The recent explosion in malware poses financial, privacy, and safety risks. This project explores a fundamentally new approach to malware detection that promises to be faster, more effective, and cheaper than current tools.

The evolution of malicious software, or malware, has seen increases in both malware's capabilities and its sheer volume. Recent malware makes use of a number of sophisticated technologies, including polymorphism, public key encryption, and peer-to-peer architectures. These advances are driven by the significant resources that both criminal enterprises and nation states put into malware development. Traditional malware detection tools rely on slow manual processes, and the recent advances in malware have outrun the ability of existing tools to cope.

This project uses a new approach to the malware crisis that centers around constructive use of crowd-sourcing. The key insight is that the collection of machines on the Internet contains information that can be used to automatically classify software as either legitimate or malicious. This information includes not only the behavior of malware on individual machines but also the behavior of the aggregate population. For example, the aggregate statistics of how software propagates across the network can provide insight into whether the software is malicious.

A key component of the proposed work is binary translation-based dynamic signatures. Traditional malware detection tools have relied on static signatures, but polymorphic techniques have made that approach significantly less effective. The project employs binary translation to efficiently collect dynamic traces of both code execution and behavioral events, such as network communication, and then generates signatures from these traces.
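As an added illustration (not the project's code, data, or signature format), the following Python shows why a signature derived from a behavioral trace survives a polymorphic re-encoding that defeats a byte-level signature. Binary translation itself is not implemented here: the two sample "binaries", the event traces a tracer might emit, the normalization rules, and the n-gram signature scheme are all constructed assumptions for the example.

```python
"""Behavioral (dynamic) signatures vs. static byte signatures.

Constructed illustration; not the project's own tracer, data, or format.
"""
from __future__ import annotations

import hashlib
import re
from typing import Iterable

# Constructed sample "binaries": VARIANT is a polymorphic re-encoding of
# ORIGINAL (every byte XORed with a per-sample key), so the bytes differ
# completely while the behaviour at run time is unchanged.
ORIGINAL = b"\x55\x48\x89\xe5 decode-and-run-payload (constructed bytes)"
KEY = 0x5A
VARIANT = bytes(b ^ KEY for b in ORIGINAL)

# Constructed dynamic traces: (event_type, argument) pairs in the shape a
# binary-translation tracer might emit. Both variants perform the same
# actions; file names, hosts and sizes differ per infection.
TRACE_ORIGINAL = [
    ("file_write", r"C:\Users\alice\AppData\Roaming\svchost32.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
    ("net_connect", "198.51.100.23:4444"),
    ("net_send", "1024"),
    ("proc_create", r"C:\Users\alice\AppData\Roaming\svchost32.exe"),
]
TRACE_VARIANT = [
    ("file_write", r"C:\Users\bob\AppData\Roaming\updater.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("net_connect", "203.0.113.7:8080"),
    ("net_send", "1536"),
    ("proc_create", r"C:\Users\bob\AppData\Roaming\updater.exe"),
]
TRACE_BENIGN = [  # a document editor saving a file and checking for updates
    ("file_read", r"C:\Users\alice\Documents\report.docx"),
    ("file_write", r"C:\Users\alice\Documents\report.docx"),
    ("net_connect", "203.0.113.50:443"),
]


def static_signature(blob: bytes) -> str:
    """Byte-level signature: any polymorphic re-encoding changes it."""
    return hashlib.sha256(blob).hexdigest()


def normalize(event: tuple[str, str]) -> str:
    """Abstract per-infection details (user names, file names, hosts, sizes)
    so that two runs of the same behaviour yield identical tokens."""
    kind, arg = event
    if kind in ("file_write", "file_read", "proc_create"):
        if re.search(r"\\AppData\\", arg, re.IGNORECASE):
            suffix = "APPDATA_EXE" if arg.lower().endswith(".exe") else "APPDATA"
            return f"{kind}:{suffix}"
        return f"{kind}:USER_DOC"
    if kind == "reg_set":
        return f"{kind}:RUN_KEY" if "\\CurrentVersion\\Run\\" in arg else f"{kind}:OTHER"
    if kind == "net_connect":
        port = int(arg.rsplit(":", 1)[1])
        return f"{kind}:{'WEB' if port in (80, 443) else 'NONSTD'}"
    return kind  # arguments we do not model (e.g. byte counts) are dropped


def dynamic_signature(trace: Iterable[tuple[str, str]], n: int = 2) -> frozenset[str]:
    """Signature = set of hashed n-grams over the normalized event stream."""
    tokens = [normalize(e) for e in trace]
    grams = ("|".join(tokens[i : i + n]) for i in range(len(tokens) - n + 1))
    return frozenset(hashlib.sha256(g.encode()).hexdigest()[:16] for g in grams)


def similarity(a: frozenset[str], b: frozenset[str]) -> float:
    """Jaccard similarity between two n-gram signatures."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def classify(trace, known: dict[str, frozenset[str]], threshold: float = 0.6) -> str:
    """Return the best-matching known family, or 'unknown' below threshold."""
    sig = dynamic_signature(trace)
    best = max(known, key=lambda k: similarity(sig, known[k]), default=None)
    return best if best and similarity(sig, known[best]) >= threshold else "unknown"


if __name__ == "__main__":
    print("static signatures equal:", static_signature(ORIGINAL) == static_signature(VARIANT))
    print("dynamic signatures equal:", dynamic_signature(TRACE_ORIGINAL) == dynamic_signature(TRACE_VARIANT))
    known = {"dropper_family": dynamic_signature(TRACE_ORIGINAL)}
    print("variant ->", classify(TRACE_VARIANT, known))
    print("benign  ->", classify(TRACE_BENIGN, known))
```

The normalization step is where the engineering effort goes in practice: too little abstraction and every infection looks new, too much and unrelated programs collide, so the token classes and the match threshold have to be tuned against both malicious and benign trace corpora.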

The project significantly reduces the threats of malware to society, especially since software developed through the project is freely available. The project is also mentoring members of underrepresented minorities and infusing its ideas into the curriculum.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 1228995
Program Officer: Ralph Wachter
Project Start:
Project End:
Budget Start: 2012-10-01
Budget End: 2016-09-30
Support Year:
Fiscal Year: 2012
Total Cost: $800,000
Indirect Cost:
Name: University of California Irvine
Department:
Type:
DUNS #:
City: Irvine
State: CA
Country: United States
Zip Code: 92697