2LR proposes to develop a malicious source code scanner that can flag sections of potentially `bad' source code that is vulnerable to exploitation or may contain latent malicious content. This effort will evaluate and compare current methods for detecting malicious code with a novel method based on code-logic signature analysis and discrimination. It will develop pattern classes that are associated with patterns of logic instructions present within actual malcode specimens. We expect malcode control flow logic patterns to cluster in `pattern space' (i.e. revealing code logic pedigrees). This is because specific algorithmic logic must be used to effect specific behaviors. Specific exploits are achieved by specific behaviors. The logic that codes malicious (exploitive) behavior becomes the signature. If a group of malware specimens all use the same exploitive behavior, their signatures will all have similar traits. In some sense, this is akin to DNA patterns and how they also cluster for different pedigrees
