Evolvable%20Malware

About This Presentation

Title:

Evolvable%20Malware

Description:

Malware, if considered to be alive, must possess the fundamental property of ALife evolution. ... To evolve the malware evolution in its true sense. ... – PowerPoint PPT presentation

Number of Views:51

Avg rating:3.0/5.0

Slides: 16

Provided by: Sha71

Learn more at: http://www.genetic-programming.org

Category:

more less

Transcript and Presenter's Notes

Title: Evolvable%20Malware

1
Evolvable Malware

Sadia Noreen, Sahafq Murtaza, M. Zubair Shafiq,
Muddassar Farooq
National University of Computer and Emerging
Sciences (FAST-NUCES)
Next Generation Intelligent Networks Research
Center (nexGIN RC)
Islamabad, 44000, Pakistan

2
Citations

Sadia Noreen, Shafaq Murtaza, M. Zubair
Shafiq, Muddassar Farooq.
1. Evolvable Malware. In Proceedings of the
Genetic and Evolutionary Computation
Conference(GECCO), ACM Press, 2009.
2. Using Formal Grammar and Genetic Operators to
Evolve Malware. In Recent Advances in Intrusion
Detection (RAID), Springer LNCS, 2009.

3
Relevance of Computer Malware to ALife

ALife Studies the logic of living systems in
artificial environment
Evolution Property of ALife
Malware, if considered to be alive, must possess
the fundamental property of ALife evolution.

4
Objectives

To provide an abstract representation that maps
all the features of malware Bagle
To evolve the malware evolution in its true
sense.
To test the evolved malware using anti-virus
software.

5
Finally Virus Created!!!
RATHER HUMAN WHOMPING!!!
6
Evolvable Malware Framework
7
Abstract Representation
Feature Description
Date The date checked by Bagle to (de)activate its process.
Application The application used to conceal Bagle
Port Number Port opened by Bagle to send or receive commands
Attachment Name of the attachment used by the Bagle
Websites Bagle contact the websites to inform about the infection
Domain Bagle ignores to email itself to the domains specified
Email Body Contains the email body of Bagle
Email Subject Specifies the subject of the email
Registry Variable Contains the name of the registry variable used by the Bagle
Virus Name Name of the Bagle shown in the task manager
File Extension File extensions to be searched in fixed directories
Process Terminated Process terminated by Bagle
Attachment Extension Specifies the extension of the attachment
P2P Propagation Names used by Bagle to copy itself to peer computers
8
Experimental Setup (2)

GA Parameters
Population Size500
Crossover Rate0.75
Mutation Rate0.005
of Generations500

9
Experimental Results
10
Criteria Satisfied
GECCO 2009 Anonymous Reviewer Comments

The paper is very interesting and well written
overall and definitely worth to
be published.
I found the paper quite interesting. Further
research is most welcomed.

D The result is publishable in its own right as
a new scientific result
independent of the fact that the result was
mechanically created.

11
Criteria Satisfied
Polymorphic Engine Metamorphic Engines
Our Engine
Virus Code
Virus Code
Virus Code
Genetic Operators
Encryption Routine
Virus Code . . . NOP
Decryption Routine
Virus Code

E The result is equal to or better than the most
recent human-created
solution to a long-standing problem for which
there has been a
succession of increasingly better human-created
solutions.

12
Criteria Satisfied
Result is better than the result that was
considered as an achievement so far

Polymorphic and metamorphic engines produce
viruses that belong to the same
class i.e. the evolved viruses are the variants
of the same class e.g. Bagle.a,
Bagle.b etc.
The viruses produced by our engine do not belong
to just one class i.e. the
evolved viruses may belong to the different
classes of malware e.g. Bagle class,
W32.Sality etc.

F The result is equal to or better than a result
that was considered an achievement in its field
at the time it was first discovered.
13
Criteria Satisfied
Reverse Engineering of a class of malware