Malware Detection Using Dynamic Analysis

In this research, we explore the field of dynamic analysis which has shown promis- ing results in the field of malware detection. Here, we extract dynamic software birth- marks during malware execution and apply machine learning based detection tech- niques to the resulting feature set. Specifically, we consider Hidden Markov Models and Profile Hidden Markov Models. To determine the effectiveness of this dynamic analysis approach, we compare our detection results to the results obtained by using static analysis. We show that in some cases, significantly stronger results can be obtained using our dynamic approach

Recoverable prevalence in growing scale-free networks and the effective immunization

We study the persistent recoverable prevalence and the extinction of computer viruses via e-mails on a growing scale-free network with new users, which structure is estimated form real data. The typical phenomenon is simulated in a realistic model with the probabilistic execution and detection of viruses. Moreover, the conditions of extinction by random and targeted immunizations for hubs are derived through bifurcation analysis for simpler models by using a mean-field approximation without the connectivity correlations. We can qualitatively understand the mechanisms of the spread in linearly growing scale-free networks.Comment: 9 pages, 9 figures, 1 table. Update version after helpful referee comment

Does the Red Queen reign in the kingdom of digital organisms?

In competition experiments between two RNA viruses of equal or almost equal fitness, often both strains gain in fitness before one eventually excludes the other. This observation has been linked to the Red Queen effect, which describes a situation in which organisms have to constantly adapt just to keep their status quo. I carried out experiments with digital organisms (self-replicating computer programs) in order to clarify how the competing strains' location in fitness space influences the Red-Queen effect. I found that gains in fitness during competition were prevalent for organisms that were taken from the base of a fitness peak, but absent or rare for organisms that were taken from the top of a peak or from a considerable distance away from the nearest peak. In the latter two cases, either neutral drift and loss of the fittest mutants or the waiting time to the first beneficial mutation were more important factors. Moreover, I found that the Red-Queen dynamic in general led to faster exclusion than the other two mechanisms.Comment: 10 pages, 5 eps figure

Metamorphic Code Generation from LLVM IR Bytecode

Metamorphic software changes its internal structure across generations with its functionality remaining unchanged. Metamorphism has been employed by malware writers as a means of evading signature detection and other advanced detection strate- gies. However, code morphing also has potential security benefits, since it increases the “genetic diversity” of software. In this research, we have created a metamorphic code generator within the LLVM compiler framework. LLVM is a three-phase compiler that supports multiple source languages and target architectures. It uses a common intermediate representation (IR) bytecode in its optimizer. Consequently, any supported high-level programming language can be transformed to this IR bytecode as part of the LLVM compila- tion process. Our metamorphic generator functions at the IR bytecode level, which provides many advantages over previously developed metamorphic generators. The morphing techniques that we employ include dead code insertion—where the dead code is actually executed within the morphed code—and subroutine permutation. We have tested the effectiveness of our code morphing using hidden Markov model analysis

Distributed interaction between computer virus and patch: A modeling study

The decentralized patch distribution mechanism holds significant promise as an alternative to its centralized counterpart. For the purpose of accurately evaluating the performance of the decentralized patch distribution mechanism and based on the exact SIPS model that accurately captures the average dynamics of the interaction between viruses and patches, a new virus-patch interacting model, which is known as the generic SIPS model, is proposed. This model subsumes the linear SIPS model. The dynamics of the generic SIPS model is studied comprehensively. In particular, a set of criteria for the final extinction or/and long-term survival of viruses or/and patches are presented. Some conditions for the linear SIPS model to accurately capture the average dynamics of the virus-patch interaction are empirically found. As a consequence, the linear SIPS model can be adopted as a standard model for assessing the performance of the distributed patch distribution mechanism, provided the proper conditions are satisfied

Mathematical modeling of tumor therapy with oncolytic viruses: Effects of parametric heterogeneity on cell dynamics

One of the mechanisms that ensure cancer robustness is tumor heterogeneity, and its effects on tumor cells dynamics have to be taken into account when studying cancer progression. There is no unifying theoretical framework in mathematical modeling of carcinogenesis that would account for parametric heterogeneity. Here we formulate a modeling approach that naturally takes stock of inherent cancer cell heterogeneity and illustrate it with a model of interaction between a tumor and an oncolytic virus. We show that several phenomena that are absent in homogeneous models, such as cancer recurrence, tumor dormancy, an others, appear in heterogeneous setting. We also demonstrate that, within the applied modeling framework, to overcome the adverse effect of tumor cell heterogeneity on cancer progression, a heterogeneous population of an oncolytic virus must be used. Heterogeneity in parameters of the model, such as tumor cell susceptibility to virus infection and virus replication rate, can lead to complex, time-dependent behaviors of the tumor. Thus, irregular, quasi-chaotic behavior of the tumor-virus system can be caused not only by random perturbations but also by the heterogeneity of the tumor and the virus. The modeling approach described here reveals the importance of tumor cell and virus heterogeneity for the outcome of cancer therapy. It should be straightforward to apply these techniques to mathematical modeling of other types of anticancer therapy.Comment: 45 pages, 6 figures; submitted to Biology Direc