
Performance Evaluation of Malware (original title: Evaluation de performance des maliciels)

Posted on: 2008-04-06
Degree: M.Sc.A
Type: Thesis
University: Ecole Polytechnique, Montreal (Canada)
Candidate: Bureau, Pierre-Marc
Full Text: PDF
GTID: 2449390005963899
Subject: Engineering

Abstract/Summary:
Malicious software, also called malware, is a category of programs created with malicious intent. These programs are widely used on the Internet and their effectiveness at stealing money from users is on the rise. The creation and behaviour of malware is not magic. These programs are created by humans and are used to reach objectives that range from fame and glory to financial fraud and money laundering. With the general adoption of electronic commerce, it is now possible to acquire huge amounts of money by performing fraud with malware. Some experts say that the potential gains from malware operations are presently greater than the potential gains from trafficking heroin!

Research groups and companies have shown interest in the problem of malware and put forward interesting counter-measures. The downside of these counter-measures is that they are not suited to face the evolution of malware. Most of the defensive systems we use today work well against known threats but are often unable to detect unknown danger and protect users. Trust in detection and protection systems is also impacted negatively by their high rate of false positive alarms.

This document presents research aimed at understanding the threats posed by malware and predicting their evolution. To understand the evolution of malware, we propose a list of objectives malicious programmers are trying to reach when creating malicious software. In addition to the objectives, we present a list of performance criteria that can be observed to evaluate how effectively a malware reaches its objectives.

Malware performance does not depend only on these performance criteria. The performance of malicious software is also influenced by its characteristics and by the environment in which it operates. We present a three-factor model we created to express the relation between performance criteria, environment and malware characteristics.

Furthermore, we created a second model to express the characteristics of malware based on the OODA loop. The OODA loop model divides malware characteristics into four phases: observation, orientation, decision and action.

We use the OODA loop to study the relation between the performance, environment and characteristics of a malware with a concrete example. Our example involves a malware epidemic within a network where filtering is enforced between subnets. We put forward a mathematical model based on Markov processes to show that network filtering influences the spreading speed of malware.

To validate our mathematical model, we developed a malware emulation framework (MEF). This framework lets researchers create emulation agents that can be used to emulate the behaviour of malware inside a computer network. The emulation agents are self-replicating Ruby scripts loaded with monitoring and security features in order to perform secure and precise experiments. We used our framework to generate three scenarios where agents would propagate inside a network composed of thirty systems and where we could easily monitor their speed of propagation. The first scenario involves a network of thirty machines without any network filtering. The second scenario was performed using two separate networks with one system connected to both. Finally, the third scenario was done with two networks and four interconnected systems.

The experimental results shown in this document are only part of the contributions of our research. Expressing malware characteristics with the OODA loop leads us to the conclusion that certain phases of malware behaviour are not at their best. The phases that lack development are the orientation and decision processes. This conclusion leads us to believe that we should prepare for more "intelligent" malware in the near future.

The practical experiments we have conducted are valuable to the research community because they prove that the OODA loop model works, since our agents are modelled using this con...
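The Markov-process spreading model and the three emulation scenarios described above, as an added example that is neither the thesis's model nor MEF code: a discrete-time stochastic SI epidemic on a thirty-host graph, run over the three topologies (full mesh; two subnets joined by one dual-homed host; two subnets joined by four bridge hosts) and reporting the mean number of steps until every host is infected. Host numbering, the per-step infection probability and the trial count are assumptions of this example.

```ruby
# Added illustration: discrete-time stochastic SI epidemic on a host graph; the
# infected set is a Markov chain. Topologies mirror the three thesis scenarios;
# edges, P_INFECT and trial counts are this example's assumptions, not the thesis's.
HOSTS = 30
P_INFECT = 0.2 # per step, chance an infected host compromises one reachable peer

# Undirected adjacency list. Subnet filtering is modelled by omitting edges:
# only the listed bridge hosts can reach subnet B from subnet A.
def build_topology(bridges)
  subnet_a = (0...HOSTS / 2).to_a
  subnet_b = (HOSTS / 2...HOSTS).to_a
  adj = Array.new(HOSTS) { [] }
  link = ->(u, v) { adj[u] << v; adj[v] << u }
  if bridges.nil? # scenario 1: no filtering, every host sees every other
    (0...HOSTS).to_a.combination(2) { |u, v| link.call(u, v) }
  else
    subnet_a.combination(2) { |u, v| link.call(u, v) }
    subnet_b.combination(2) { |u, v| link.call(u, v) }
    bridges.each { |br| subnet_b.each { |v| link.call(br, v) } }
  end
  adj
end

# One epidemic from patient zero; returns steps until every host is infected.
def steps_to_saturation(adj, rng, patient_zero: 0, max_steps: 1000)
  infected = Array.new(HOSTS, false)
  infected[patient_zero] = true
  count, steps = 1, 0
  while count < HOSTS && steps < max_steps
    newly = []
    adj.each_with_index do |peers, u|
      next unless infected[u]
      peers.each { |v| newly << v if !infected[v] && rng.rand < P_INFECT }
    end
    newly.uniq.each { |v| infected[v] = true; count += 1 }
    steps += 1
  end
  steps
end

# Average over seeded trials so results are reproducible run to run.
def mean_steps(adj, trials: 200, seed: 42)
  rng = Random.new(seed)
  trials.times.sum { steps_to_saturation(adj, rng) } / trials.to_f
end

SCENARIOS = {
  "1: no filtering (full mesh)" => build_topology(nil),
  "2: two subnets, one dual-homed host" => build_topology([14]),
  "3: two subnets, four bridge hosts" => build_topology([11, 12, 13, 14]),
}
SCENARIOS.each { |name, adj| printf("%-38s mean steps: %.2f\n", name, mean_steps(adj)) }
```

The single dual-homed host is the bottleneck that the filtering creates: the second subnet cannot be seeded until that one host is compromised, which is why its mean saturation time is the longest of the three.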
Keywords/Search Tags:OODA loop, Malware, Performance, Model, Used, Agents, Malicious, Created