The Semantic Detection of Viruses

Lead Participant: DRISQ LTD

Abstract

All pieces of self-replicating malware have a signature. However, malware can change form, so its signature differs even though it has the same destructive behaviour. This means that current techniques will always play catch-up with new forms of the same piece of self-replicating malware. By using formal methods to detect the semantics of self-replication, we have the opportunity to detect any self-replicating malware (even if it is unknown or metamorphic) and thus to remove it before any damage can be done. The approach is novel because current techniques detect the signature of malware and then remove it. We have undertaken foundation research to show that we can detect self-replicating behaviour in a sample of obfuscated binary for an ARM processor. Our objective in this project is to expand the applicability and examine scalability.

Lead Participant: DRISQ LTD
Project Cost: £88,380
Grant Offer: £53,028

Participant: INNOVATE UK
