Defining formal descriptions of potentially malicious actions to allow developing proactive defensive measures
New dangers…
Recognizing and combating malware is essential for cybersecurity and the protection of IT infrastructure. The defensive measures currently used against malware, such as anti-virus programmes and intrusion detection systems, predominantly work signature-based and are therefore only capable of successfully dealing with known malware. Polymorphic and metamorphic techniques create new versions of a piece of malware that have different signatures but behave identically, which defeats signature-based anti-virus software.
... and new defenses
The goal of the project was to develop formal high-level definitions of potentially malicious actions, independent of any already encountered malware. With the help of these definitions, an arsenal of proactive defensive measures was developed to recognize and analyse an attack as fast as possible and to initiate countermeasures against novel forms of known malware as well as entirely new threats.
Formal descriptions to recognize malware
Different description methods were assessed for their suitability for this purpose. As a starting point, behaviour-based analysis of encountered malware and typical attack vectors were investigated. Central results are a database of formal definitions of malware actions and a prototype that examines unknown or suspicious code samples to see whether they correspond to a definition.
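The contrast between signature matching and matching against a behavioural definition, as an added illustration that is not the project's prototype or its definition database: a malicious action is modelled as an ordered sequence of abstract behaviours, an observed API-call trace is abstracted into that vocabulary, and the definition is checked as an ordered subsequence. The abstraction table, the two definitions, the sample byte strings and the call traces are all constructed for this example; the two "samples" differ in bytes (so the hash signature misses the variant) but produce the same abstract behaviour.

```python
"""Added illustration of behaviour-based matching against formal definitions of
malicious actions. Not the project's prototype or database; every rule, trace
and sample byte string below is constructed for this example."""
import hashlib


# Constructed vocabulary (assumption): raw API names are abstracted to the
# behaviour they realise, so differently coded variants collapse to the same
# abstract trace.
ABSTRACTION = {
    "NtReadFile": "read_file", "ReadFile": "read_file",
    "NtWriteFile": "write_file", "WriteFile": "write_file",
    "RegSetValueExW": "set_autostart", "RegSetValueExA": "set_autostart",
    "CreateServiceW": "set_autostart",
    "InternetOpenUrlA": "network_connect", "connect": "network_connect",
    "CreateProcessW": "create_process", "ShellExecuteW": "create_process",
}

# Constructed formal definitions: a malicious action is an ordered sequence of
# abstract behaviours that must all occur in this order (unrelated calls may
# occur in between).
DEFINITIONS = {
    "self_replicate_and_persist": ("read_file", "write_file", "set_autostart"),
    "download_and_execute": ("network_connect", "write_file", "create_process"),
}


def signature_hit(sample: bytes, signature_db: set[str]) -> bool:
    """Signature-based check: exact SHA-256 match against known samples."""
    return hashlib.sha256(sample).hexdigest() in signature_db


def abstract_trace(raw_calls: list[str]) -> list[str]:
    """Map an observed API-call sequence to abstract behaviours, dropping calls
    that carry no behavioural meaning for the definitions."""
    return [ABSTRACTION[c] for c in raw_calls if c in ABSTRACTION]


def matches_definition(behaviours: list[str], definition: tuple[str, ...]) -> bool:
    """True if `definition` occurs as an ordered subsequence of `behaviours`."""
    pos = 0
    for b in behaviours:
        if pos < len(definition) and b == definition[pos]:
            pos += 1
    return pos == len(definition)


def classify(raw_calls: list[str]) -> list[str]:
    """Names of all formal definitions the observed trace satisfies."""
    behaviours = abstract_trace(raw_calls)
    return [name for name, d in DEFINITIONS.items() if matches_definition(behaviours, d)]


# Constructed samples: v2 stands for a repacked variant with different bytes but
# the same observable behaviour as v1.
SAMPLE_V1 = b"MZ\x90\x00constructed-sample-body-v1"
SAMPLE_V2 = b"MZ\x90\x00constructed-sample-body-v2-repacked"
SIGNATURE_DB = {hashlib.sha256(SAMPLE_V1).hexdigest()}

# Constructed sandbox traces: v1 uses native Nt* calls, v2 the Win32 wrappers
# plus timing noise; a benign editor saving a file reads and writes but never
# sets an autostart entry.
TRACE_V1 = ["NtCreateFile", "NtReadFile", "GetTickCount", "NtWriteFile", "RegSetValueExW"]
TRACE_V2 = ["CreateFileW", "Sleep", "ReadFile", "Sleep", "WriteFile",
            "RegOpenKeyExW", "RegSetValueExA"]
TRACE_BENIGN = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"]

if __name__ == "__main__":
    for label, sample, trace in (("v1", SAMPLE_V1, TRACE_V1),
                                 ("v2", SAMPLE_V2, TRACE_V2),
                                 ("benign", b"", TRACE_BENIGN)):
        print(f"{label}: signature hit={signature_hit(sample, SIGNATURE_DB)}, "
              f"behaviour match={classify(trace)}")
```

The signature check recognizes only the first sample, while `classify` flags both variants and leaves the benign trace alone; the point of the abstraction layer is that a definition is written once in terms of behaviours and survives repacking or API substitution in the code.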
Publications
Hermann Dornhackl
- Ikarus Security Software GmbH
- BMLVS
- BMI