Address Space Dynamics
In physics, we can use the laws of motion, or the Lagrange equation, to describe the trajectory of an object in a system. An object is described by a state vector: a list of orthogonal dimensions. We can think of a process as a trajectory through a state space. The dimensions are given by the bits of memory, the registers, and the internal state of hardware. Thinking about processes this way allows us to formulate methods to understand their execution externally. Obviously a program's execution is determined by its code, but if this code is not available, we can use observations of its state at discrete points in time and space to glean information about it, for example by feeding a feature vector into a recurrent neural network to predict the next state. We can also use this information to visualize a process over time (e.g. using FFTs and dimensionality reduction techniques) or generate program fingerprints for classification and computation of similarity metrics.
We are currently using these techniques for low-latency malware classification.
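The fingerprinting idea above, as an added sketch that is not the project's own code: memory snapshots taken at discrete times are reduced to a per-step count of changed bytes, and processes are compared by the magnitude spectrum of that series. The toy `simulate` processes, the changed-byte feature and the cosine similarity metric are assumptions chosen for illustration.

```python
import cmath
import math

def change_series(snapshots):
    """Count of bytes that differ between each pair of consecutive snapshots."""
    return [sum(a != b for a, b in zip(prev, cur))
            for prev, cur in zip(snapshots, snapshots[1:])]

def spectrum_fingerprint(series):
    """Unit-norm DFT magnitude spectrum of the series, with the mean (DC) removed."""
    n = len(series)
    mean = sum(series) / n
    centered = [x - mean for x in series]
    mags = []
    for k in range(1, n // 2 + 1):
        coeff = sum(x * cmath.exp(-2j * math.pi * k * t / n)
                    for t, x in enumerate(centered))
        mags.append(abs(coeff))
    norm = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / norm for m in mags]

def cosine(u, v):
    """Cosine similarity of two unit-norm fingerprints."""
    return sum(a * b for a, b in zip(u, v))

def simulate(period, burst, base, steps=33, size=256):
    """Constructed toy process: rewrites `burst` bytes at `base` every `period` steps."""
    mem = bytearray(size)
    snaps = [bytes(mem)]
    for t in range(1, steps):
        mem[0] = t & 0xFF                  # loop counter, changes every step
        if t % period == 0:                # periodic burst of writes
            for i in range(base, base + burst):
                mem[i] = (mem[i] + 1) & 0xFF
        snaps.append(bytes(mem))
    return snaps

def fingerprint(snapshots):
    return spectrum_fingerprint(change_series(snapshots))

# Constructed samples: A and B share a period, C does not.
fp_a = fingerprint(simulate(period=4, burst=16, base=32))
fp_b = fingerprint(simulate(period=4, burst=8, base=128))
fp_c = fingerprint(simulate(period=8, burst=16, base=32))

if __name__ == "__main__":
    print(f"A~B {cosine(fp_a, fp_b):.3f}  A~C {cosine(fp_a, fp_c):.3f}")
```

A and B write different amounts of data to different addresses yet produce the same fingerprint, because the spectrum captures the timing of the activity rather than its location.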