Funded by: Department of Defense
This is a three-year effort sponsored by the National Security Agency. We began work on this project in August of 2001.
The goal of this project is to develop techniques that will aid an analyst in the process of detecting and understanding malicious software. The current process of malicious software analysis relies on a great deal of manual effort by highly skilled experts in this area. The cost of analyzing a potentially malicious program can be measured both in man-hours and in the damage caused by not reacting quickly enough to an emerging threat.
Our work on this project can be divided into two areas: identifying malicious software and understanding malicious software. We are developing methods of locating malicious software that has attached itself to a benign host program (as is commonly the case with executable viruses and Trojan horses). These techniques enable an analyst to quickly distinguish the regions of an application that need to be analyzed from those that are irrelevant to the analysis. The second year of this project focuses on leveraging domain knowledge of malicious software to improve automated program understanding capabilities. Combined, these approaches will greatly reduce the work required by an expert to locate and analyze malicious software in a laboratory environment.