Computer Sciences Dept.

Computer Security and Cryptography Seminar: April 2005 Events

Date and location: Tuesday, April 26, 2005, 2:00 - 3:00 PM, 2310 CS
Speaker: Mihai Christodorescu, Department of Computer Sciences, University of Wisconsin
Title: Semantics-Aware Malware Detection

This is a practice talk for the 2005 IEEE Symposium on Security and Privacy (Oakland'05).

A malware detector is a system that attempts to determine whether a program has malicious intent. In order to evade detection, malware writers (hackers) frequently use obfuscation to morph malware. Malware detectors that use a pattern-matching approach (such as commercial virus scanners) are susceptible to obfuscations used by hackers. The fundamental deficiency in the pattern-matching approach to malware detection is that it is purely syntactic and ignores the semantics of instructions. In this paper, we present a malware-detection algorithm that addresses this deficiency by incorporating instruction semantics to detect malicious program traits. Experimental evaluation demonstrates that our malware-detection algorithm can detect variants of malware with a relatively low run-time overhead. Moreover, our semantics-aware malware detection algorithm is resilient to common obfuscations used by hackers.
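The abstract contrasts a purely syntactic pattern matcher with a detector that reasons about what instructions do. The following is an added toy illustration, not code from the talk or the paper: it assumes a single malicious trait ("a register holding the constant 0x1234 is called"), an x86-like text mnemonic format, and a handful of constructed program variants. The syntactic detector is a text signature for one encoding; the semantics-aware detector evaluates each instruction's effect on an abstract register state (constant propagation), so register renaming, nop padding and constant splitting do not hide the trait.

```python
"""Toy comparison of a syntactic (pattern-matching) detector and a
semantics-aware one.  Constructed example; the "malicious trait" is assumed,
for illustration only, to be 'call a register that holds the constant 0x1234'."""
import re

TARGET = 0x1234  # assumed constant that marks the trait in this toy

# Constructed sample programs: the original encoding, three obfuscated
# variants that preserve its behaviour, and a benign program.
SAMPLES = {
    "original": "mov eax, 0x1234\ncall eax",
    "renamed": "mov ebx, 0x1234\ncall ebx",
    "nop_padded": "mov eax, 0x1234\nnop\nnop\ncall eax",
    "split_constant": "mov ecx, 0x1000\nadd ecx, 0x234\nmov edx, ecx\ncall edx",
    "benign": "mov eax, 0x5678\ncall eax",
}

# A signature in the commercial-scanner style: one concrete instruction sequence.
SYNTACTIC_SIGNATURE = re.compile(r"mov eax, 0x1234\s*\ncall eax")


def syntactic_detect(program: str) -> bool:
    """Pattern-matching detector: matches one textual encoding of the trait."""
    return SYNTACTIC_SIGNATURE.search(program) is not None


def parse(program: str):
    """Split 'mnemonic op1, op2' lines into (mnemonic, [operands]) tuples."""
    insns = []
    for line in program.strip().splitlines():
        parts = line.replace(",", " ").split()
        insns.append((parts[0], parts[1:]))
    return insns


def value_of(state: dict, operand: str):
    """Resolve an operand to a known constant, or None if unknown."""
    if operand.startswith("0x"):
        return int(operand, 16)
    return state.get(operand)


def semantic_detect(program: str) -> bool:
    """Semantics-aware detector: tracks the effect of each instruction on an
    abstract register state and flags the trait when a call targets a
    register whose value is TARGET, whatever encoding produced that value."""
    state = {}
    for mnem, ops in parse(program):
        if mnem == "nop":
            continue                      # no effect on state
        elif mnem == "mov":
            state[ops[0]] = value_of(state, ops[1])
        elif mnem == "add":
            a, b = state.get(ops[0]), value_of(state, ops[1])
            state[ops[0]] = None if a is None or b is None else a + b
        elif mnem == "xor" and ops[0] == ops[1]:
            state[ops[0]] = 0             # xor r, r zeroes r
        elif mnem == "call":
            if value_of(state, ops[0]) == TARGET:
                return True
        elif ops:
            state[ops[0]] = None          # unmodelled instruction: forget the destination


def compare_detectors():
    """Return {sample: (syntactic verdict, semantic verdict)} for every sample."""
    return {name: (syntactic_detect(p), bool(semantic_detect(p)))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in compare_detectors().items():
        print(f"{name:15s} syntactic={verdicts[0]!s:5s} semantic={verdicts[1]}")
```

Only the original encoding trips the text signature; the semantic detector accepts all three obfuscated variants and still rejects the benign program. Real binaries need a disassembler and a far richer instruction model, but the shape of the argument in the abstract is the same.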

Date and location: Wednesday, April 27, 2005, 2:00 - 3:00 PM, 2310 CS
Speaker: Shai Rubin, Department of Computer Sciences, University of Wisconsin
Title: Language-Based Generation and Evaluation of NIDS Signatures

We present a methodology to automatically construct robust signatures whose accuracy is based on formal reasoning so it can be systematically evaluated.

Our methodology is based on two formal languages that describe different properties of a given attack. The first language, called a session signature, describes temporal relations between the attack events. The second, called an attack invariant, describes semantic properties that hold in any instance of the attack. For example, an invariant may state that a given FTP attack must include a successful FTP login and can be launched only after the FTP representation mode has been set to ASCII. We iteratively eliminate false positives and negatives from an initial session signature by comparing the signature language to the language of the invariant.

We developed GARD, a tool for session-signature construction, and used it to construct session signatures for multi-step attacks. We show that a session signature is more accurate than existing signatures.
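The two formal objects in the abstract, a session signature (temporal relations between events) and an attack invariant (a semantic property every instance satisfies), can be illustrated with a small matcher. This is an added example, not GARD and not the paper's formalism: it assumes an FTP-like event alphabet (LOGIN_OK, TYPE_A, TYPE_I, LONG_STOR, OTHER), an assumed argument-length threshold LONG_ARG, and a handful of constructed sessions. The refinement loop is shown by comparing the signature against the invariant over those sessions rather than by the language comparison the abstract describes.

```python
"""Toy session-signature matcher with an attack-invariant check.
Constructed illustration; not GARD.  A session is a list of FTP-like command
strings, abstracted into the event symbols that signatures and invariants use."""

LONG_ARG = 64  # assumed threshold: a STOR argument longer than this is the suspicious event


def abstract(cmd: str) -> str:
    """Map a raw command line to the event alphabet."""
    verb, _, arg = cmd.partition(" ")
    if verb == "PASS":
        return "LOGIN_OK" if arg == "ok" else "LOGIN_FAIL"
    if verb == "TYPE":
        return "TYPE_A" if arg == "A" else "TYPE_I"
    if verb == "STOR" and len(arg) > LONG_ARG:
        return "LONG_STOR"
    return "OTHER"


def signature_matches(signature, events, start=0) -> bool:
    """Session signature: a list of (symbol, forbidden) steps that must occur in
    temporal order; 'forbidden' symbols may not appear between a step and its
    predecessor.  Backtracks over alternative occurrences of each symbol."""
    if not signature:
        return True
    symbol, forbidden = signature[0]
    for i in range(start, len(events)):
        if events[i] in forbidden:
            return False   # every later occurrence of symbol would have it in between
        if events[i] == symbol and signature_matches(signature[1:], events, i + 1):
            return True
    return False


def invariant_holds(events) -> bool:
    """Attack invariant (the abstract's example): the long STOR is sent by a
    logged-in client while the representation mode is ASCII."""
    logged_in, mode = False, "I"
    for e in events:
        if e == "LOGIN_OK":
            logged_in = True
        elif e == "TYPE_A":
            mode = "A"
        elif e == "TYPE_I":
            mode = "I"
        elif e == "LONG_STOR":
            return logged_in and mode == "A"
    return False


def false_positives(signature, sessions):
    """Sessions the signature accepts although the invariant rejects them."""
    return [n for n, evs in sessions.items()
            if signature_matches(signature, evs) and not invariant_holds(evs)]


def false_negatives(signature, sessions):
    """Sessions the invariant accepts although the signature rejects them."""
    return [n for n, evs in sessions.items()
            if invariant_holds(evs) and not signature_matches(signature, evs)]


PAYLOAD = "X" * 100  # constructed oversized argument
RAW_SESSIONS = {
    "genuine": ["USER alice", "PASS ok", "TYPE A", f"STOR {PAYLOAD}"],
    "no_login": ["USER bob", "PASS fail", f"STOR {PAYLOAD}"],
    "binary_mode": ["USER carol", "PASS ok", "TYPE I", f"STOR {PAYLOAD}"],
    "mode_switched_back": ["USER dave", "PASS ok", "TYPE A", "TYPE I", f"STOR {PAYLOAD}"],
    "mode_reset": ["USER erin", "PASS ok", "TYPE A", "TYPE I", "TYPE A", f"STOR {PAYLOAD}"],
    "benign": ["USER frank", "PASS ok", "TYPE A", "STOR notes.txt"],
}
SESSIONS = {n: [abstract(c) for c in cmds] for n, cmds in RAW_SESSIONS.items()}

# Iteration 0: a naive signature keyed only on the suspicious event.
SIG0 = [("LONG_STOR", set())]
# Iteration 1: add the temporal relations the invariant demands.
SIG1 = [("LOGIN_OK", set()), ("TYPE_A", set()), ("LONG_STOR", set())]
# Iteration 2: forbid a switch back to binary mode between TYPE A and the STOR.
SIG2 = [("LOGIN_OK", set()), ("TYPE_A", set()), ("LONG_STOR", {"TYPE_I"})]


def refinement_trace():
    """(false positives, false negatives) after each refinement step."""
    return [(false_positives(s, SESSIONS), false_negatives(s, SESSIONS))
            for s in (SIG0, SIG1, SIG2)]


if __name__ == "__main__":
    for step, (fp, fn) in enumerate(refinement_trace()):
        print(f"iteration {step}: false positives={fp} false negatives={fn}")
```

Each iteration shrinks the set of sessions the signature accepts but the invariant rejects, without introducing misses: the "mode_reset" session, where ASCII mode is re-established before the STOR, is still matched by the final signature because the matcher backtracks to the later TYPE A.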

Created and maintained by Mihai Christodorescu (http://www.cs.wisc.edu/~mihai)
Created: Fri Jul 29 11:34:22 2005
Last modified: Fri Jul 29 11:35:25 Central Daylight Time 2005