Behavior-based Malware Detection

March 8, 2007

  • Date: Thursday, March 8, 2007
  • Time: 11 am — 12:15 pm
  • Place: ECE 118

Mihai Christodorescu
University of Wisconsin

Abstract: In recent years, viruses and worms have started to pose threats at Internet scale in an intelligent, organized manner, enrolling millions of unsuspecting and unprepared PC owners in spamming, denial-of-service, and phishing activities. In January 2007, Vint Cerf stated that “of the 600 million computers currently on the Internet, between 100 and 150 million were already part of these botnets.” A botnet is a network of malware-infected machines that are under the control of one attacker. The fundamental cause of the current situation is the limitations inherent in current detection technologies. Commercial virus scanners have low resilience to new attacks because malware writers continuously seek to evade detection through the use of obfuscation. Any malware-detection technique that can counter these attacks must be able to (1) identify malicious code under the cover of obfuscation and (2) provide some guarantee for the detection of future malware. In my talk, I present a new approach to the detection of malicious code that addresses these requirements by taking into account the high-level program behavior without an increase in false positives. The cornerstone of this approach is a formalism called malspecs (i.e., specifications of malicious behavior) that incorporates instruction semantics to gain resilience to common obfuscations. Experimental evaluation demonstrates that our behavior-based malware-detection algorithm can detect variants of malware due to their shared malicious behaviors, while maintaining a relatively low run-time overhead (a requirement for real-time protection). Additionally, the malspec formalism enables reasoning about the resilience of a detector. In this context, I present a strategy for proving the soundness and completeness of detection algorithms.

Bio: Mihai Christodorescu holds a Bachelor’s degree in Computer Science from University of California at Santa Barbara and a Master’s degree in Computer Sciences from University of Wisconsin, Madison, where he is currently a doctoral candidate. His research is in computer security with a current focus on the detection of malicious software. He is also interested in and has worked on problems in software engineering, program analysis, and formal methods, as well as their applications to security.