Abstract: In this talk, we will cover three malware detection techniques that employ concepts from information theory and biology to detect zero-day (previously unknown) attacks in real-time. The first technique deals with embedded malware, a recently dis-covered security flaw in which malcode is hidden inside benign files. To detect embedded malware, we first show that a byte sequence of benign files typically exhibits 1st order dependence, and therefore its conditional histogram, generally referred to as a 1-gram, is perturbed at embedded locations. We model these conditional 1-grams using Markov chains and use the en-tropy rate of these Markov chains to quantify anomalous perturbation points in infected files. We show that the entropy rate distribution of a benign sample set approaches Gaussianity. Consequently, simple thresholding on entropy rates can be used to detect zero-day embedded malcode with high accuracy.

The second malware detection technique that will be covered in this talk detects zero-day malicious executables using distin-guishing static file attributes. We model file attributes as discrete random variables and use a Kullback-Leibler based informa-tion divergence measure to quantify the differences between feature distributions of benign and malicious executables. Maxi-mum-likelihood of benign attributes’ distributions can then be used to accurately classify unknown files as benign or mali-cious in a low complexity manner.

The last malware detector that we will cover is network-based and biologically-inspired. Network-based anomaly detectors generally do not have the flexibility to incorporate new traffic features or to scale their complexity in accordance with their point-of-deployment. We will present a scalable, feature independent, and biologically-inspired framework called Anomaly Detection Artificial Immune System (ADAIS). ADAIS uses immunology algorithms to seamlessly incorporate multiple traf-fic features to detect zero-day attacks at different points in the network. Lastly, we will discuss some complexity-scalable traf-fic features and how they can be used in the ADAIS framework.

Short Bio: Dr. Syed Ali Khayam received his B.E. degree in Computer Systems Engineering from National University of Sciences and Technology (NUST), Pakistan, in 1999 and his M.S. and Ph.D. degrees in Electrical Engineering from Michigan State University in 2003 and 2006, respectively. In February 2007, he joined the NUST Institute of Information Technology (NIIT), National University of Sciences & Technology (NUST), Pakistan as an assistant professor. At NIIT, he directs the Wireless Networks (WisNet) Research Lab and co-directs the Information Security Research Group (ISRG). During his graduate stud-ies, he received the Pakistan Higher Education Commission Split Ph.D. Scholarship and the MSU Research Enhancement Award. His research interests include analysis and modeling of statistical phenomena in computer networks, network secu-rity, cross-layer design for wireless networks, and real-time multimedia communications.