Automatic In-depth Malware Analysis

Heng Yin
UC Berkeley/College of William & Mary
Abstract

Malicious software (i.e., malware) has been a severe threat to interconnected computer systems for decades, causing billions of dollars in damages each year. A large volume of new malware samples is discovered daily. Even worse, malware is rapidly evolving to become more sophisticated and evasive in order to defeat current malware analysis and defense systems. My research tackles the problem of automatic in-depth malware analysis, which aims to automatically analyze a piece of malware, identify its malicious behavior, and provide valuable insights into its attack mechanism. My first step was to build a new dynamic binary analysis platform, TEMU, to address the common challenges of malware analysis, including code obfuscation, pervasive and transient code presence, and fine-grained malicious behaviors. TEMU not only enables my research on malware analysis but also fosters research on other computer security problems. Then, on the basis of TEMU, I proposed a series of novel techniques, such as Panorama, Renovo, and HookFinder, for detecting and analyzing various aspects of malware. These techniques capture intrinsic characteristics of malware and are thus well suited to dealing with new malware samples and attack mechanisms.