COLLOQUIUM
Department of Computer Science and Engineering and Advanced Solutions Group
University of South Carolina

Detecting Malicious Software by the Presence of the Gene of Self-Replication

Victor A. Skormin
Department of Electrical Engineering, Binghamton University

Date: Tuesday, September 28, 2004
Time: 1:00-2:30
Place: Swearingen 1A03 (Faculty Lounge)

Abstract

Most information attacks are perpetrated by deploying computer viruses and worms. Malicious code spreads by self-replicating across the Internet, producing computer epidemics. Since most legitimate code does not self-replicate, the task of detecting malicious code can be reduced to detecting the “various mutations of the gene of self-replication” in the code in question. Because the number of ways to achieve self-replication is quite limited, developers of new malicious software are bound to reuse the same self-replication techniques again and again, so this approach has the potential to detect new, previously unknown viruses and worms. A code analyzer that performs syntactic analysis (parsing) of source code has been developed and successfully tested on open-source malicious and legitimate software written in VBScript. This approach is ineffective, however, when applied to executable and encrypted executable code. Since self-replication requires kernel-mode operations, monitoring system calls presents the most realistic opportunity to detect self-replication activity while the code executes. A system call monitor capable of simultaneously and independently monitoring up to 100 processes has been developed. Self-replication “signatures” have been formulated in terms of system calls and their attributes. A run-time program analyzer that detects these signatures even when their elements are dispersed within long sequences of system calls is under development. Its application may or may not prevent the delivery of a destructive payload to a particular computer, but it would prevent computer epidemics by terminating suspicious processes. This research is funded by the AFOSR.

Victor A. Skormin is a Professor of Electrical Engineering at the Watson School of Engineering, Binghamton University (SUNY). He holds an M.S. (1968) from Kazakh National Technical University, Kazakhstan, and a Ph.D. (1975) from the Moscow Institute of Steel and Alloys, Russia. His research areas include modern control theory and applications (motion control, pointing-acquisition-tracking systems in laser communication, novel robotics-based gimbal systems, high-performance hybrid laser positioning systems), technical diagnostics (system diagnostics for power generators and avionics), mathematical modeling and system optimization, information security (a biological approach to system information security, detection of the “gene of self-replication” in malicious code, immunocomputing), and biometrics (effects of intoxicants and fatigue on speech). His current research is funded by NSF, NASA, and the Air Force. Dr. Skormin is a recipient of the IEEE Region I Award “For Leadership in Establishing University-Industry Links in Research and Education”, the University Award for Graduate Teaching from Binghamton University, the SUNY Chancellor’s Award for Excellence in Teaching, the SUNY Chancellor’s Award for Excellence in Scholarship and Creative Activities, and the 2004 Book of the Year Award for his book on IMMUNOCOMPUTING from the International Institute for Advanced Studies in Systems Research and Cybernetics (IIAS). He is a Senior Member of the IEEE and served as the Editor for Space Systems of the IEEE Transactions on Aerospace and Electronic Systems. From 1999 to 2000 Dr. Skormin was the National Research Council’s appointed Senior Researcher with the Air Force. In 1999 Dr. Skormin was awarded the title of Honorary Professor of the Kazakh National Technical University, Almaty, Kazakhstan. In 2000 he was elected an International Member of the Russian Academy of Navigation and Control. He is a Member of the Cyber Security Task Force of SUNY-Central. He has authored three books and many journal papers.
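The abstract describes self-replication “signatures” expressed over system calls and their attributes, detected at run time even when the signature's elements are scattered among unrelated calls, with each process tracked independently. As an added illustration (not code from the colloquium, the speaker, or the monitor described above), the following Python sketch implements one such signature, a process reading its own executable image and then writing those bytes to a different file or to a socket, over a constructed, simplified syscall trace. The syscall names, argument keys, buffer labels and sample paths are assumptions made for the example; a real monitor would hook the kernel interface and key the taint on user buffer addresses.

```python
"""Toy run-time monitor for one self-replication "signature" expressed over
system calls and their attributes. Added example, not the colloquium's
analyzer. Syscall names, argument keys and buffer labels are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Syscall:
    pid: int
    name: str
    args: dict


@dataclass
class ProcState:
    image: str                                          # path the process was exec'd from
    self_fds: Set[int] = field(default_factory=set)      # fds open on its own image
    out_fds: Set[int] = field(default_factory=set)       # fds that can carry bytes out
    dests: Dict[int, str] = field(default_factory=dict)  # fd -> target path or peer
    tainted: Set[str] = field(default_factory=set)       # buffer labels filled from own image


WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}


class ReplicationDetector:
    """Tracks every process independently; an event only touches its own state."""

    def __init__(self) -> None:
        self.procs: Dict[int, ProcState] = {}

    def feed(self, ev: Syscall) -> Optional[Tuple[int, str]]:
        """Consume one syscall; return (pid, destination) when the signature completes."""
        a = ev.args
        if ev.name == "execve":
            self.procs[ev.pid] = ProcState(image=a["path"])
            return None
        st = self.procs.get(ev.pid)
        if st is None:                        # process not observed from exec; ignore
            return None
        if ev.name == "open":
            fd = a["ret"]
            if a["path"] == st.image:         # element 1: open its own image
                st.self_fds.add(fd)
            elif a["flags"] in WRITE_FLAGS:   # a possible output channel
                st.out_fds.add(fd)
                st.dests[fd] = a["path"]
        elif ev.name == "socket":
            st.out_fds.add(a["ret"])
            st.dests[a["ret"]] = "socket"
        elif ev.name == "connect":
            st.dests[a["fd"]] = a["addr"]
        elif ev.name == "read":
            if a["fd"] in st.self_fds:        # element 2: own image bytes now in buf
                st.tainted.add(a["buf"])
        elif ev.name in ("write", "send"):
            # element 3: those bytes leave through an output channel
            if a["fd"] in st.out_fds and a["buf"] in st.tainted:
                return (ev.pid, st.dests.get(a["fd"], "?"))
        elif ev.name == "close":              # fd numbers get reused: drop stale state
            st.self_fds.discard(a["fd"])
            st.out_fds.discard(a["fd"])
            st.dests.pop(a["fd"], None)
        return None


def scan(trace: List[Syscall]) -> List[Tuple[int, str]]:
    """Run the detector over a whole trace and collect completed signatures."""
    det = ReplicationDetector()
    hits = []
    for ev in trace:
        hit = det.feed(ev)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed trace: three processes interleaved, same fd numbers reused across pids.
TRACE = [
    Syscall(100, "execve",  {"path": "/tmp/updater.exe"}),      # worm-like process
    Syscall(200, "execve",  {"path": "/bin/cp"}),               # legitimate file copy
    Syscall(100, "open",    {"path": "/tmp/updater.exe", "flags": "O_RDONLY", "ret": 3}),
    Syscall(200, "open",    {"path": "/home/u/doc.txt", "flags": "O_RDONLY", "ret": 3}),
    Syscall(100, "getpid",  {}),                                # noise between elements
    Syscall(100, "read",    {"fd": 3, "buf": "b1", "n": 65536}),
    Syscall(200, "read",    {"fd": 3, "buf": "b2", "n": 4096}),
    Syscall(100, "socket",  {"ret": 4}),
    Syscall(200, "open",    {"path": "/mnt/backup/doc.txt", "flags": "O_WRONLY", "ret": 4}),
    Syscall(100, "connect", {"fd": 4, "addr": "10.0.0.7:445"}),
    Syscall(200, "write",   {"fd": 4, "buf": "b2", "n": 4096}),  # not its own image: no hit
    Syscall(100, "open",    {"path": "/etc/hosts", "flags": "O_RDONLY", "ret": 5}),
    Syscall(100, "send",    {"fd": 4, "buf": "b1", "n": 65536}), # own image over the net: hit
    Syscall(300, "execve",  {"path": "/usr/bin/agent"}),        # self-checksumming binary
    Syscall(300, "open",    {"path": "/usr/bin/agent", "flags": "O_RDONLY", "ret": 3}),
    Syscall(300, "read",    {"fd": 3, "buf": "b3", "n": 65536}),
    Syscall(300, "open",    {"path": "/var/log/agent.log", "flags": "O_WRONLY", "ret": 4}),
    Syscall(300, "write",   {"fd": 4, "buf": "b4", "n": 32}),    # reads itself, writes a log: no hit
]

if __name__ == "__main__":
    for pid, dest in scan(TRACE):
        print(f"self-replication signature completed by pid {pid} -> {dest}")
```

Two caveats a practitioner would attach. The taint here is a label on a buffer; real self-replicating code can launder the bytes through memory copies, compression or encryption before they reach the output call, and covering those variants is exactly the “mutations” problem the abstract raises. The other direction also matters: installers, self-updaters and some packers legitimately read and write their own image, so a signature hit should feed a termination decision only together with other evidence (destination, repetition across hosts) rather than on its own.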