Teaching Static Call Analysis to Detect Anomalous Software Behavior

Malicious code detection is a critical part of any cyber security operation. Typically, the behavior of normal applications is modeled so that deviations from normal behavior can be identified. There are multiple approach to modeling good behavior but the most common approach is to observe applications’ system call activity. System calls are messages passed between user space applications and their underlying operating systems. The detection of irregular system call activity signals the presence of malicious software behavior. This method of malware-detection has been used successfully for almost two decades. Unfortunately, it can be difficult to cover this concept at the right level of detail for undergraduate information systems students. Some instructors provide only superfluous descriptions of malware, others delve into in-depth reviews of application code. This paper advocates an approach which teaches the fundamentals of code analysis to nonprogrammers. The approaches integrates visualization tools such as flame graphs to help students interpret software behavior. It has been found to be especially valuable for upper division information systems courses on cyber security. Disciplines Curriculum and Instruction | Information Security | Management Information Systems | Technology and Innovation This event is available at DigitalCommons@Kennesaw State University: http://digitalcommons.kennesaw.edu/ccerp/2016/ Academic/1