KIRAS Security Research

2011

MalwareDef

The goal of this project is the development of proactive defence measures to cope with the challenges of a rapidly growing number of malware samples in the wild

An important part of cyber security and the protection of critical infrastructure is the detection and defence of malware. Tools currently used to fight malware (anti-virus software and intrusion detections systems) are mainly signature-based and hence can only detect code that has already been identified as such. By means of polymorphic and metamorphic obfuscation techniques current malware appears in ever new variants, all characterized by different signatures but showing the same functional behaviour. This constitutes a constantly growing problem for anti-virus software. 

The goal of this project is the development of proactive defence measures to cope with the challenges of a rapidly growing number of malware samples in the wild. These measures should be capable of effectively and efficiently detecting new variants of known malware as well as entirely new threats, analyzing them and initiating suitable defence response. To achieve this goal, formal high-level definitions of potentially malicious activities independent of their syntactic appearances seen so far must be developed. At the start of the project an ex-ante analysis of the social and judicial framework will be carried out to position the project within the stakeholders’ realm of interests.

The formal definitions will describe typical activities of malware on a high level of abstraction. These definitions will be attained from behaviour based analysis of available malware and from formalizations of common attack vectors. Such typical activities could be, among others, various kinds of infection strategies, methods to automatically start a program, obfuscation techniques, connections to suspicious computers, and command and control receiver activities. In general, the decision to classify a code sample as malicious is not determined by a single activity but by certain combinations thereof. These formal definitions will be used as the foundation for classifying ongoing activities. The modular approach accounts for the fact that recent large scale and targeted attacks were structured in a modular way.

The outcome of the project will be a database of formal definitions of malware activities and a prototype able to check suspicious code samples against the definitions within this database.

Project leader:
Fachhochschule St. Pölten, Institut für IT Sicherheitsforschung

Project partner:
Bundesministerium für Inneres (BM.I)
Bundesministerium für Landesverteidigung und Sport (BMLVS)
IKARUS Security Software GmbH

Contact:
Fachhochschule St. Pölten, Institut für IT Sicherheitsforschung
Matthias Corvinus-Straße 15,
3100 St. Pölten
Univ.-Doz. DI Dr. Ernst Piller und DI Dr. Paul Tavolato
Telefon +43 2742 313 228 – 636
E-Mail: ernst.piller@fhstp.ac.at und paul.tavolato@fhstp.ac.at
Web: https://ifs.fhstp.ac.at

print