Multi-variant execution to protect unpatched software

2015 Resilience Week (RWS) (2015)

Abstract
For a variety of economic and practical reasons, security patches often cannot be deployed immediately after a patch's release. To mitigate attacks against unpatched software, we present the design and evaluation of a Moving Target technique that uses a form of software diversity called multi-variant execution. Our technique decomposes the software's behavior into its low-level system calls and compares unpatched and patched execution traces to identify malicious behavior in the unpatched software. We evaluate our approach on benign and malicious document samples and our results indicate that multi-variant execution can detect real exploits with low false positives.
Keywords
multivariant execution,unpatched software protection,moving target technique,software diversity,software low-level system calls
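
The trace comparison the abstract describes can be sketched as follows. This is an added illustration, not the paper's implementation: the trace line format, the SENSITIVE policy list, the verdict names and the sample traces are all assumptions constructed for the example.

```python
from difflib import SequenceMatcher

# Assumed policy: syscalls treated as high-risk when only the unpatched variant issues them.
SENSITIVE = {"execve", "connect", "socket", "mprotect", "fork", "clone"}

def normalize(trace):
    """Keep only the syscall name from 'name(args) = ret' lines, so addresses,
    descriptors and return values that differ benignly are ignored."""
    return [line.split("(", 1)[0].strip() for line in trace if line.strip()]

def compare_variants(unpatched, patched):
    """Align the two traces and report every region where they diverge."""
    u, p = normalize(unpatched), normalize(patched)
    matcher = SequenceMatcher(None, u, p, autojunk=False)
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        findings.append({
            "at": i1,                         # index into the unpatched trace
            "unpatched_only": u[i1:i2],
            "patched_only": p[j1:j2],
            "sensitive": sorted(SENSITIVE.intersection(u[i1:i2])),
        })
    if not findings:
        verdict = "match"                     # variants behaved identically
    elif any(f["sensitive"] for f in findings):
        verdict = "alert"                     # unpatched variant alone did something high-risk
    else:
        verdict = "divergent"                 # differs, but nothing on the policy list
    return verdict, findings

# Constructed traces: the same document opened by the patched and unpatched variants.
PATCHED = [
    'open("/tmp/sample.doc", O_RDONLY) = 3',
    "read(3, buf, 4096) = 4096",
    "read(3, buf, 4096) = 512",
    "close(3) = 0",
    "exit_group(1) = ?",
]
UNPATCHED = [
    'open("/tmp/sample.doc", O_RDONLY) = 5',
    "read(5, buf, 4096) = 4096",
    "read(5, buf, 4096) = 512",
    "mprotect(0x7f0000000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0",
    "socket(AF_INET, SOCK_STREAM, 0) = 6",
    "connect(6, addr, 16) = 0",
]

if __name__ == "__main__":
    print(compare_variants(UNPATCHED, PATCHED))
```
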