Computer Science Colloquium Series - Wednesday, February 11th, 2009 - 12:30-1:15 - CCT 208

“A Fast Approximate Detector for W32.Simile Malware”

The lecture will be given by Edna Milgo, a graduate student from the TSYS Department of Computer Science conducting research on malware.

Refreshments will be served!!!

W32.Simile is malware that contains a sophisticated transformation (or metamorphic) engine that implements source-to-source code substitution, dead code insertion and code permutation transformations, as well as encryption. The metamorphic engine enables W32.Simile to change its appearance each time it replicates. Metamorphism challenges the time and space resources of traditional signature-based anti-virus scanners, since these scanners have to create, store, and distribute a signature for each of a possibly vast number of malware variants.

Our experiments revealed a range of thresholds that enabled us to discriminate, using just the instruction frequency distributions of programs in our training and testing sets, W32.Simile variants from non-variants. This method is efficient since only disassembly is needed to make a preliminary judgment on whether more elaborate program analyses are needed to ascertain that a suspect program is indeed a variant of W32.Simile.