The proposed research will address an issue of substantial importance: how to stop the rapid spread of malicious software that infects host computers. The objective of this project is to develop fast methods of analysis that accurately identify exploit code in network traffic. These methods should succeed even if the exploit is concealed by means of code obfuscation and metamorphosis (i.e., varying in form from one instance to the next).

We statically analyze the control and data flow of code to characterize the pattern of system calls executed by the code. Both large and small exploit codes typically accomplish much of their function by such calls. The use of code obfuscation techniques or metamorphic program transformations will not in general change this pattern. We use weighted matching to compute the degree of similarity between two code fragments, based on their system call patterns.

The research project will include:

* extensive evaluation of the initial method
* faster methods of control flow analysis and disassembly
* improvements in the accuracy of static data flow analysis

Other outcomes will include the development of a software implementation of our detection method, and standard benchmarks for evaluating and comparing such methods.

We propose to integrate this research with education of undergraduate and graduate students about software vulnerabilities, and how to prevent or remove them.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 0627505
Program Officer: Karl Levitt
Budget Start: 2006-08-15
Budget End: 2009-01-31
Fiscal Year: 2006
Total Cost: $137,057
Name: North Carolina State University Raleigh
City: Raleigh
State: NC
Country: United States
Zip Code: 27695