aims to develop techniques and tools that can accelerate the process of understanding and responding to new cyber-threats as they develop. The authors of malicious software (malware) usually try to make the malware stealthy in order to avoid detection. In many cases, this involves a variety of techniques aimed at hindering analysis efforts by security analysts; we refer to such techniques as anti-analysis defenses. When confronted by such defenses, security analysts have to identify and disable them in order to observe and understand its real behaviors and thereby develop countermeasures. Current approaches for doing this are slow and cumbersome. This project aims to develop highly general, efficient, and robust automated techniques for speeding up the process of identifying and understanding anti-analysis defenses in malware, with the goal of providing security analysts with tools that can help them respond quickly to new cyber-threats as they develop.Malicious software (malware) usually employs a variety of anti-analysis and anti-tampering defenses to hinder analysis and reverse engineering. Currently, neutralizing such defenses requires a lot of manual intervention and is therefore tedious and time-consuming. This project develops semantics-based techniques to automate most or all of this effort and so accelerate the process of identifying and neutralizing such defenses. The project focusses on analyzing programs that employ a variety of anti-analysis and anti-tampering defenses. In particular, the project will focus on the following research questions:* Detection. How do characterizations of environmental observations translate to detection algorithms for anti-analysis defenses? How can the detection algorithms be made general?* Precision. What factors affect the precision of such detection algorithms? How can the precision be improved?* Performance. Sophisticated analysis of low-level code can be expensive. At the same time, the high volumes of new malware that are encountered make it important for analyses to be efficient. How can such detection algorithms be made efficient enough to be practical?*Stealthy Defenses. How can environment checks be made statically and dynamically stealthy? What are the implications for anti-analysis detection algorithms?In order for such anti-anti-analysis techniques to have longevity, it is important that they be general, i.e., make as few assumptions as possible about the nature or form of the defenses that may have been applied. To this end, the project will articulate explicitly the assumptions underlying the techniques it develops. This can be expected to suggest new directions for research by indicating where assumptions may be weakened or removed. The potential contributions of this research are both technical and societal. The ability to more easily neutralize anti-analysis defenses deployed by malware will allow security researchers to respond to new and emerging malware threats quickly. This will have the effect of limiting the scope of the damage caused by such malware, and improve the security and reliability of our cyber-infrastructure. Additionally, the project will involve graduate and undergraduate students in all aspects of the research and thereby contribute to the development of a highly skilled workforce. Finally, software developed as part of the project will be made available to the broader research community, thereby assisting and supporting other research projects in this area.

网络安全问题涉及各种规模的计算机系统，并影响到我们日常生活的几乎所有方面。这使得准确检测和快速响应网络威胁变得至关重要。该项目旨在开发技术和工具，以加速理解和响应新网络威胁的发展过程。恶意软件（恶意软件）的作者通常试图使恶意软件隐身，以避免检测。在许多情况下，这涉及到各种旨在阻碍安全分析人员的分析工作的技术；我们将这种技术称为反分析防御。当遇到这种防御时，安全分析人员必须识别并禁用它们，以便观察和理解其真实行为，从而制定对策。目前这样做的方法既缓慢又繁琐。该项目旨在开发高度通用、高效和强大的自动化技术，以加快识别和理解恶意软件中的反分析防御的过程，目标是为安全分析师提供工具，帮助他们在新的网络威胁发展时快速响应。恶意软件（malware）通常采用各种反分析和反篡改防御来阻碍分析和逆向工程。目前，消除这种防御需要大量的人工干预，因此既繁琐又耗时。该项目开发了基于语义的技术来自动化大部分或全部工作，从而加快识别和消除此类防御的过程。该项目侧重于分析采用各种反分析和反篡改防御的程序。特别是，该项目将重点研究以下问题：*检测。环境观测的特征如何转化为反分析防御的检测算法？如何使检测算法通用化？*精度。哪些因素会影响这种检测算法的精度？如何提高精度？*性能。对低级代码进行复杂的分析可能代价高昂。与此同时，大量新的恶意软件的出现使得高效的分析变得非常重要。怎样才能使这样的检测算法变得足够高效实用呢？*隐形防御。如何使环境检查静态和动态隐身？反分析检测算法的含义是什么？为了使这种反-反分析技术长寿，重要的是它们是通用的，也就是说，对可能已经应用的防御的性质或形式做出尽可能少的假设。为此目的，该项目将明确地阐明其开发的技术的基础假设。这可以通过指出假设可能被削弱或删除的地方，为研究提出新的方向。这项研究的潜在贡献是技术和社会。更容易消除恶意软件部署的反分析防御的能力将使安全研究人员能够快速响应新的和正在出现的恶意软件威胁。这将限制此类恶意软件造成的损害范围，并提高我们网络基础设施的安全性和可靠性。此外，该项目将涉及研究生和本科生的各个方面的研究，从而有助于高技能劳动力的发展。最后，作为项目一部分开发的软件将提供给更广泛的研究界，从而协助和支持该领域的其他研究项目。