(depscor Fy09) Obfuscation and Deobfuscation of Intent of Computer Programs Fa9550-09-1-0715 Arun Lakhotia

This research aimed at developing a theoretical framework to predict the next obfuscation (or deobfuscation) move of the adversary, with the intent of making cyber defense proactive. More specifically, the goal was to understand the relationship between obfuscation and deobfuscation techniques employed in malware offense and defense. The strategy was to build upon previous work of Giacobazzi and Dalla Preda on modeling obfuscation and deobfuscation as abstract interpretations. It furthers that effort by developing an analytical model of the best obfuscation with respect to a deobfuscator. In addition, this research aimed at developing cost models for obfuscation and deobfuscations. The key findings of this research include: a theoretical model of computing the best obfuscation for a deobfuscator, a method for context-sensitive analysis of obfuscated code, a method for learning obfuscation transformations used by a metamorphic engine, several insights into the use of machine learning in deobfuscation, and game-theoretic models of certain scenarios of offense-defense games in software protection.