Tuesday
April 26, 2005
2:00 - 3:00 PM
2310 CS
Mihai Christodorescu
Department of Computer Sciences, University of Wisconsin
Semantics-Aware Malware Detection
This is a practice talk for the 2005 IEEE Symposium
on Security and Privacy (Oakland'05).
A malware detector is a system that attempts to
determine whether a program has malicious intent. In
order to evade detection, malware writers (hackers)
frequently use obfuscation to morph malware. Malware
detectors that use a pattern-matching approach (such as
commercial virus scanners) are susceptible to
obfuscations used by hackers. The fundamental deficiency
in the pattern-matching approach to malware detection is
that it is purely syntactic and ignores the semantics of
instructions. In this paper, we present a
malware-detection algorithm that addresses this
deficiency by incorporating instruction semantics to
detect malicious program traits. Experimental evaluation
demonstrates that our malware-detection algorithm can
detect variants of malware with a relatively low
run-time overhead. Moreover, our semantics-aware malware
detection algorithm is resilient to common obfuscations
used by hackers.
Wednesday
April 27, 2005
2:00 - 3:00 PM
2310 CS
Department of Computer Sciences, University of Wisconsin
Language-Based Generation and Evaluation of NIDS Signatures
We present a methodology to automatically construct
robust signatures whose accuracy rests on formal
reasoning and can therefore be systematically evaluated.
Our methodology is based on two formal languages that
describe different properties of a given attack. The
first language, called a session signature, describes
temporal relations between the attack events. The
second, called an attack invariant, describes semantic
properties that hold in any instance of the attack. For
example, an invariant may state that a given FTP attack
must include a successful FTP login and can be launched
only after the FTP representation mode has been set to
ASCII. We iteratively eliminate false positives and
negatives from an initial session signature by comparing
the signature language to the language of the invariant.
We developed GARD, a tool for session-signature
construction, and used it to construct session
signatures for multi-step attacks. We show that a
session signature is more accurate than existing
signatures.
Created and maintained by Mihai Christodorescu (http://www.cs.wisc.edu/~mihai)
Created: Fri Jul 29 11:34:22 2005
Last modified: Fri Jul 29 11:35:25 Central Daylight Time 2005