Statistical Qualification of an Existing Industry-held “Malware” Feature Set

ParetoLogic Inc. is a Victoria, BC-based software company that develops anti-spyware solutions. Maintaining the accuracy and completeness of its products’ spyware detection capabilities is a key business need in the competitive anti-spyware marketplace. Currently, maintaining the requisite spyware signature database is a human-intensive effort, relying on highly skilled personnel to both collect and analyze potentially malicious code. With the continued growth and expansion of spyware technologies and approaches, relying solely on human effort to perform these tasks is seen as untenable from a business perspective. Hence, ParetoLogic Inc. has embarked on a project to automate significant portions of the code collection and adjudication processes required to maintain the completeness and accuracy of the spyware detection database. To this end, ParetoLogic has recorded run-time “features” exhibited by 2,000 collected real-world spyware examples. The company wishes to formally, statistically qualify the “quality” of the chosen features with respect to their ability to a) differentiate spyware (and, more generally, malware) from benign code examples, and b) differentiate classes of malware from one another. Additionally, the company wishes to identify possible “patterns” within the feature data that are indicative of malware or malware classes. The purpose of this internship is to perform this formal statistical qualification and pattern identification work.

Faculty Supervisor:

Dr. Stephen Neville

Student:

Mohammed El Gamal

Partner:

ParetoLogic Inc.

Discipline:

Engineering

Sector:

Information and communications technologies

University:

University of Victoria

Program:

Accelerate
