BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Extracting the Semantic Signature of Malware\, Metamorphic Viruses
  and Worms - RK Shyamasundar\; Tata Institute of Fundamental Research\, Mu
 mbai
DTSTART:20101008T130000Z
DTEND:20101008T140000Z
UID:TALK27094@talks.cam.ac.uk
CONTACT:Alan Mycroft
DESCRIPTION:[Shyam is visiting the CL until 14 October 2010.]\n\nMalware i
 s increasingly becoming a serious threat and a nuisance in the information
  and network age. Human experts extract a signature (usually a text patt
 ern) of the malware\, which involves complex analysis of encrypted and/or
 packed binaries\, and deploy it to protect against that malware.\n\nHowe
 ver\, this approach does not work for polymorphic and metamorphic malware
 \, which have the ability to change shape from attack to attack\; also\,
 metamorphic virus detection (even assuming fixed length) is NP-complete.
 To counter these advanced forms of malware we need semantic signatures
 which capture the essential behaviour of the malware (which remains
 unchanged across variants).\nIn this talk\, we present an algorithmic
 approach for extracting the semantic signature of a malware -- as a
 regular expression over API calls -- and demonstrate via experiments its
 efficacy in detecting and predicting malware variants. Our approach
 involves two steps. In the first step\, we collect and abstract the
 behaviour (as a sequence of security-relevant API/system calls) of the
 malware in different runs. In the second step\, we inductively learn
 (under the supervision of a human expert) a regular expression that
 tightly fits these behaviours (generalizing where necessary). This
 regular expression then acts as the semantic signature of the malware.
 We performed experiments with the metamorphic virus Etap/Simile\, and
 the email worms Beagle\, Netsky and MyDoom.\n\nExperimental results give
 us good confidence that our approach can be effectively used for malware
 detection.
LOCATION:FW11\, Computer Laboratory
END:VEVENT
END:VCALENDAR
