UCLA Technology Available For Licensing
BACKGROUND: Polymorphic malware relies on randomization, hiding, decoys, and other modifications to evade identification. One known technique for identifying polymorphic malware emulates a computer environment so that the malware reveals its behavior; however, current malware can thwart emulation in a number of ways. Other known identification approaches include preprocessing schemes, detection of NOP sleds, Bayesian spam-style filtering, and automated structural attribute characterization. These techniques can be easily circumvented, can fail to distinguish safe programs from malware, or can require significant computation time and manual characterization.
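As an added illustration of why the NOP-sled detection mentioned above is both easy to circumvent and prone to false positives (this is example code written for this page, not part of the UCLA disclosure or its method), the block below contrasts a detector that looks for runs of literal 0x90 bytes with a polymorphic sled built from other single-byte x86 instructions that are equally safe to slide through. The instruction set, the run-length threshold of 32, and the sample inputs are assumptions for the demonstration; decoding is assumed to be 32-bit x86, where 0x40 to 0x4F are inc/dec (in 64-bit mode they are REX prefixes).

```python
"""Added example: a naive NOP-sled detector, a polymorphic sled that evades it,
and a widened detector that catches the sled but also flags benign data.
Assumes 32-bit x86 decoding; not part of the UCLA disclosure."""
import random

# Single-byte x86 (32-bit mode) instructions that neither touch memory nor
# alter control flow, so execution can land anywhere in a run of them and
# still reach the payload (the classic ADMmutate-style sled idea).  The set
# below is illustrative, not exhaustive.
ONE_BYTE_NOP_EQUIVALENTS = frozenset(
    [0x90]                              # nop
    + list(range(0x40, 0x50))           # inc/dec r32 (0x41..0x4F are ASCII 'A'..'O')
    + list(range(0x91, 0x98))           # xchg eax, r32
    + [0x98, 0x99]                      # cwde, cdq
    + [0xF5, 0xF8, 0xF9, 0xFC, 0xFD]    # cmc, clc, stc, cld, std
)

NAIVE_THRESHOLD = 32  # run length treated as a sled (assumed value for the demo)


def longest_run(data: bytes, alphabet) -> int:
    """Length of the longest contiguous run of bytes drawn from `alphabet`."""
    best = run = 0
    for b in data:
        run = run + 1 if b in alphabet else 0
        best = max(best, run)
    return best


def naive_nop_detector(data: bytes, threshold: int = NAIVE_THRESHOLD) -> bool:
    """Flags only literal 0x90 runs: the scheme the background text calls easy to thwart."""
    return longest_run(data, {0x90}) >= threshold


def alphabet_nop_detector(data: bytes, threshold: int = NAIVE_THRESHOLD) -> bool:
    """Widened detector: flags a run of any sled-safe single-byte instruction."""
    return longest_run(data, ONE_BYTE_NOP_EQUIVALENTS) >= threshold


def make_polymorphic_sled(length: int, seed: int = 0) -> bytes:
    """Constructed sample sled of `length` random sled-safe bytes (no real payload)."""
    rng = random.Random(seed)
    choices = sorted(ONE_BYTE_NOP_EQUIVALENTS)
    return bytes(rng.choice(choices) for _ in range(length))


def evaluate() -> dict:
    """Run both detectors over constructed inputs and return the verdicts."""
    classic = b"\x90" * 64                     # textbook sled
    poly = make_polymorphic_sled(64, seed=7)   # randomized equivalent
    benign = b"A" * 40                         # e.g. padding in a text field (0x41 = inc ecx)
    return {
        "naive_on_classic": naive_nop_detector(classic),       # True
        "naive_on_poly": naive_nop_detector(poly),             # False: circumvented
        "alphabet_on_poly": alphabet_nop_detector(poly),       # True
        "alphabet_on_benign": alphabet_nop_detector(benign),   # True: false positive on safe data
        "naive_on_benign": naive_nop_detector(benign),         # False
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:20s} {verdict}")
```

The two failure modes the background text names show up directly: the literal-0x90 detector misses the randomized sled, and widening the alphabet to catch it makes a run of ordinary uppercase ASCII look like an exploit, so the signature either loses the malware or loses the ability to separate it from safe data.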
INNOVATION: The novel method identifies polymorphic forms of malware including viruses, worms, backdoors, and Trojan horses, as well as hybrid combinations. It learns to classify malware automatically, and classification is fast because it rests on statistical dataflow analysis. Classifications are shared across a secure peer-to-peer network, so that effectiveness, robustness, and reliability improve globally as more peers contribute.
POTENTIAL APPLICATIONS
ADVANTAGES
DEVELOPMENT-TO-DATE: The novel method has been experimentally tested and verified against synthesized polymorphic malware as well as polymorphic malware found in the wild.
Reference: UCLA Case No. 2006-132; US Patent Application: 11/537,443
availability, please contact the following UCLA office:
Copyright © 2006 The Regents of the University of California.