A few weeks ago we attended the 14th Recent Advances in Intrusion Detection (RAID) Symposium in Menlo Park, California. The conference was held at SRI International and featured 20 talks about malware, application security, anomaly detection and network security.
Our group presented three papers: Yanick talked about Shellzer, a tool for the dynamic analysis of malicious shellcode, which will soon be integrated with Wepawet. Bob presented Dymo, a system that provides a dynamic code identity primitive that tracks the run-time integrity of a process and can also produce labels for network packets to distinguish between legitimate and malicious network activity.
I talked about Disarm, which I developed together with Paolo and Clemens for my Master's degree at the Vienna University of Technology. As operators of the dynamic malware analysis sandbox Anubis, we are very interested in detecting environment-sensitive malware that is capable of fingerprinting Anubis and evading analysis. Disarm therefore automates the screening of malware samples for evasive behavior; it helped us discover several evasion techniques that malware uses against Anubis (and also against other dynamic analysis sandboxes).
I was pleased with the positive feedback and interest in our work and thoroughly enjoyed the conference, especially meeting colleagues from UCSB and Institut Eurécom, as well as other experts from the security community.