Malicious activity on the Internet is a significant threat to both individuals and institutions. Over the past few years, network honeypots have emerged as an important tool for measuring and understanding the details of cyber attacks. The objective of the proposed research is to stimulate the development of next generation Internet security systems and forensic tools based on automated, indepth analysis of malicious activity and malicious software (malware) observed in network honeypots. The research program to achieve these capabilities will address four critical challenges: (1) efficient malware collection, (2) identification of evasion and obfuscation techniques embedded in the malware, (3) full understanding of malware intent and logic, and (4) the full exercise of malware functionality during runtime execution. The technical approach to address these challenges, which is referred to as Informed Malware Execution (IME), is comprehensive in its use of techniques drawn from a variety of disciplines including network security, forensic analysis, static and dynamic program analysis, and binary instrumentation. The broader impacts of this project are that it will enable a deep understanding of malware logic and execution, and lead to more effective, generalized (non-instance-specific) network security. The expected results of this work include research papers describing new malware analysis methods, prototype software for malware collection and analysis, and datasets collected from network honeypots. The project also includes education and outreach activities that will develop course materials on practical aspects of network security, and provide training for graduate students involved in all aspects of the research.
