Madison, Berkeley Team Develop Malware Modeling Tool
- By Paul McCloskey
- 06/08/07
A research team from the University of Wisconsin, Madison and the University of California, Berkeley have developed virus scanning software they describe as the "next generation in malware detection."
Instead of scanning for specific virus signatures, their Static Analyzer for Executables (SAFE) looks for suspicious behaviors typical of malware, such as reading an address book and sending e-mails.
Commercial scanners search programs for specific patterns, or signatures, which leaves an opening for virus programmers to disguise the virus. Each disguised variant then must be distributed and added to the virus scanners on a weekly or sometimes daily basis.
"Essentially, this is an arms race," said Somesh Jha, an associate professor of computer science at the University of Wisconsin, Madison, who, with graduate student Mihai Christodorescu, helped develop the program.
"I don't think the approaches currently being used by commercial companies are going to be sustainable," Jha told the Wisconsin Business Journal.
SAFE requires updates only when viruses exhibit new behavior. It is proactive, rather than reactive. The researchers began working on SAFE when they tested variations of four viruses on Norton and McAfee antivirus scanners and found that only the original variation of each virus was caught. SAFE caught all variations.
"[Attackers] are already becoming very sophisticated. They are using on-the-fly evasion techniques," Jha told WBJ. "As they use more sophisticated things to hide their malware, your detection has to become better and better."
Read More:
About the Author
Paul McCloskey is contributing editor of Syllabus.