Malware Analysis and Detection
Our research focuses on determining how malware can be analyzed, detected, and blocked. Malware is a very generic term that encompasses different types of malicious software components. Traditionally, malware was detected by using syntax-based signatures that attempt to detect a specific part of the representation of a malware instance. However, these techniques are not able to detect previously unseen malware components, and, most notably, polymorphic malware. Therefore, our research has focused on how to characterize malware using its behavior or structure, which are independent of the malware's particular representation.
We developed a number of techniques that use emulation, simulation, and instrumentation to collect events associated with the execution of malware, and then analyze these events to identify malicious behavior.
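The contrast drawn above, as an added illustration (constructed example code, not code from the page or from the group's tools): a syntax-based byte signature found in one sample misses a variant that stores the same payload encoded, while a behavior-based rule evaluated over run-time event traces flags both and still leaves two benign programs alone. All samples, signatures and traces are constructed toy data.

```python
# Added illustration (not from the page): a syntactic byte signature versus a
# behavior-based rule evaluated over a run-time event trace.  Every sample,
# signature and trace below is constructed.
Event = tuple[str, str]  # (API or syscall name, principal argument)

# ---- Syntax-based detection ------------------------------------------------
# Constructed signature: a byte string lifted from sample A's clear-text payload.
SIGNATURE = b"CONSTRUCTED_PAYLOAD_MARKER"


def xor_encode(data: bytes, key: int) -> bytes:
    """Trivial one-byte XOR, standing in for a polymorphic packer's encoding."""
    return bytes(b ^ key for b in data)


# Sample A carries the payload in clear; sample B is a "polymorphic variant"
# that stores the same payload encoded and would decode it only at run time.
# Both images are constructed toy data, not real executables.
SAMPLE_A = b"MZ" + b"<stub>" + SIGNATURE + b"<tail>"
SAMPLE_B = b"MZ" + b"<stub>" + xor_encode(SIGNATURE, 0x5A) + b"<tail>"


def signature_match(image: bytes, signature: bytes = SIGNATURE) -> bool:
    """Does the raw file image contain the signature bytes verbatim?"""
    return signature in image


# ---- Behavior-based detection ---------------------------------------------
# Event traces as an emulator or instrumented run might record them (constructed).
TRACE_A: list[Event] = [
    ("NtCreateFile", r"C:\Users\alice\AppData\Local\Browser\Cookies"),
    ("ReadFile", r"C:\Users\alice\AppData\Local\Browser\Cookies"),
    ("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("connect", "203.0.113.7:443"),
    ("send", "203.0.113.7:443"),
]
# The variant: same actions, different order, different names, noise events.
TRACE_B: list[Event] = [
    ("GetTickCount", ""),
    ("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd8"),
    ("Sleep", "3000"),
    ("connect", "198.51.100.23:8080"),
    ("NtCreateFile", r"C:\Users\bob\AppData\Local\Browser\Cookies"),
    ("ReadFile", r"C:\Users\bob\AppData\Local\Browser\Cookies"),
    ("send", "198.51.100.23:8080"),
]
# A browser legitimately reads its own cookie store and talks to the network,
# but does not register itself for persistence.
TRACE_BROWSER: list[Event] = [
    ("ReadFile", r"C:\Users\alice\AppData\Local\Browser\Cookies"),
    ("connect", "192.0.2.10:443"),
    ("send", "192.0.2.10:443"),
]
# An installer registers a Run key but never touches sensitive user data.
TRACE_INSTALLER: list[Event] = [
    ("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\app"),
    ("NtCreateFile", r"C:\Program Files\App\app.exe"),
]


def _is_persistence(ev: Event) -> bool:
    api, arg = ev
    return api == "RegSetValue" and "\\currentversion\\run\\" in arg.lower()


def _is_sensitive_read(ev: Event) -> bool:
    api, arg = ev
    return api == "ReadFile" and arg.lower().endswith("cookies")


def _is_network_send(ev: Event) -> bool:
    return ev[0] == "send"


def behavior_profile(trace: list[Event]) -> set[str]:
    """Summarize a trace as the set of behaviors it exhibits.

    The third behavior is order-sensitive: a network send only counts
    if it happens after the sensitive data was read.
    """
    found: set[str] = set()
    if any(_is_persistence(e) for e in trace):
        found.add("persistence")
    first_read = next((i for i, e in enumerate(trace) if _is_sensitive_read(e)), None)
    if first_read is not None:
        found.add("reads_sensitive_data")
        if any(_is_network_send(e) for e in trace[first_read + 1:]):
            found.add("sends_after_sensitive_read")
    return found


SPYWARE_PROFILE = {"persistence", "reads_sensitive_data", "sends_after_sensitive_read"}


def is_spyware_like(trace: list[Event]) -> bool:
    """All three behaviors together form the (toy) spyware profile."""
    return SPYWARE_PROFILE <= behavior_profile(trace)


if __name__ == "__main__":
    for name, image in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(f"signature on sample {name}: {signature_match(image)}")
    for name, trace in (("A", TRACE_A), ("B", TRACE_B),
                        ("browser", TRACE_BROWSER), ("installer", TRACE_INSTALLER)):
        print(f"behavior of {name}: {sorted(behavior_profile(trace))} -> {is_spyware_like(trace)}")
```

The point of the order-sensitive third rule is that a behavioral profile should describe a relationship between events (data was read, then something left the host), not merely the presence of individual API calls; requiring all three behaviors together is what keeps the browser and the installer traces from matching.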
"Real programmers can write assembly code in any language." -- Larry Wall
Behavior-based Spyware Detection
Dynamic application execution tracer
An insider view of a real-world botnet
Graph-Based Detection of Polymorphic Worms
Anubis is a service for analyzing the behavior of Windows PE executables, with special focus on the analysis of malware.