Description
Aims:
The module aims to provide students with specialist understanding of the issues and techniques in malware detection and classification; and broad understanding of the human, social, economic, and historical context in which malware occurs.
Intended learning outcomes:
On successful completion of the module, a student will be able to:
- Have specialist understanding of the nature of malware, its capabilities, and how it is combatted through detection and classification.
- Understand the underlying scientific and logical limitations on society’s ability to combat malware.
- Have an appreciation and broad understanding of the social, economic and historical context in which malware occurs.
Indicative content:
The following are indicative of the topics the module will typically cover:
Introduction:
- The taxonomy of malware and its capabilities: viruses, Trojan horses, rootkits, backdoors, worms, targeted malware.
- History of malware.
The social and economic context for malware:
- Crime, anti-malware companies, legal issues, the growing proliferation of malware.
Basic Analysis:
- Signature generation and detection.
- Clone detection methods.
Static analysis theory:
- Program semantics.
Static Analysis:
- System calls: dependency-analysis issues in assembly languages; semantic invariance of system-call sequences.
- Taint-based analyses.
- Semantic clones.
Dynamic Analysis:
- Virtualization: the semantic gap.
- Reverse engineering.
- Hybridisation with static analysis.
Similarity metrics:
- Kolmogorov complexity.
- Association metrics.
- Other entropy-based metrics.
- NLP-based approaches.
Problems in large-scale classification:
- Scalability.
- Triage methods.
- Required false-positive (FP) rate.
Hiding:
- Polymorphism: compression, encryption, virtualization.
- Metamorphism: high-level code obfuscation engines, on-board metamorphic engines, semantics-preserving rewritings.
- Frankenstein.
The theory of malware:
- Rice’s theorem and the undecidability of semantic equivalence.
- Adleman’s proof of the undecidability of the presence of a virus.
- Cohen’s experiments on detectability and self-obfuscation.
Requisites:
To be eligible to select this module as optional or elective, a student must: (1) be registered on a programme and year of study for which it is formally available; and (2) have taken modules in logic and discrete mathematics, assembly, and imperative programming at FHEQ level 4 or higher.
Module deliveries for 2024/25 academic year
Last updated
This module description was last updated on 19th August 2024.