

The goal of the modus operandi project is to identify software based on some of its essential characteristics. These characteristics are determined by automated inspection of previous versions of the software. New versions may have distinctly different code, but we believe they will retain these essential characteristics if they are to accomplish the same function as previous versions. Methods of both static and dynamic analysis are useful for this purpose.

There are several applications for this. Our primary interest is identification of malware (computer worms and viruses). The first line of defense against malware has been signature checkers, which recognize specific instructions or data in the malicious code. Signatures generally have to be manually identified. Worse than this, the creators of malware have invented ways to mutate their code to diminish the utility of fixed signatures. However, some things are hard to change, including how you program certain key tasks.

Hence, the name modus operandi, which denotes the characteristic way in which criminals prepare for and commit crimes. Such characteristics are often used to solve and prosecute crimes after they are committed, but in our case, we seek to prevent the infection of a computer by malicious code. The method of detection has to be hard to bypass, automated (not requiring manual direction or inspection), and very fast, as users won't tolerate a substantial slowdown of their computer's performance, or noticeable delays in interactivity.

Vulnerabilities in software have been exploited for many years to gain access to computer systems and information resources. Defensive techniques are known, but clearly the lessons about software vulnerabilities and how to minimize or eliminate them during design, implementation, and maintenance of software are not being taught effectively to computer science and engineering students. This project is therefore also concerned with teaching students about software vulnerabilities and their prevention. Courseware and tools are being developed and/or adapted for this purpose.

The support of the National Science Foundation for this project is gratefully acknowledged, under the Cybertrust Program of CNS, award number 0627505 entitled "CT-ER: Metamorphic Worm Detection", and award number 0831081 entitled "Origin of the Code: Automated Identification of Common Characteristics in Malware".


Douglas S. Reeves · Department of Computer Science · NC State University

Last modified on Friday, 19-Oct-2012 13:14:59 EDT