TWC: Small: Understanding Anti-Analysis Defenses in Malicious Code

Project Details

Lead PI:
Performance Period: Sep 01, 2015 - Aug 31, 2018
University of Arizona
Award Number:
The problem of cyber-security encompasses computer systems of all sizes and affects almost all aspects of our day-to-day lives. This makes it fundamentally important to detect cyber-threats accurately and respond to them quickly as they develop. This project aims to develop techniques and tools that accelerate the process of understanding and responding to new cyber-threats. The authors of malicious software (malware) usually try to make the malware stealthy in order to avoid detection. In many cases this involves a variety of techniques aimed at hindering analysis by security analysts; we refer to such techniques as anti-analysis defenses. When confronted by such defenses, security analysts have to identify and disable them in order to observe and understand the malware's real behaviors and thereby develop countermeasures. Current approaches for doing this are slow and cumbersome. This project aims to develop highly general, efficient, and robust automated techniques for speeding up the identification and understanding of anti-analysis defenses in malware, with the goal of providing security analysts with tools that help them respond quickly to new cyber-threats as they develop.

Malicious software (malware) usually employs a variety of anti-analysis and anti-tampering defenses to hinder analysis and reverse engineering. Currently, neutralizing such defenses requires a lot of manual intervention and is therefore tedious and time-consuming. This project develops semantics-based techniques to automate most or all of this effort and so accelerate the process of identifying and neutralizing such defenses. The project focuses on analyzing programs that employ such defenses, and in particular on the following research questions:

  • Detection. How do characterizations of environmental observations translate to detection algorithms for anti-analysis defenses? How can the detection algorithms be made general?
  • Precision. What factors affect the precision of such detection algorithms? How can the precision be improved?
  • Performance. Sophisticated analysis of low-level code can be expensive. At the same time, the high volumes of new malware that are encountered make it important for analyses to be efficient. How can such detection algorithms be made efficient enough to be practical?
  • Stealthy Defenses. How can environment checks be made statically and dynamically stealthy? What are the implications for anti-analysis detection algorithms?
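To make concrete what an anti-analysis defense based on an environmental observation looks like, and what "statically stealthy" and "dynamically stealthy" mean in practice, here is an added example written for this page. It is not code from the project and does not represent the project's detection techniques. It shows a Linux program that reads the TracerPid field of /proc/self/status in an overt form (field name as a string literal) and a statically stealthier form (field name decoded at run time), plus a timing check that names no debugger API at all; the sample status texts, the 0x5A mask, the 50 ms threshold and the `select_behaviour` stand-in for the malware's real behavior are all constructed for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for clock_gettime / CLOCK_MONOTONIC */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed sample /proc/<pid>/status texts (not captured from a real system):
   one with no tracer attached, one where a debugger (PID 4242) is tracing. */
static const char SAMPLE_STATUS_CLEAN[] =
    "Name:\tsample\nState:\tR (running)\nTracerPid:\t0\nUid:\t1000\n";
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\tsample\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t1000\n";

/* Numeric value of the given "Field:" line in a status text; -1 if absent. */
long find_status_value(const char *status_text, const char *field)
{
    const char *p = strstr(status_text, field);
    if (p == NULL)
        return -1;
    return strtol(p + strlen(field), NULL, 10); /* strtol skips the tab */
}

/* Overt environment check: the field name is a string literal, so a static
   scan of the binary for "TracerPid" finds the check immediately. */
int overt_debugger_check(const char *status_text)
{
    return find_status_value(status_text, "TracerPid:") > 0;
}

/* Rebuild "TracerPid:" at run time from XOR-masked bytes (mask 0x5A is an
   arbitrary choice) so the literal never sits in the binary: one simple way a
   check is made statically stealthy. Caveat: an optimizing compiler may fold
   this back into a literal; real samples decode data the compiler cannot see. */
void decode_field_name(char *out, size_t out_len)
{
    static const unsigned char masked[] = {
        'T' ^ 0x5A, 'r' ^ 0x5A, 'a' ^ 0x5A, 'c' ^ 0x5A, 'e' ^ 0x5A,
        'r' ^ 0x5A, 'P' ^ 0x5A, 'i' ^ 0x5A, 'd' ^ 0x5A, ':' ^ 0x5A
    };
    size_t n = sizeof masked;
    if (out_len == 0)
        return;
    if (n + 1 > out_len)
        n = out_len - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(masked[i] ^ 0x5A);
    out[n] = '\0';
}

/* Same observation as the overt check, with the field name decoded before use. */
int stealthy_debugger_check(const char *status_text)
{
    char field[16];
    decode_field_name(field, sizeof field);
    return find_status_value(status_text, field) > 0;
}

/* Self-check used by the tests: the decoded name must equal the literal. */
int decoded_name_is_correct(void)
{
    char field[16];
    decode_field_name(field, sizeof field);
    return strcmp(field, "TracerPid:") == 0;
}

/* Timing check: a loop that should take microseconds. Single-stepping or a
   breakpoint inside it pushes the elapsed time past threshold_ns. It opens no
   file and calls no debugger API, so a dynamic trace shows only clock reads;
   that is its stealth. The threshold is environment-dependent. */
int timing_check(long long threshold_ns)
{
    struct timespec t0, t1;
    volatile unsigned long acc = 0;   /* volatile keeps the loop from being optimized away */
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (unsigned long i = 0; i < 1000; i++)
        acc += i * i;
    clock_gettime(CLOCK_MONOTONIC, &t1);
    long long elapsed = (long long)(t1.tv_sec - t0.tv_sec) * 1000000000LL
                      + (t1.tv_nsec - t0.tv_nsec);
    return elapsed > threshold_ns;
}

/* Live check against this process; returns 0 where /proc is unavailable. */
int analyzer_present(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return stealthy_debugger_check(buf) || timing_check(50000000LL); /* 50 ms */
}

/* The behavior an analyst wants to observe is reached only when no analyzer is seen. */
const char *select_behaviour(int analyzer_detected)
{
    return analyzer_detected ? "decoy: exit quietly" : "real payload path";
}

int main(void)
{
    printf("clean sample: overt=%d stealthy=%d\n",
           overt_debugger_check(SAMPLE_STATUS_CLEAN), stealthy_debugger_check(SAMPLE_STATUS_CLEAN));
    printf("traced sample: overt=%d stealthy=%d\n",
           overt_debugger_check(SAMPLE_STATUS_TRACED), stealthy_debugger_check(SAMPLE_STATUS_TRACED));
    printf("this process: %s\n", select_behaviour(analyzer_present()));
    return 0;
}
```

Run it natively and then under `gdb` or `strace`: the TracerPid checks flip when a tracer is attached, and the decoy path is what an analyst sees unless the check is located and disabled, which is the manual step the project's research questions are about automating. The two TracerPid checks make the same observation through the same system interface, which is why the project frames detection in terms of what is observed rather than how the code spells it.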

In order for such anti-anti-analysis techniques to have longevity, it is important that they be general, i.e., make as few assumptions as possible about the nature or form of the defenses that may have been applied. To this end, the project will explicitly articulate the assumptions underlying the techniques it develops. This can be expected to suggest new directions for research by indicating where assumptions may be weakened or removed. The potential contributions of this research are both technical and societal. The ability to neutralize anti-analysis defenses deployed by malware more easily will allow security researchers to respond to new and emerging malware threats quickly. This will limit the scope of the damage caused by such malware and improve the security and reliability of our cyber-infrastructure. Additionally, the project will involve graduate and undergraduate students in all aspects of the research and thereby contribute to the development of a highly skilled workforce. Finally, software developed as part of the project will be made available to the broader research community, thereby assisting and supporting other research projects in this area.