Integration of static and dynamic analysis tools into a malware analysis pipeline
Malware is still a huge problem both for operators of information systems and for security companies. Every day, antivirus companies receive thousands of new samples through various malware feeds; these samples must be processed to keep their malware databases current and to produce updates for their antivirus products. The only way to keep this work scalable is to automate as much of the processing of the incoming feeds as possible.
This project is concerned with designing and developing new static and dynamic analysis tools to be integrated into an existing malware feed processing pipeline. The envisioned tools would be used to extract useful meta-information from incoming new samples, to decide whether a given sample needs in-depth dynamic analysis at all, and, if it does, to run those dynamic analysis jobs and obtain detailed behavioral information about the sample. The project also addresses the problem of processing packed samples by automating the unpacking process as far as possible. The tools need to be integrated into an existing feed processing pipeline, extending the functionality already present, and must produce their results in a form that the existing system of a partner company can store and use.
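To make the triage step concrete, the following is an added example (not code from the project or the partner company's pipeline) of a static pre-filter as described above: it extracts metadata (hash, size, section table, per-section entropy), looks for common packing indicators, and decides whether the sample should be queued for dynamic analysis. The packer section-name list, the entropy threshold and the two PE images are assumptions constructed for the example; the images are assembled in-line so the code runs offline and contain no real malware.

```python
"""Static triage stage for a malware feed (illustrative; constructed samples).

Extracts PE metadata, looks for packing indicators and decides whether a
sample should be queued for sandbox (dynamic) analysis."""
import hashlib
import math
import random
import struct

# Section names commonly left behind by packers. A starting list, not exhaustive.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".MPRESS1", ".MPRESS2", ".themida", ".vmp0", ".vmp1"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0   # assumed cut-off for "looks compressed/encrypted"; tune on labelled data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_sections(blob: bytes):
    """Return (entry_point_rva, sections) for a PE image; raise ValueError if malformed."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_point = struct.unpack_from("<I", blob, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i                     # IMAGE_SECTION_HEADER
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, hdr)
        chars = struct.unpack_from("<I", blob, hdr + 36)[0]
        raw = blob[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "chars": chars, "entropy": shannon_entropy(raw)})
    return entry_point, sections


def triage(blob: bytes) -> dict:
    """Metadata record for the pipeline plus the decision whether to sandbox the sample."""
    rec = {"sha256": hashlib.sha256(blob).hexdigest(), "size": len(blob),
           "sections": [], "indicators": []}
    try:
        ep, sections = parse_pe_sections(blob)
    except (ValueError, struct.error) as exc:
        # Nothing to vouch for statically: let the sandbox look at it.
        rec["indicators"].append(f"unparseable: {exc}")
        rec["needs_dynamic"] = True
        return rec
    rec["sections"] = sections
    ep_section = None
    for s in sections:
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            ep_section = s["name"]
        if s["name"] in PACKER_SECTION_NAMES:
            rec["indicators"].append(f"packer section {s['name']}")
        if s["rawsize"] and s["entropy"] >= ENTROPY_THRESHOLD:
            rec["indicators"].append(f"high entropy ({s['entropy']:.2f}) in {s['name']}")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            rec["indicators"].append(f"writable+executable section {s['name']}")
    if ep_section is None:
        rec["indicators"].append("entry point outside all sections")
    elif ep_section not in (".text", "CODE"):
        rec["indicators"].append(f"entry point in {ep_section}")
    rec["needs_dynamic"] = bool(rec["indicators"])
    return rec


def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32+ image from (name, vaddr, vsize, raw, chars) tuples (test input only)."""
    n = len(sections)
    size_opt = 240                                        # PE32+ optional header size
    headers = 0x40 + 4 + 20 + size_opt + 40 * n
    first_raw = (headers + 0x1FF) & ~0x1FF                # file alignment 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body, rawptr = b"", b"", first_raw
    for name, vaddr, vsize, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                             rawptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        rawptr += len(raw)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw, b"\0") + body


# Constructed samples: a plain executable and a UPX-style packed one (random bytes
# with a fixed seed stand in for the compressed payload).
_rng = random.Random(1)
CLEAN_SAMPLE = build_pe([
    (b".text", 0x1000, 0x200, b"\x55\x48\x89\xe5" * 100 + b"\xc3" * 112, IMAGE_SCN_MEM_EXECUTE | 0x20),
    (b".data", 0x2000, 0x200, b"hello\0" * 80, 0x40 | 0x40000000),
], entry_rva=0x1000)
PACKED_SAMPLE = build_pe([
    (b"UPX0", 0x1000, 0x8000, b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x80),
    (b"UPX1", 0x9000, 0x1000, bytes(_rng.getrandbits(8) for _ in range(4096)),
     IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40),
], entry_rva=0x9800)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        r = triage(blob)
        print(label, r["sha256"][:16], "needs_dynamic=", r["needs_dynamic"], r["indicators"])
```

The record returned by `triage` is the kind of meta-information the pipeline would store for every sample, while `needs_dynamic` is the gate in front of the (expensive) sandbox jobs. Note that an unparseable file is sent to the sandbox rather than dropped: a static stage that cannot explain a sample should never be the one to clear it.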
Tasks to be performed by the student include: reviewing the state of the art in static and dynamic program analysis; surveying the necessary technological background, including packer detection and sandbox environments; designing the new analysis tools; planning their integration into the existing malware feed processing infrastructure; implementing the tools and integrating them into the existing system; and testing, validating and demonstrating that the tools function as intended.