MalwareDef– Recognition through description

Defining formal descriptions of potentially malicious actions to allow developing proactive defensive measures

New dangers…

Recognizing and combating malware is essential for cybersecurity and the protection of IT-Infrastructure. Currently used defensive measures against malware such as anti-virus programmes and intrusion detection systems predominantly work signature based and are therefore only capable of successfully dealing with known malware. The use of poly- and metamorph techniques creates new versions of a malware that have different signatures but functionally act the same, which creates a problem for anti-virus software. 

... and new defenses

The goal of the project was to develop formal high-level definitions of potentially malicious actions independently of already encountered malware. With the help of these definitions, an arsenal of proactive defensive measures was developed to recognize and analyse an attack as fast as possible and initiate defensive measures to counter novel forms of known malware as well as new threats. 

Formal descriptions to recognize malware 

Different methods of descriptions were assessed for their suitability for this purpose. As a starting point, behaviour based analysis of encountered malware and typical attack vectors were investigated. Central results are a database of formal definitions of malware actions and a prototype that examines unknown or suspicious code samples to see whether they correspond to a definition. 



Tavolato, P. (2015, November 5). MalwareDef - Malware (Schadsoftware) Erkennung. 5. KIRAS Fachtagung, Wien.
Dornhackl, H., Kadletz, K., Luh, R., & Tavolato, P. (2014). Malicious Behavior Patterns. CyberPatterns 2014: 8th International Symposium on service-Oriented System Engineering.
Luh, R., & Tavolato, P. (2012). Behavior-Based Malware Recognition. 6. Forschungsforum Der Österreichischen Fachhochschulen - Tagungsband 1 Informationstechnologie Als Produktionsfaktor, 79–84.
External Staff
Konstantin Kadletz
Hermann Dornhackl
  • Ikarus Security Software GmbH
  • BMI
10/01/2012 – 09/30/2014
Involved Institutes, Groups and Centers
Institute of IT Security Research
Institute of Media Economics