FPGA-based static analysis tool for detecting malicious binaries

The detection of malicious files is an important component of any intrusion detection system. Due to increases in network speeds and new worms being discovered frequently, there arises a need to detect worms on the fly without totally relying on signatures. There are methods available for detecting malicious files by looking into the dynamic behavior of the files. However, in most of these cases the file has to be either run in a dynamic environment or has to be disassembled to look at its content. We present here a novel method to look at the files without the need of executing or disassembling them. We also provide a framework that implements our method on Field Programmable Gate Arrays (FPGAs). We use a novel approach to identify byte-patterns that can be used to do static analysis of binaries. Our FPGA implementation can detect worms at multi-gigabit rates and also provides us with a tool that can help us carry out systematic, real time analysis and detection of malicious binaries.