By Douglas C. Schmidt
part of an ongoing effort to keep you informed about our latest work, I
would like to let you know about some recently published SEI technical
reports and notes. These reports highlight the latest work of SEI
technologists in quantifying expert judgment, insider threat, detecting and preventing data exfiltration, and developing a common vocabulary for malware analysts.
This post includes a listing of each report, author(s), and links where
the published reports can be accessed on the SEI website.
By Sagar Chaki,
Senior Member of the Technical Staff
Research, Technology & System Solutions
malicious program disrupts computer operations, gains access to private
computational resources, or collects sensitive information. In February
2012, nearly 300 million malicious programs were detected, according to
a report compiled by SECURELIST.
To help organizations protect against malware, I and other researchers
at the SEI have focused our efforts on trying to determine the origin of
the malware. In particular, I’ve recently worked with my colleagues—Arie Gurfinkel, who works with me in the SEI’s Research, Technology, & System Solutions Program, and Cory Cohen, a malware analyst with the CERT Program—to
use the semantics of programming languages to determine the origin of
malware. This blog post describes our exploratory research to derive
precise and timely actionable intelligence to understand and respond to
By David French
Senior Malware Researcher
In previous blog posts,
I have written about applying similarity measures to malicious code to
identify related files and reduce analysis expense. Another way to
observe similarity in malicious code is to leverage analyst insights by
identifying files that possess some property in common with a particular
file of interest. One way to do this is by using YARA,
an open-source project that helps researchers identify and classify
malware. YARA has gained enormous popularity in recent years as a way
for malware researchers and network defenders to communicate their
knowledge about malicious files, from identifiers for specific families
to signatures capturing common tools, techniques, and procedures (TTPs).
This blog post provides guidelines for using YARA effectively, focusing
on selection of objective criteria derived from malware, the type of
criteria most useful in identifying related malware (including strings,
resources, and functions), and guidelines for creating YARA signatures
using these criteria.
By Will Casey
Through our work in cyber security, we have amassed millions of pieces of malicious software in a large malware database called the CERT Artifact Catalog.
Analyzing this code manually for potential similarities and to identify
malware provenance is a painstaking process. This blog post follows up
our earlier post to explore how to create effective and efficient tools
that analysis can use to identify malware.
Acquisition , Acquisition Dynamics , Agile , Architecture Documentation , Architecture Driven Design (ADD) , Binaries , Cyber-physical Systems , Fuzzy Hashing , Handheld Devices , Malware , Measurement & Analysis , Resilience Management Model (RMM) , Safety-Related Requirements , Security-Related Requirements , SEI Research , Software Cost Estimates , Team Software Process (TSP) , Technical Debt
By Douglas C. Schmidt
Chief Technology Officer
A key mission of the SEI is to advance the practice of software engineering and cyber security through research and technology transition
to ensure the development and operation of software-reliant Department
of Defense (DoD) systems with predictable and improved quality,
schedule, and cost. To achieve this mission, the SEI conducts research
and development (R&D) activities involving the DoD, federal
agencies, industry, and academia. One of my initial blog postings
summarized the new and upcoming R&D activities
we had planned for 2011. Now that the year is nearly over, this blog
posting presents some of the many R&D accomplishments we completed