Behavior-based Malware Detection

Dr. Christodorescu is from the University of Wisconsin, Madison
In recent years, viruses and worms have started to pose threats at
Internet scale in an intelligent, organized manner, enrolling millions
of unsuspecting and unprepared PC owners in spamming,
denial-of-service, and phishing activities. In January 2007, Vint Cerf
stated that "of the 600 million computers currently on the Internet,
between 100 and 150 million were already part of these botnets." A
botnet is a network of malware-infected machines that are under the
control of one attacker. The fundamental cause of the current
situation is the limitations inherent in current detection
technologies. Commercial virus scanners have low resilience to new
attacks because malware writers continuously seek to evade detection
through the use of obfuscation. Any malware-detection technique that
can counter these attacks must be able to (1) identify malicious code
under the cover of obfuscation and (2) provide some guarantee for the
detection of future malware. In my talk, I present a new approach to the detection of malicious
code that addresses these requirements by taking into account the
high-level program behavior without an increase in false
positives. The cornerstone of this approach is a formalism called
malspecs (i.e., specifications of malicious behavior) that
incorporates instruction semantics to gain resilience to common
obfuscations. Experimental evaluation demonstrates that our
behavior-based malware-detection algorithm can detect variants of
malware due to their shared malicious behaviors, while maintaining a
relatively low run-time overhead (a requirement for real-time
protection). Additionally, the malspec formalism enables reasoning
about the resilience of a detector. In this context, I present a
strategy for proving the soundness and completeness of detection
algorithms.
Mihai Christodorescu holds a Bachelor's degree in Computer Science
from University of California at Santa Barbara and a Master's degree
in Computer Sciences from University of Wisconsin, Madison, where he
is currently a doctoral candidate. His research is in computer
security with a current focus on the detection of malicious software.
He is also interested in and has worked on problems in software
engineering, program analysis, and formal methods, as well as their
applications to security.