Malware Analysis and Intrusion Detection (Christian Rossow)

News

12.12.2018

MAID News

Please note a few things:

  • The PCAP for MAID Challenge #3 is now available.
  • Tomorrow will include a hands-on session to introduce IDA. If you can, please bring a laptop with IDA (https://www.hex-rays.com/products/ida/support/download_freeware.shtml) and the IDA-demo binary (see Materials section in CMS). Unfortunately we won't have room capacities to offer you workstations; we'll aim to arrange partner work tomorrow in case you lack your own laptop.
  • Some of you wondered what to do in case of questions about the projects. Note that it is fully OK to discuss questions among each other, as long as you do not reveal solutions to others; this includes posting non-sensitive questions to Askbot. In case of doubt, or in case you have a critical question that reveals part of the solution, please send me an email directly (rossow@cispa.saarland). Note that your tutor has to solve the challenges himself and thus won't be able to help you out.

10.12.2018

MAID Challenges Are Live

Alice,

Get your VPN started and let the show begin! http://10.8.0.1/

Good luck,

Bernd

PS: The PCAP that is required to solve challenge #3 will be released by the end of this week at the latest. In the meantime: happy reversing.

10.12.2018

MAID Lecture and Tutorials on Thu Dec 13

We will have a final MAID lecture on Thu, Dec 13. It will be very hands-on, giving you a quick demo of how to use a disassembler. Furthermore, we will hand out the course evaluation forms. And: We will have tutorials as usual, discussing two exercise sheets on Control Flow Graphs and Code Optimizations (see CMS).

07.11.2018

MAID Lecture Nov 8 at 10:00 s.t. (sharp)

Gentle reminder: Tomorrow's (and all subsequent) lectures will start at 10:00 sharp to accommodate the tutorial sessions in the afternoon.

The exercise sessions will start tomorrow in the following rooms:

  • Thu 12:30-14:00: SR 007 in E2 1 (Bioinformatics building)
  • Thu 14:15-16:00: SR 015 in E1 3 (CS building)

The first exercise sheet is available in CMS. We will work through this sheet live during the tutorials. There is no need for any preparation other than a recap of what was discussed in the lectures.

30.10.2018

MAID Lecture Wed 31.10. (Tomorrow) 10-12

This is a gentle reminder for the out-of-band MAID lecture that we will have tomorrow, Wed 31.10. 10-12 in HS001. We will be back to normal schedule starting next week. Tutorials will start next week, too.

22.10.2018

Tutorial Slots Assigned

We've just assigned you to the two Thursday tutorials (12:30 / 14:15) according to your preferences. Tutorials will start on Nov 8th. From Nov 8th onward, the lecture will also start 10:00 sharp, such that everyone has sufficient time to have lunch from 11:30-12:30.

There is no need to prepare anything for most tutorials. We will hand out exercises in the tutorial session and solve them live.

21.10.2018

Change of Schedule for Next Two Lectures

As indicated in the CMS outline, we'll have to reschedule the lectures of the upcoming week and the week thereafter. The next two lectures will be Mon 22.10. 14-16 (tomorrow!) and Wed 31.10. 10-12 in our usual lecture room (HS001). We'll be back to normal Thu 10-12 starting Nov 8.

Gentle reminder: You can choose your tutorial preferences until tonight (23:59).

18.10.2018

Select your tutorial preferences

We've added three potential tutorial slots in CMS, out of which we'll choose ideally one (and at most two):

  • Wed 10-12
  • Thu 12-14 (incl. lunch break: lecture would be 10:00-11:30, and exercises from 12:30-14:00)
  • Thu 14-16

Please select your availability in CMS by Sunday: https://cms.cispa.saarland/maid1819/

Note: It'll be tough to find a good time slot, so please specify as many slots as you can to enable a good (and solvable) assignment.

In CMS, you'll also be able to find the slides and (soon) exercise sheets.

17.10.2018

MAID starts on Thu 10:00

If you received this email, your registration for MAID was successful. We will welcome you on Thu 10am (c.t.) in HS001 (E1 3).


Malware Analysis and Intrusion Detection

MAID will teach you the various skills you need for reverse engineering malware, that is, understanding its inner workings without having access to its source code. We will dive deep into Intel x64 assembly (mostly 64-bit), look at how to recover the higher-level semantics of low-level assembly code, cover techniques commonly found in malware (e.g., obfuscation, C&C communication), and learn various malware analysis techniques (e.g., control flow graphs, symbolic execution, dynamic analysis). While we will also cover intrusion detection, this topic will only be a small part of the entire lecture.

Register by Mon, Oct 15. Attendance is limited to 40 students. We will give preference to Master students and BSc students in their fifth (or higher) semester in case more than 50 students sign up. We will announce the final attendee list by Tue, Oct 16.

WARNING: If you are looking for an easy course, be advised not to take this one. Despite the fact that we will have fewer lectures than an average advanced lecture, the course projects are serious work and significantly exceed the small projects you may know from other lectures. We planned the project work specifically so that you won't feel bored over Christmas and in the semester break in February. Reconsider attending if you take other intensive courses during the same semester. This warning is no bullshit: Previous editions have shown that only about 25% of the initial students will finish this lecture. But if you do, it will be super fun.

Timeline and Content

  • Thu 18.10.: Introduction + Assembly 101
  • Mon 22.10. 14:15-15:45: Assembly 101
  • Wed 31.10. 10:15-11:45: Assembly 101
  • Thu 08.11. 10:00 sharp: Assembly Data Structures
  • Thu 15.11. 10:00 s.t.: Control Flow Graphs, Code Optimizations + Dynamic Analysis
  • Thu 22.11. 10:00 s.t.: Obfuscation + Packing
  • Thu 29.11. 10:00 s.t.: Malware / Botnets
  • Thu 06.12. 10:00 s.t.: Intrusion Detection
  • Thu 13.12. 10:00 s.t.: IDA Hands-on Session
