Intrusion Detection Systems mailing list archives

Re: Malicious Behaviour Analysis


From: "Grace Reyes" <gracereyes () pacific net ph>
Date: Tue, 8 Jan 1980 14:44:28 +0800

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Dear Mr. Schultz,

Thank you for responding.

Can you describe what in particular you are interested in?

Actually, I am really glad that you have the research on malicious binaries,
which correlates with my research too, because my thesis deals with the
analysis of malicious behaviour (trojan horse) that would analyse and test
the program (i.e. an executable application, say "file.exe") against security
flaws. It is given as follows:

Phase 1:  Analysis for programs
    - This is going to be a tool that will analyze programs running
      in, say, a UNIX or WinNT environment.
    - The tool will test the program (file.exe) and enumerate what it
      would do (i.e. update, delete, copy, send mail, update registry,
      etc.).

Phase 2:  Analyze the Malicious Behaviour

    2.1 Analyze Trojan Horse (How to detect?)
        - This portion will have to analyze whether the program
          responded with normal or malicious behavior (say, the
          file.exe is 80% trojan horse).
        - Also, it would analyze whether the program has violated the
          documented specs, as far as the user's knowledge of the
          internal process versus the author's (vendor's) specification
          is concerned.

    2.2 Testing possible Virus (checking/probability)
        - This will test and analyze the program for a possible virus
          threat, for instance (the file.exe is 75% suspected virus).

    (INCORPORATE INTRUSION DETECTION IN ANALYSIS TOOL - for further work)
    2.3 Intrusion
        - Integrate this feature soon, but this is optional at the
          moment.


It would be great if you could send your technical links, references, and
algorithms on the above mentioned. Also, if you don't mind, I actually don't
know where to start on how to achieve the solution (algorithm/implementation)
for PHASE 2.1 TROJAN HORSE. I had a bit of an idea, but that's purely guessing;
if you could give me some help on this I would surely be thankful to you. I
guess thousands of compliments would not be enough.


Thank you and hope to hear from you soon.


Sincerely,


Grace Reyes



Note:

I'd like to thank you guys out there for possible comments, help, ideas,
criticism, etc. All very much welcome!
Hey -

I do research in malicious binaries, et al. We are more in the machine
learning aspect. I found that

http://www.av.ibm.com

is a great source for commercial stuff. It'll help you get started to
read their stuff. It's somewhat obfuscated b/c it's commercial, but you
can start to get a grip on it there.

There are a couple of things that I can link you to, but that's as good
a place to start as any. I am going to do some work today to
consolidate some links and I'll send them your way. Can you
describe what in particular you are interested in?

Thanks
M
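The second bullet of Phase 2.1 above (checking what a program was observed doing against what the vendor's documentation says it should do, and turning the gap into a figure such as "80% trojan horse") is the one step of the proposed tool that can be sketched directly in code. The block below is an added example by the editor of this archive page; it is not code from either poster or from their research. The trace-line format, the behaviour categories, the severity weights and the sample trace are all assumptions constructed for the illustration, and the trace itself is what Phase 1 (running the program under observation) would have to produce.

```python
"""Score an observed program trace against its documented specification.

Added example, not code from the mailing-list posters.  Every trace line
is assumed to look like  op(args)  (e.g. open("f", O_RDONLY)); the
operation names, categories and weights are assumptions for this example.
"""
import re

# Severity weight of each behaviour category when the vendor specification
# does NOT declare it.  Values are assumptions chosen for this example.
WEIGHTS = {
    "read_file": 1,
    "write_file": 2,
    "copy_file": 2,
    "network": 3,
    "delete_file": 3,
    "send_mail": 4,
    "update_registry": 4,
}

# Observed operation name -> behaviour category (assumed mapping).
OP_CATEGORY = {
    "read": "read_file",
    "write": "write_file",
    "CopyFile": "copy_file",
    "unlink": "delete_file",
    "DeleteFile": "delete_file",
    "RegSetValue": "update_registry",
}

TRACE_LINE = re.compile(r"^\s*(\w+)\((.*)\)\s*$")


def classify(line):
    """Return the behaviour category of one trace line, or None if unknown."""
    m = TRACE_LINE.match(line)
    if not m:
        return None
    op, args = m.group(1), m.group(2)
    if op == "open":
        # open() counts as a write only when opened with a write flag
        return "write_file" if re.search(r"O_WRONLY|O_RDWR", args) else "read_file"
    if op == "connect":
        # a connection to TCP port 25 is treated as an attempt to send mail
        return "send_mail" if re.search(r':25"?\s*$', args.strip()) else "network"
    return OP_CATEGORY.get(op)


def observed_behaviour(trace):
    """Set of behaviour categories seen anywhere in the trace."""
    return {c for c in (classify(line) for line in trace) if c}


def spec_violation_score(trace, declared):
    """Compare observed behaviour with the declared specification.

    Returns (score, undeclared): 'undeclared' is the set of observed
    categories the specification does not cover, and 'score' is the
    severity-weighted fraction of observed behaviour that is undeclared
    (0.0 = everything observed was documented, 1.0 = nothing was).
    """
    observed = observed_behaviour(trace)
    undeclared = observed - set(declared)
    total = sum(WEIGHTS.get(c, 1) for c in observed)
    if total == 0:
        return 0.0, set()
    bad = sum(WEIGHTS.get(c, 1) for c in undeclared)
    return bad / total, undeclared


# Constructed specification: the vendor documents this program as a plain
# text editor, so only reading and writing files are declared behaviour.
EDITOR_SPEC = {"read_file", "write_file"}

# Constructed trace of what the program was actually observed doing.
SAMPLE_TRACE = [
    'open("notes.txt", O_RDONLY)',
    'read(3, 4096)',
    'open("notes.txt", O_WRONLY)',
    'write(3, 128)',
    'RegSetValue("HKLM\\Software\\Example\\Settings", "editor.exe")',
    'connect("10.0.0.5:25")',
    'unlink("C:\\Temp\\report.doc")',
]

if __name__ == "__main__":
    score, undeclared = spec_violation_score(SAMPLE_TRACE, EDITOR_SPEC)
    print("undeclared behaviour:", sorted(undeclared))
    print(f"suspicion score: {score:.0%}")
```

For the constructed trace the undeclared behaviour is the registry update, the mail connection and the file deletion, and the weighted score works out to 11/14, i.e. about 79%. Two caveats worth keeping in mind for the thesis: the percentage is a heuristic ranking produced by the chosen weights, not a probability that the file is a trojan horse, and the whole check is only as good as the trace that feeds it, so a program that behaves differently when it notices it is being observed will score as clean.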