Fighting malicious software

Abstract

Malicious software, or malware, has evolved into one of the most severe security threats on today's Internet. Despite many years of research and development from both academia and industry, the problem is still poorly contained. In this paper, we make the case for a malware defense approach that uses expressive behavior specifications that are general enough to characterize and detect a wide variety of malicious programs. Moreover, our approach can quickly react to new malware families. To this end, the system automatically generates specifications based on the observation of the execution of malware programs. That is, the system executes and monitors new malware programs in a controlled analysis environment. Based on these observations, the system identifies behavior that reflects malicious activity. This program behavior is then automatically translated into specifications that can be used for malware detection. The work discussed in this paper would not have been possible without the tireless efforts of many graduate students and the collaboration with my colleagues. I would like to especially thank Clemens Kolbitsch, Paolo Milani Comparetti, Andreas Moser and Engin Kirda, who have made major contributions to those techniques that are described in more detail in this paper. © Springer-Verlag 2012.

Cite

Kruegel, C. (2012). Fighting malicious software. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7671 LNCS, pp. 1–15). https://doi.org/10.1007/978-3-642-35130-3_1
