PROTEUS: Protection Environment for Untrusted Software

Period of Performance: 04/27/2006 - 04/27/2007


Phase 1 SBIR

Recipient Firm

Kestrel Technology LLC
3260 Hillview Avenue
Palo Alto, CA 94304
Principal Investigator


Current commercial techniques seek to extend syntactic detection mechanisms, since these are relatively fast and can be generic over a rich pattern language. However, malware writers use increasingly sophisticated obfuscations, and generic pattern-matching techniques will no longer provide adequate protection. Polymorphic viruses (whose body is encrypted) are common in the wild, and metamorphic viruses (which take a different form with each reproduction) are becoming more common as virus writers seek to evade the enhanced detection capabilities of the best available anti-virus software. The code transformations used by malware writers are also becoming increasingly semantic, taking the meaning of the code into account rather than just its syntactic form.

Consequently, it will be increasingly necessary to have customized algorithms for detecting each new malware artifact, a practice known as "algorithmic detection". An algorithmic detector is specialized to the semantic characterization of a malware artifact and is optimized for its detection. We propose to develop technology for modeling malware behavior (the characteristics of a malware entity caught in the wild), and for automatically generating a customized detector from the malware model. The customized detector will include the static analysis capabilities of current commercial tools, but will be extended with semantic analysis.
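The following is an added illustration, not code from the PROTEUS proposal or from Kestrel Technology, of the distinction the abstract draws between syntactic and semantic detection. It uses a constructed toy program written as a handful of x86-style mnemonics (no real malware) and a second, constructed version of it in which meaning is preserved but the text is rewritten. A verbatim-sequence signature matches only the original; a detector that first canonicalises each instruction to its abstract effect (one simple instance of the "semantic characterization" the abstract proposes) matches both while still rejecting an unrelated benign sequence. The canonicalisation rules, instruction set and sample sequences are all assumptions made for the example.

```python
import re

# Constructed toy specimen: a short instruction sequence standing in for the
# behaviour a detector is meant to recognise. Not real malware.
SPECIMEN = [
    "mov eax, 0",
    "push ebx",
    "add eax, 4",
    "call open_file",
]

# Constructed semantically equivalent rewrite of SPECIMEN: register zeroing via
# xor instead of mov, a no-op inserted, and "add 4" expressed as "sub -4".
# The meaning is unchanged; the text is not.
REWRITTEN = [
    "xor eax, eax",
    "nop",
    "push ebx",
    "sub eax, -4",
    "call open_file",
]

# Constructed benign sequence that shares one instruction with SPECIMEN.
BENIGN = [
    "xor ecx, ecx",
    "call open_file",
]


def syntactic_match(program, signature):
    """Classic pattern matching: does `signature` occur verbatim as a
    contiguous run inside `program`? Works on any list of comparable items."""
    n = len(signature)
    return any(program[i:i + n] == signature for i in range(len(program) - n + 1))


def canonical(insn):
    """Map one mnemonic to an abstract effect tuple, or None if it has none.
    These rewrite rules are an assumption of the example, chosen to cover the
    transformations used in REWRITTEN."""
    m = re.match(r"(\w+)\s*(.*)", insn.strip())
    op = m.group(1)
    args = [a.strip() for a in m.group(2).split(",") if a.strip()]
    is_imm = lambda s: s.lstrip("-").isdigit()  # immediate operand?

    if op == "nop":
        return None                                   # no semantic effect
    if op == "xor" and len(args) == 2 and args[0] == args[1]:
        return ("set", args[0], 0)                    # xor r, r  ==  r := 0
    if op == "mov" and len(args) == 2 and is_imm(args[1]):
        return ("set", args[0], int(args[1]))         # mov r, imm ==  r := imm
    if op in ("add", "sub") and len(args) == 2 and is_imm(args[1]):
        delta = int(args[1]) if op == "add" else -int(args[1])
        return ("add", args[0], delta)                # sub r, -k  ==  add r, k
    return (op, *args)                                # everything else: as-is


def normalize(program):
    """Canonicalise every instruction and drop the ones with no effect."""
    return [c for c in (canonical(i) for i in program) if c is not None]


def semantic_match(program, signature_program):
    """Match on canonical effects rather than on instruction text."""
    return syntactic_match(normalize(program), normalize(signature_program))


if __name__ == "__main__":
    for name, prog in (("specimen", SPECIMEN), ("rewritten", REWRITTEN), ("benign", BENIGN)):
        print(f"{name:9s} syntactic={syntactic_match(prog, SPECIMEN)!s:5s} "
              f"semantic={semantic_match(prog, SPECIMEN)}")
```

The semantic detector here is only a per-instruction normaliser, so it is a deliberately modest stand-in for the behaviour models the abstract describes; the point it makes is that once the matcher operates on canonical effects rather than on bytes or mnemonics, a textual rewrite of the same behaviour no longer escapes it, and the benign sequence is still rejected because its normalised form does not contain the full signature.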