Malware Analysis and Detection

Our research focuses on how malware can be analyzed, detected, and blocked. Malware is a generic term that encompasses many types of malicious software components. Traditionally, malware was detected using syntax-based signatures that match a specific part of a malware instance's representation (for example, a fixed byte sequence). However, such techniques cannot detect previously unseen malware components and, most notably, polymorphic malware, whose representation changes from instance to instance. Therefore, our research has focused on characterizing malware by its behavior or structure, which are independent of the malware's particular representation.

We developed a number of techniques that use emulation, simulation, and instrumentation to collect events associated with the execution of malware, and then analyze these events to identify malicious behavior.
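The contrast between the two approaches, as an added illustration that is not code from the group or from any of the tools listed below: a byte-pattern signature derived from one sample misses a re-encoded variant of the same program, while a rule over the events collected from an instrumented run ("drop an executable, register it for autostart, run it") matches both variants and ignores a benign program that performs the same three API calls on unrelated objects. The API names, byte blobs, and traces are constructed for the example.

```python
"""Signature matching vs. behaviour matching over constructed malware traces.

Added example (not code from the research group or its tools). Byte blobs,
API names and the event traces below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    """One event captured from an instrumented or emulated run: API name plus arguments."""
    api: str
    args: Tuple[str, ...]


# --- Constructed samples -------------------------------------------------
# Two "variants" of one malware family: identical behaviour, different bytes
# (the second is a re-encoded, polymorphic copy of the first).
VARIANT_A_BYTES = b"\x90\x90\xe8\x00\x00\x00\x00\x5dMALW-A"
VARIANT_B_BYTES = b"\x31\xc0\x50\x58\xe8\x00\x00\x00\x00MALW-B"
# Syntactic signature derived from variant A only.
SIGNATURE_A = b"\x90\x90\xe8\x00\x00\x00\x00"


def signature_match(blob: bytes, signature: bytes) -> bool:
    """Classic syntax-based detection: does the signature byte string occur in the file?"""
    return signature in blob


# Both variants produce this trace when executed in the sandbox (constructed).
MALWARE_TRACE: List[Event] = [
    Event("CreateFileW", ("C:\\Users\\Public\\svc.exe",)),
    Event("WriteFile", ("C:\\Users\\Public\\svc.exe", "4096")),
    Event("RegSetValueExW", ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                             "svc", "C:\\Users\\Public\\svc.exe")),
    Event("CreateProcessW", ("C:\\Users\\Public\\svc.exe",)),
]

# A benign program: drops a file, touches the registry and starts a process, but the
# three actions are unrelated, so the behavioural rule must not fire.
BENIGN_TRACE: List[Event] = [
    Event("CreateFileW", ("C:\\Users\\alice\\notes.txt",)),
    Event("RegSetValueExW", ("HKCU\\Software\\Editor", "LastFile", "C:\\Users\\alice\\notes.txt")),
    Event("CreateProcessW", ("C:\\Windows\\System32\\notepad.exe",)),
]

# --- Behavioural rule ---------------------------------------------------
# A rule is an ordered list of (api, predicate) steps. Predicates receive a
# binding dict so later steps can refer to values captured by earlier steps.
Binding = Dict[str, str]
Step = Tuple[str, Callable[[Event, Binding], bool]]


def _drop_executable(ev: Event, b: Binding) -> bool:
    path = ev.args[0]
    if not path.lower().endswith(".exe"):
        return False
    b["dropped"] = path  # remember which file was dropped
    return True


def _persist_dropped_file(ev: Event, b: Binding) -> bool:
    key, _name, data = ev.args
    return key.endswith("\\Run") and data == b["dropped"]


def _execute_dropped_file(ev: Event, b: Binding) -> bool:
    return ev.args[0] == b["dropped"]


# "Drop an executable, register it for autostart, then run it": a description of
# behaviour that does not depend on the bytes of any particular sample.
DROP_PERSIST_EXECUTE: Sequence[Step] = [
    ("CreateFileW", _drop_executable),
    ("RegSetValueExW", _persist_dropped_file),
    ("CreateProcessW", _execute_dropped_file),
]


def behaviour_match(trace: Sequence[Event], rule: Sequence[Step]) -> bool:
    """Ordered (not necessarily contiguous) subsequence match with backtracking.

    Unrelated events between steps are skipped; if a later step fails under
    the current binding, earlier candidate events are retried.
    """
    def rec(t_idx: int, r_idx: int, binding: Binding) -> bool:
        if r_idx == len(rule):
            return True
        api, pred = rule[r_idx]
        for i in range(t_idx, len(trace)):
            ev = trace[i]
            if ev.api != api:
                continue
            trial = dict(binding)  # copy so a failed branch does not leak bindings
            if pred(ev, trial) and rec(i + 1, r_idx + 1, trial):
                return True
        return False

    return rec(0, 0, {})


if __name__ == "__main__":
    for name, blob in (("A", VARIANT_A_BYTES), ("B", VARIANT_B_BYTES)):
        print(f"variant {name}: signature={signature_match(blob, SIGNATURE_A)} "
              f"behaviour={behaviour_match(MALWARE_TRACE, DROP_PERSIST_EXECUTE)}")
    print("benign:", behaviour_match(BENIGN_TRACE, DROP_PERSIST_EXECUTE))
```

The binding dict is what makes the rule about structure rather than about individual calls: a program that drops one file and runs a different one does not match, and the same rule applies unchanged to any sample whose trace exhibits the behaviour, however its code is encoded.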

Disassembly of obfuscated binary code

"Real programmers can write assembly code in any language." -- Larry Wall

People involved: Darren Mutz, Engin Kirda, Christopher Kruegel, Giovanni Vigna, Fredrik Valeur, William Robertson

Dynamic Tracing of Binary Code Execution

Dynamic application execution tracer

People involved: Christopher Kruegel, William Robertson

Anubis: Analyzing Unknown Binaries

Anubis is a service for analyzing the behavior of Windows PE executables, with a special focus on the analysis of malware.

People involved: Clemens Kolbitsch, Dhilung Kirat, Yan Shoshitaishvili