Abstract

Malicious code detection is a critical part of any cyber security operation. Typically, the behavior of normal applications is modeled so that deviations from normal behavior can be identified. There are multiple approach to modeling good behavior but the most common approach is to observe applications’ system call activity. System calls are messages passed between user space applications and their underlying operating systems. The detection of irregular system call activity signals the presence of malicious software behavior. This method of malware-detection has been used successfully for almost two decades. Unfortunately, it can be difficult to cover this concept at the right level of detail for undergraduate information systems students. Some instructors provide only superfluous descriptions of malware, others delve into in-depth reviews of application code. This paper advocates an approach which teaches the fundamentals of code analysis to non-programmers. The approaches integrates visualization tools such as flame graphs to help students interpret software behavior. It has been found to be especially valuable for upper division information systems courses on cyber security.

 

Teaching Static Call Analysis to Detect Anomalous Software Behavior

Malicious code detection is a critical part of any cyber security operation. Typically, the behavior of normal applications is modeled so that deviations from normal behavior can be identified. There are multiple approach to modeling good behavior but the most common approach is to observe applications’ system call activity. System calls are messages passed between user space applications and their underlying operating systems. The detection of irregular system call activity signals the presence of malicious software behavior. This method of malware-detection has been used successfully for almost two decades. Unfortunately, it can be difficult to cover this concept at the right level of detail for undergraduate information systems students. Some instructors provide only superfluous descriptions of malware, others delve into in-depth reviews of application code. This paper advocates an approach which teaches the fundamentals of code analysis to non-programmers. The approaches integrates visualization tools such as flame graphs to help students interpret software behavior. It has been found to be especially valuable for upper division information systems courses on cyber security.

 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.