CAREER: Language-based Security for Polymorphic Malware Protection

Project Details

Lead PI

Performance Period

Aug 01, 2011 - Jul 31, 2017

Institution(s)

University of Texas at Dallas

Award Number


Outcomes Report URL


Viruses, worms, and other self-propagating malware remain significant ongoing security threats to almost all sectors of the nation's cyber-infrastructure, including government, business, and home consumers. The escalating rate of new malware appearances increasingly threatens to outpace the defense community's ability to maintain effective detection systems. This is in part because many malware detection algorithms identify malicious software based on syntactic features. Polymorphic malware continually evolves new syntaxes as it propagates, introducing hundreds or thousands of new syntaxes per day that implement the same malicious behavior. Discovering practical, scalable techniques for reliably detecting new polymorphic malware variants is therefore one of the most significant challenges currently facing the computer security industry.

This project develops hybrid static-dynamic technologies that detect malware based on semantic rather than purely syntactic code features. Thus, malware is identified based on the meaning of its malicious programming rather than the syntax with which it implements it. Malicious payloads are identified by applying traditionally static code analyses to decrypted memory pages intercepted dynamically at runtime. A major goal of the project is to develop technologies that are scalable and practical for standard computer hardware and operating systems. This will allow wide-scale deployment of results, and help to protect the nation from distributed attacks that compromise large numbers of low-priority targets in order to attack higher-priority targets. Results from the research will lead to powerful new strategies, concepts, and practical tools that give defenders a significant new advantage in the virus-antivirus arms race, and improve the national cyber-infrastructure's resilience against cyber-attacks.
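The following is an added toy model (not code from this project) of the distinction the abstract draws: a signature over the packed bytes only matches the one variant it was built from, while a static analysis run over the page as it looks after runtime decryption recognises every variant of the same behaviour. The XOR "packer", the action-script format and the sample payloads are constructed stand-ins.

```python
# Added example: syntactic signatures vs. analysis of runtime-decrypted pages.
# All payloads, keys and the action-script format are constructed sample data.
import hashlib
from dataclasses import dataclass

# Constructed behaviours, written as tiny action scripts (op:arg;op:arg;...).
MALICIOUS = b"read:creds;connect:203.0.113.9:8080;send:creds"
BENIGN = b"read:config;connect:203.0.113.9:8080;send:telemetry"

def xor_pack(payload: bytes, key: int) -> bytes:
    """Polymorphic packer stand-in: same behaviour, different bytes per key."""
    return bytes(b ^ key for b in payload)

@dataclass
class MemoryPage:
    raw: bytes   # bytes as they sit before the unpacker runs
    key: int     # key the unpacker applies at runtime

    def decrypt(self) -> bytes:
        """Models the page as intercepted dynamically, after decryption."""
        return xor_pack(self.raw, self.key)

def syntactic_signature(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def syntactic_detect(page: MemoryPage, known: set) -> bool:
    """Classic signature check on the raw (still packed) bytes."""
    return syntactic_signature(page.raw) in known

def parse_actions(decrypted: bytes) -> list:
    """Static-analysis stand-in: recover the action list from the page."""
    actions = []
    for item in decrypted.split(b";"):
        op, _, arg = item.partition(b":")
        actions.append((op.decode(), arg.decode()))
    return actions

def semantic_detect(page: MemoryPage) -> bool:
    """Flags the meaning 'read credentials, open a connection, send them'."""
    actions = parse_actions(page.decrypt())
    connects = any(op == "connect" for op, _ in actions)
    return ("read", "creds") in actions and connects and ("send", "creds") in actions

def compare(keys: list) -> tuple:
    """Returns (syntactic hits, semantic hits) over one variant per key."""
    known = {syntactic_signature(xor_pack(MALICIOUS, keys[0]))}  # first seen
    pages = [MemoryPage(xor_pack(MALICIOUS, k), k) for k in keys]
    return (sum(syntactic_detect(p, known) for p in pages),
            sum(semantic_detect(p) for p in pages))
```

With three variants, the signature catches only the variant it was derived from while the semantic check catches all three and does not flag the benign script.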