Lessons learned in Behavioral Detection of Malicious Code

Dr. Richard Ford
Florida Institute of Technology

Malicious Code represents a significant challenge to computer security; both home users’ and corporations’ machines are often overrun with viruses, worms and spyware. Furthermore, the ability for worms to become pandemic within minutes of initial release making reactive detection methods impractical and ineffective. Due to these challenges, much recent research has focused on behavioral (i.e. runtime) detection techniques. This talk provides insight into our own experience with behavioral malcode detection in Windows using API interception and undo technologies. Furthermore, it outlines both the strengths and weaknesses of the technique, and explores how these techniques could be extended to handle an ever-changing threat.


Dr. Richard Ford graduated from the University of Oxford in 1992 with a D.Phil. in Quantum Physics. Since that time, he has worked extensively in the area of computer security and malicious mobile code detection and prevention. Previous projects include work on the Computer Virus Digital Immune System at IBM Research, and development of the world’s largest web hosting system whilst Director of Engineering at Verio.Ford is currently an Associate Professor at the Florida Institute of Technology’s Center for Security Science, and Acting Director of the Institute for Computing and Information Systems. His research interests include Malicious Mobile Code, Behavioral Worm Prevention, Security Metrics and Computer Forensics. Ford is currently Executive Editor of Reed-Elsevier’s Computers & Security, and Virus Bulletin. He is also Scientific Advisor to the European Institute of Computer Antivirus Research.  When not working on Computer Security, Dr. Ford plays Jazz Flute, writes and arranges music, and fishes (with highly variable success). He lives in sunny Florida with his wife, Sarah, who is also an expert in computer security.