DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SNPD.2007.417
Ruo Ando, National Institute of Information and Communication Technology, Japan
As malicious code has become more sophisticated and pervasive, faster and more effective systems for forensics and prevention are important. In particular, quick analysis of polymorphic (partly encrypted) viral code is necessary. In this paper we propose a parallel analysis of polymorphic viral code using an automated deduction system. In the proposed system, the decipher routine and its parameters are detected by parallelized automated theorem proving. We apply weighting and look-ahead heuristics to the parallel analysis. We run several detection programs with different computing strategies on the target viral binary code. When the fastest detection process finishes with computing time T(0), the remaining detection processes, with times T(1..n), can be terminated at T(0). In experiments, the computing time for detection is reduced by an average of about 46%. In about half of all cases, 3·T(0) ≤ T(max), where T(max) is the computing time without our strategy. That is, our parallel system makes the detection program faster without adding hardware computing resources. Our system is lightweight and effective for reverse engineering and computer forensics.
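The race scheme described in the abstract, as an added illustration that is not code from the paper: several detection processes with different strategies run side by side, and all of them stop as soon as the first recovers the decipher parameters. The paper's theorem-proving strategies are replaced here by assumed key-search orders against a constructed single-byte XOR sample, and "computing time" is counted in lockstep work units rather than wall-clock time, so T(0) and T(max) are deterministic.

```python
from typing import Callable, Dict, Iterable, Iterator, Optional, Tuple

# Constructed sample (not from the paper): a plaintext marker hidden behind
# a single-byte XOR decipher routine; recovering the key stands in for
# recovering the decipher routine's parameters.
MARKER = b"PAYLOAD"
_KEY = 0xC3
CIPHERTEXT = bytes(b ^ _KEY for b in b"junk" + MARKER + b"more junk")

Strategy = Callable[[bytes], Iterator[Optional[int]]]

def key_search(order: Iterable[int]) -> Strategy:
    """Strategy trying keys in `order`, one work unit per key: yields None
    while searching and the key once the marker appears in the plaintext."""
    def strategy(ct: bytes) -> Iterator[Optional[int]]:
        for k in order:
            yield k if MARKER in bytes(b ^ k for b in ct) else None
    return strategy

def outward() -> list:
    """Assumed key order starting at 0x80 and alternating outward."""
    keys = [128]
    for i in range(1, 129):
        keys += [128 - i] + ([128 + i] if 128 + i < 256 else [])
    return keys

# Three detection processes with different computing strategies (assumed).
STRATEGIES: Dict[str, Strategy] = {
    "ascending": key_search(range(256)),
    "descending": key_search(range(255, -1, -1)),
    "outward": key_search(outward()),
}

def solo_cost(ct: bytes, strategy: Strategy) -> int:
    """Work units T(i) when strategy i runs alone until it succeeds."""
    for t, found in enumerate(strategy(ct), start=1):
        if found is not None:
            return t
    raise ValueError("key not found")

def race(ct: bytes, strategies: Dict[str, Strategy]) -> Tuple[str, int, int]:
    """Run all strategies in lockstep and terminate every process as soon as
    the first succeeds. Returns (winner, key, T(0))."""
    gens = {name: s(ct) for name, s in strategies.items()}
    t = 0
    while gens:
        t += 1
        for name in list(gens):
            try:
                found = next(gens[name])
            except StopIteration:
                del gens[name]          # this process exhausted its search
                continue
            if found is not None:
                return name, found, t   # remaining processes stop at T(0)
    raise ValueError("no strategy found the key")

def reduction(ct: bytes, strategies: Dict[str, Strategy]) -> float:
    """Fraction of computing time saved versus T(max), the slowest process alone."""
    _, _, t0 = race(ct, strategies)
    return 1 - t0 / max(solo_cost(ct, s) for s in strategies.values())
```

With this sample, the winner needs T(0) = 61 units while T(max) = 196, so 3·T(0) ≤ T(max) holds and the race saves about 69% of the baseline time without any extra hardware.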