Classifying Malicious Windows Executables Using Anomaly Based Detection
MS Defense

By: Ronak Sutaria
Advisor: Constantine Manikopoulos
Department of Electrical and Computer Engineering

Time: 11:30 AM, Wednesday, December 14th, 2005.
Place: Room 115, ECE Center, New Jersey Institute of Technology, Newark NJ.

Abstract

A malicious executable is broadly defined as any program or piece of code designed to cause damage to a system or the information it contains, or to prevent the system from being used in a normal manner.

A detection system is presented here which focuses on the Windows® platform. The detection technique is anomaly based and can therefore be used to classify new, previously unseen malicious executables. Current research trends and tools are reviewed in brief. Several file infection techniques were studied to understand which features of the executable binary are most likely to be used for malicious code propagation. A framework is presented for collecting data for both static (non-execution based) and dynamic (execution based) analysis of the malicious executable. Malicious code in the real world has also been found to be obfuscated and polymorphic (existing in many variant forms), which forces constant updates to signature based detection. Anomaly based classification techniques are presented here for the static analysis data. Experimental results show that accurate detection is possible using these techniques.
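The static side of the framework described in the abstract (collecting features from the executable binary and classifying them without running the code) can be illustrated with the following added example. It is not the thesis's code, feature set or classifier: it parses a PE32 header and section table, measures per-section entropy and a few indicators that file infectors tend to disturb (entry point redirected into an appended section, a writable and executable section, an overlay past the last section), and flags a file whose features stray from an assumed benign baseline. The baseline values, the thresholds, the two constructed sample images and the `build_pe`, `extract_features` and `anomaly_score` helpers are all assumptions made for this illustration.

```python
"""Static PE feature extraction with a simple anomaly score (added example for
this page; not the thesis's own code, feature set or classifier)."""
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
# Assumed benign baseline (mean, std); a real system estimates it from a clean corpus.
BASELINE = {
    "entry_entropy": (6.0, 0.5),   # bits/byte of the section holding the entry point
    "last_entropy": (4.5, 1.0),    # bits/byte of the last section
    "n_sections": (3.0, 1.0),
    "overlay_ratio": (0.0, 0.05),  # bytes after the last section / file size
}
Z_LIMIT = 3.0          # assumed: |z| above this counts as one anomaly indicator
ANOMALY_THRESHOLD = 2  # assumed: indicators needed to call a file anomalous

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for empty input, 8 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(blob: bytes) -> dict:
    """Return the entry-point RVA and section table of a PE32 image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20                                           # optional header
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        _name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({"vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "chars": chars, "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    return {"entry_rva": entry_rva, "sections": sections, "size": len(blob)}

def extract_features(blob: bytes) -> dict:
    pe = parse_pe(blob)
    secs, entry = pe["sections"], pe["entry_rva"]
    entry_idx = next((i for i, s in enumerate(secs)
                      if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    end_of_sections = max((s["rawptr"] + s["rawsize"] for s in secs), default=0)
    return {
        "entry_entropy": secs[entry_idx]["entropy"] if entry_idx is not None else 0.0,
        "last_entropy": secs[-1]["entropy"] if secs else 0.0,
        "n_sections": float(len(secs)),
        "overlay_ratio": max(0, pe["size"] - end_of_sections) / pe["size"],
        # Boolean indicators: entry point redirected into the last section (the
        # classic appending infector) and a section mapped writable and executable.
        "entry_in_last_section": entry_idx is not None and entry_idx == len(secs) - 1,
        "wx_section": any(s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE
                          for s in secs),
    }

def anomaly_score(features: dict) -> int:
    """Boolean indicators that fire plus numeric features that stray from baseline."""
    score = sum(1 for k in ("entry_in_last_section", "wx_section") if features[k])
    return score + sum(1 for k, (mean, std) in BASELINE.items()
                       if abs(features[k] - mean) / std > Z_LIMIT)

def classify(blob: bytes) -> str:
    return "anomalous" if anomaly_score(extract_features(blob)) >= ANOMALY_THRESHOLD else "normal"

def build_pe(sections, entry_rva: int, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 (headers plus raw sections, not loadable) for the demo."""
    n, opt_size = len(sections), 96
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table, body, rawptr = b"", b"", 64 + 4 + 20 + opt_size + 40 * n
    for i, (name, chars, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), len(data), rawptr, 0, 0, 0, 0, chars)
        body += data
        rawptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + body + overlay

# Constructed samples: code-like bytes over 64 symbols (entropy 6.0), data over 16 symbols
# (entropy 4.0) and a sha256 keystream standing in for a packed payload (entropy near 8.0).
CODE, DATA = bytes(range(64)) * 64, bytes(range(16)) * 256
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
X, R, W = IMAGE_SCN_MEM_EXECUTE, 0x40000000, IMAGE_SCN_MEM_WRITE
BENIGN = build_pe([(".text", X | R, CODE), (".data", R | W, DATA)], entry_rva=0x1010)
INFECTED = build_pe([(".text", X | R, CODE), (".data", R | W, DATA), (".xyz", X | R | W, PAYLOAD)],
                    entry_rva=0x3020)
```

Running `classify(BENIGN)` returns "normal" and `classify(INFECTED)` returns "anomalous": the appended writable-and-executable section, the redirected entry point and the high entropy of the new code all count against the second image. The quality of any such system lives in the baseline and the thresholds, which here are assumed constants; estimating them from a corpus of clean executables and then validating on unseen samples is the part the abstract's experimental results refer to, and the dynamic (execution based) side of the framework is not covered by this snippet.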

Committee Members:
Constantine Manikopoulos, Advisor, Associate Professor, ECE Dept., NJIT
Robert Statica, Program Administrator, IT Dept., NJIT
Jie Hu, Assistant Professor, ECE Dept., NJIT
Cristian Borcea, Assistant Professor, CS Dept., NJIT