Silvio Cesare is a PhD student at Deakin University. His research interests include malware detection and automated vulnerability discovery using static analysis of executable binaries. He has previously spoken at conferences including Black Hat, CanSecWest and Ruxcon, and at academic venues. He is an author of the book Software Similarity and Classification, published by Springer, and has worked in industry in Australia, France and the United States. This work includes time as the scanner architect of the vulnerability management company Qualys.
Effective flowgraph-based malware variant detection
Malware is a major problem. Traditional antivirus has relied on static string signatures to detect malicious samples, and such signatures are poor at detecting unknown variants of known malware. Control flow, used as a signature based on program structure rather than on byte patterns, performs better. We designed a system that uses a set of control flow graphs as a signature. We used techniques from decompilation to transform those control flow graphs into strings, and we tried a number of novel techniques to build similarity and distance metrics for comparing those signatures. We ended up using an algorithm that combines string metrics with combinatorial optimization. The system we implemented is around 100,000 lines of C++ code, and we have been working on it for several years, trying and evaluating a variety of algorithms and approaches. In the evaluation of our current research it is more effective than our work from last year. It runs in real time, taking a median of 0.06s to scan a benign binary and 0.84s to scan a malicious binary. We think it could be employed in future antivirus products.
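The following Python sketch is an added illustration of the pipeline the abstract describes; it is not the authors' code and not the 100,000-line system mentioned above. It shows the three stages in miniature: a procedure's control flow graph is turned into a structured string using dominator and post-dominator analysis (one of the techniques decompilers use to recover if/else and loop regions), two strings are compared with a normalised Levenshtein distance, and the sets of per-procedure strings for two programs are matched by solving a small assignment problem, here by brute force. The sample graphs, the token alphabet (B for a basic block, I{..}{..} for an if/else, W{..} for a loop, R for a return), the scoring rule and the brute-force matcher are all assumptions of this example; the paper's actual string encoding, metrics and thresholds are not given on this page.

```python
from itertools import permutations

def reverse(succ):
    """Reverse every edge of a successor map (gives predecessors; used for post-dominators too)."""
    rev = {n: [] for n in succ}
    for n, targets in succ.items():
        for t in targets:
            rev[t].append(n)
    return rev

def dominators(succ, root):
    """Iterative dominator sets. Run on the reversed graph with the exit as root for post-dominators."""
    nodes, preds = list(succ), reverse(succ)
    dom = {n: set(nodes) for n in nodes}
    dom[root] = {root}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == root:
                continue
            ps = [dom[p] for p in preds[n]]
            new = {n} | (set.intersection(*ps) if ps else set())
            if new != dom[n]:
                dom[n], changed = new, True
    return dom

def immediate(domsets, n):
    """Closest strict (post-)dominator: the sets form a chain, so it is the one with the largest set."""
    strict = domsets[n] - {n}
    return max(strict, key=lambda m: len(domsets[m])) if strict else None

def natural_loops(cfg, dom):
    """Map loop header -> body nodes, from back edges u->h where h dominates u."""
    preds, loops = reverse(cfg), {}
    for u, targets in cfg.items():
        for h in targets:
            if h in dom[u]:
                body, work = {h}, [u]
                while work:
                    n = work.pop()
                    if n not in body:
                        body.add(n)
                        work.extend(preds[n])
                loops.setdefault(h, set()).update(body)
    return loops

def structure(cfg, node, region, stops, pdom, loops):
    """Walk a region and emit B (block), I{..}{..} (if/else), W{..} (loop) and R (return).
    Simplifying assumption: reducible CFG, single-exit loops, no break/continue."""
    out = []
    while node is not None and node in region and node not in stops:
        succ = cfg[node]
        if node in loops:                      # loop header: structure the body, continue at the loop exit
            body = loops[node]
            entry = next(s for s in succ if s in body)
            out.append("W{%s}" % structure(cfg, entry, body, stops | {node}, pdom, loops))
            exits = sorted(s for n in body for s in cfg[n] if s not in body)
            node = exits[0] if exits else None
        elif len(succ) == 2:                   # conditional: arms end at the immediate post-dominator
            merge = immediate(pdom, node)
            arms = [structure(cfg, s, region, stops | {merge}, pdom, loops) for s in succ]
            out.append("I{%s}{%s}" % tuple(arms))
            node = merge
        elif len(succ) == 1:
            out.append("B")
            node = succ[0]
        else:
            out.append("R")
            node = None
    return "".join(out)

def signature(cfg):
    """Structured-string signature of one procedure (entry = first key, exit = node with no successors)."""
    entry = next(iter(cfg))
    exit_node = next(n for n, s in cfg.items() if not s)
    pdom = dominators(reverse(cfg), exit_node)
    loops = natural_loops(cfg, dominators(cfg, entry))
    return structure(cfg, entry, set(cfg), frozenset(), pdom, loops)

def edit_distance(a, b):
    """Levenshtein distance with two rows of dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Normalised string similarity in [0, 1]."""
    return 1.0 if not a and not b else 1.0 - edit_distance(a, b) / max(len(a), len(b))

def program_similarity(sig_funcs, sample_funcs):
    """Assignment problem: pair each string of the smaller set with a distinct string of the larger
    set so the total similarity is maximal, then average over the larger set. Brute force is used
    here for clarity; a real scanner would use a Hungarian or greedy matcher."""
    small, large = sorted((sig_funcs, sample_funcs), key=len)
    if not large:
        return 1.0
    best = 0.0
    for perm in permutations(range(len(large)), len(small)):
        best = max(best, sum(similarity(small[i], large[j]) for i, j in enumerate(perm)))
    return best / len(large)

# Constructed sample CFGs (node -> successors). The "variant" has one extra block in one loop arm.
LOOP_WITH_IF = {0: [1], 1: [2, 5], 2: [3, 4], 3: [1], 4: [1], 5: []}
LOOP_WITH_IF_VARIANT = {0: [1], 1: [2, 6], 2: [3, 4], 3: [1], 4: [5], 5: [1], 6: []}
IF_ELSE = {0: [1, 2], 1: [3], 2: [3], 3: []}
STRAIGHT = {0: [1], 1: [2], 2: []}
KNOWN_MALWARE = [signature(LOOP_WITH_IF), signature(IF_ELSE)]   # ['BW{I{B}{B}}R', 'I{B}{B}R']
VARIANT = [signature(LOOP_WITH_IF_VARIANT), signature(IF_ELSE)]  # ['BW{I{B}{BB}}R', 'I{B}{B}R']
BENIGN = [signature(STRAIGHT)]                                   # ['BBR']

if __name__ == "__main__":
    print(KNOWN_MALWARE, VARIANT, BENIGN)
    print("variant:", program_similarity(KNOWN_MALWARE, VARIANT))
    print("benign: ", program_similarity(KNOWN_MALWARE, BENIGN))
```

The variant scores (1 + 12/13) / 2, a little over 0.96, because the inserted block costs one edit in a 13-character string and the unchanged procedure matches exactly, while the unrelated straight-line program scores under 0.2; a detection threshold sits between those two. Matching the procedure sets as an assignment problem, rather than comparing strings pairwise and taking the best hit, is what stops one shared library routine from inflating the score of an otherwise unrelated binary.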
Copyright © 2012 The University of Queensland, authorised by AusCERT Program Committee, maintained by: auscert@auscert.org.au