The goal of the Application Characterization project was to develop a methodology for dynamically characterizing applications by observing their interaction with the system.  Traditional virus detectors rely on footprints of known viruses in order to detect them: they are reactive systems.  For a virus to be detected, it must already be known and included in a database.  The RE-Detector system operates on the same principle.  To detect viruses, spyware, adware, malware, and other types of clandestine functionality hidden in software more efficiently, a new approach is desired, and developing that new approach was the goal of the Application Characterization project.

Approach

In order to detect clandestine functionality, a profile of a “standard” application of a specific type is needed.  For this project, the profile of an application was created by monitoring the frequency of calls made to different functions within the Microsoft Windows operating system.  A profile was then created using the relative frequencies of the calls made to each individual function and to each category of function.  Averages were taken across applications of a certain type, such as text editors, to develop a profile of a typical text editor.  When a text editor with spyware embedded in it was compared against the profile, a Euclidean distance algorithm indicated significant deviation, indicative of clandestine functionality.
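As an added illustration (not the project's own code), the profiling and distance computation described above in Python: per-application relative call frequencies, averaged into a class profile, with Euclidean distance from that profile scored against the spread of the class itself. The call traces and the function-to-category mapping are constructed for the example.

```python
# Added example: class profile from Windows API call frequencies, deviation
# scored by Euclidean distance. Traces and the category map are constructed.
from collections import Counter
from math import sqrt

# Assumed category mapping for a handful of Win32 functions (illustrative).
CATEGORY = {
    "CreateFileW": "file", "ReadFile": "file", "WriteFile": "file",
    "RegOpenKeyExW": "registry", "RegSetValueExW": "registry",
    "send": "network", "connect": "network",
}

def relative_frequencies(trace):
    """Fraction of all calls in the trace going to each individual function."""
    counts = Counter(trace)
    total = sum(counts.values())
    return {fn: n / total for fn, n in counts.items()}

def category_frequencies(trace):
    """Fraction of all calls in the trace going to each function category."""
    counts = Counter(CATEGORY.get(fn, "other") for fn in trace)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()}

def build_profile(traces, featurize):
    """Average the per-application frequency vectors of one application class."""
    vectors = [featurize(t) for t in traces]
    keys = set().union(*vectors)
    return {k: sum(v.get(k, 0.0) for v in vectors) / len(vectors) for k in keys}

def euclidean_distance(a, b):
    keys = set(a) | set(b)
    return sqrt(sum((a.get(k, 0.0) - b.get(k, 0.0)) ** 2 for k in keys))

# Constructed traces: three plain "text editors" and one with spyware-like calls.
EDITOR_TRACES = [
    ["CreateFileW"] * 5 + ["ReadFile"] * 20 + ["WriteFile"] * 10 + ["RegOpenKeyExW"] * 2,
    ["CreateFileW"] * 4 + ["ReadFile"] * 25 + ["WriteFile"] * 8 + ["RegOpenKeyExW"] * 1,
    ["CreateFileW"] * 6 + ["ReadFile"] * 18 + ["WriteFile"] * 12 + ["RegOpenKeyExW"] * 3,
]
TAINTED_TRACE = EDITOR_TRACES[0] + ["connect"] * 10 + ["send"] * 30 + ["RegSetValueExW"] * 5

def deviation_score(trace, class_traces, featurize=category_frequencies):
    """Distance from the class profile, in units of the class's own maximum spread."""
    profile = build_profile(class_traces, featurize)
    spread = max(euclidean_distance(featurize(t), profile) for t in class_traces)
    return euclidean_distance(featurize(trace), profile) / spread
```

A score above 1.0 means the application sits farther from the profile than any member of the class used to build it; the threshold is a simple stand-in for whatever cutoff a deployment calibrates.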

Applications

The application characterization approach not only proved useful for detecting clandestine functionality, but also has applications in other fields, such as software testing and debugging.  Similar approaches can be used for testing network applications, and the current methods of characterization can be expanded to include additional metrics.

Personnel

Students

Ray Canzanese

Faculty

Spiros Mancoridis

Moshe Kam