Coordinator | FOUNDATION FOR RESEARCH AND TECHNOLOGY HELLAS
Organization address | N PLASTIRA STR 100
Coordinator nationality | Greece [EL]
Total cost | 230,952 €
EC contribution | 230,952 €
Programme | FP7-PEOPLE
Specific programme "People" implementing the Seventh Framework Programme of the European Community for research, technological development and demonstration activities (2007 to 2013)
Call code | FP7-PEOPLE-2009-IOF
Funding scheme | MC-IOF
Start year | 2010
Period (year-month-day) | 2010-07-01 - 2013-06-30

# | Participant | Country (city) | Role | Contribution (€)
---|---|---|---|---
1 | FOUNDATION FOR RESEARCH AND TECHNOLOGY HELLAS (N PLASTIRA STR 100) | EL (HERAKLION) | coordinator | 230,952.10
'After many years of security research and engineering, code injection attacks remain one of the most common methods for malware propagation, exposing significant limitations in current state-of-the-art attack detection systems. For instance, the recent massive outbreak of the Conficker worm in the beginning of 2009 resulted in more than 10 million infected machines worldwide. Malicious web sites also launch code injection attacks against unsuspecting visitors by exploiting vulnerabilities in popular web browsers, document viewers, media players, and other client applications. The increasing professionalism of cyber criminals and the constant rise in the number of malware variants and malicious websites make the need for effective malicious code detection more critical than ever. Once sophisticated tricks of only the most skilled virus authors, advanced evasion techniques like code obfuscation and polymorphism are now the norm in most malware variants and code injection attacks. As the number of new vulnerabilities and malware variants grows at a frenetic pace, detection approaches based on threat signatures, which are employed by most virus scanners and intrusion detection systems, cannot cope with the vast number of new malicious code variants. In the proposed project, we plan to design, develop, and evaluate novel malicious code detection algorithms based on code emulation. Working at the lowest level---the actual instructions that get executed---dynamic analysis using emulation unveils the actual malicious code without being affected by evasion techniques like encryption, polymorphism, or code obfuscation. Focusing on the behavior and not the structure of the code, we aim to identify common functionality and actions that are inherent to different types of malicious code, and use them for the development of new malicious code detection heuristics.'
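The abstract's central argument is that a byte-pattern signature sees only the stored form of a payload, while emulation sees what the payload does once it has decoded itself. The following example is added here to make that concrete; it is not code from the MALCODE project. It defines a constructed toy instruction set (not x86), a tiny emulator for it, and an XOR "polymorphic" wrapper, and then shows that two differently keyed variants of the same program defeat a static byte signature but produce the same observable service-call trace under emulation, which a behavioural rule can match. All opcode names, the `encode` stub layout and the sample programs are assumptions made for this illustration.

```python
"""Toy demonstration of behaviour-based detection through emulation.

Added example, not code from the MALCODE project. The instruction set,
the "service call" idea and the sample programs are all constructed for
this illustration; they are not x86 and not real shellcode.
"""
from typing import List

# Opcodes of the constructed toy ISA (every instruction is fixed-width).
HALT    = 0x00  # HALT                      (1 byte)
MOV     = 0x10  # MOV  r, imm8              (3 bytes)
XORM    = 0x20  # XOR  [r_addr], r_key      (3 bytes) in-place memory decode
ADD     = 0x30  # ADD  r, imm8              (3 bytes)
DECJNZ  = 0x40  # DEC  r; JNZ rel8 (signed) (3 bytes)
SYSCALL = 0x50  # SYSCALL imm8              (2 bytes) the observable behaviour

MEM_SIZE = 256


def emulate(code: bytes, max_steps: int = 10_000) -> List[int]:
    """Run `code` in the toy VM and return the sequence of service ids it
    requests. Code lives in writable memory, so a decoder stub may rewrite
    the bytes that follow it before they execute."""
    mem = bytearray(MEM_SIZE)
    mem[:len(code)] = code
    regs = [0, 0, 0, 0]
    pc = 0
    trace: List[int] = []
    for _ in range(max_steps):
        if pc >= MEM_SIZE - 2:      # ran off the end of memory: treat as halt
            break
        op = mem[pc]
        if op == HALT:
            break
        if op == MOV:
            regs[mem[pc + 1] & 3] = mem[pc + 2]
            pc += 3
        elif op == XORM:
            addr = regs[mem[pc + 1] & 3]
            mem[addr] ^= regs[mem[pc + 2] & 3]
            pc += 3
        elif op == ADD:
            r = mem[pc + 1] & 3
            regs[r] = (regs[r] + mem[pc + 2]) & 0xFF
            pc += 3
        elif op == DECJNZ:
            r = mem[pc + 1] & 3
            rel = mem[pc + 2]
            rel = rel - 256 if rel >= 128 else rel
            regs[r] = (regs[r] - 1) & 0xFF
            pc += 3
            if regs[r] != 0:
                pc = (pc + rel) & 0xFF
        elif op == SYSCALL:
            trace.append(mem[pc + 1])
            pc += 2
        else:
            break                   # undefined opcode: stop emulation
    return trace


def encode(payload: bytes, key: int) -> bytes:
    """Wrap `payload` in an XOR decoder stub, the way a polymorphic engine
    would, so the stored bytes differ with every key while the behaviour
    after decoding stays identical."""
    assert 1 <= key <= 0xFF
    start = 18                      # the stub is 18 bytes; payload follows it
    stub = bytes([
        MOV, 0, start,              # r0 = address of first encoded byte
        MOV, 1, key,                # r1 = key
        MOV, 2, len(payload),       # r2 = remaining byte count
        XORM, 0, 1,                 # loop: mem[r0] ^= r1
        ADD, 0, 1,                  #       r0 += 1
        DECJNZ, 2, 0xF7,            #       if --r2 != 0 goto loop (rel -9)
    ])
    return stub + bytes(b ^ key for b in payload)


def signature_match(code: bytes, signature: bytes) -> bool:
    """Static byte-pattern check, as a conventional signature scanner does."""
    return signature in code


def behaviour_match(trace: List[int], required: List[int]) -> bool:
    """True if `required` occurs as an in-order subsequence of the trace."""
    it = iter(trace)
    return all(any(x == r for x in it) for r in required)


# Constructed sample: a payload that requests service 1 and then service 2.
PLAIN_PAYLOAD = bytes([SYSCALL, 1, SYSCALL, 2, HALT])
BEHAVIOUR_RULE = [1, 2]             # behavioural heuristic: service 1 then 2

if __name__ == "__main__":
    for key in (0x5A, 0xC3):
        variant = encode(PLAIN_PAYLOAD, key)
        print(f"key={key:#04x} bytes={variant.hex()}")
        print("  static signature :", signature_match(variant, PLAIN_PAYLOAD))
        print("  emulated trace   :", emulate(variant))
        print("  behaviour rule   :", behaviour_match(emulate(variant), BEHAVIOUR_RULE))
```

Running the script prints two byte strings that share no common payload bytes, a `False` from the static signature for each, and the identical trace `[1, 2]` from the emulator for both. The `max_steps` bound is the caveat a real emulator-based detector also needs: self-decoding code may loop indefinitely, so the analysis must stop after a budget rather than wait for a halt.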
There are more computer threats than viruses alone. An EU project helped to protect against one kind, neutralising disguised attacks and compromised documents other systems could miss.
Computer viruses and other malicious software are well known. Attacks that exploit memory corruption vulnerabilities are less famous, but arguably even more dangerous as they can give unrestricted system access.
Looking to offer protection was the EU-funded 'Malicious code detection using emulation' (MALCODE) project. Organised under the Marie Curie programme for researcher development, the single-member study ran for three years to the end of June 2013. The aim was to design, develop and evaluate new algorithms for detecting malicious code, based on code emulation.
Malware can hide or disguise itself; hence, an advantage of the project's technique is that it detects malicious code by its actions at the machine-instruction level. By examining those actions, the project aimed to establish new principles for detection.
The project successfully achieved its aims. Outcomes included two new methods for detecting, respectively, network-level attacks and malicious PDF documents. The first is a shellcode detection technique that identifies machine-level operations common to different types of shellcode; in effect, it enables detection that other systems could miss. The second, called MDScan, is a document scanner able to detect hidden threats embedded in PDF files.
The second half of the study produced two techniques for detecting and preventing attacks based on return-oriented programming (ROP). The detection method finds hidden ROP payloads in data sources such as network traffic or process memory, and protection is provided through in-place code randomisation. As a result, the defence can be applied to third-party software without slowing its execution.
Work also contributed to other fields, including network-level traffic monitoring and analysis, and the use of graphics processors to accelerate the processing of network traffic. Additionally, the research advanced work on online privacy and investigated the Android operating system environment.
MALCODE achieved significant advances in detection of and protection against malicious code threats. As a result, computer and data systems will be more secure.