
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation (presentation transcript)


Slide 1: Process Coloring: an Information Flow-Preserving Approach to Malware Investigation
Eugene Spafford, Dongyan Xu (Presenter), Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Xuxian Jiang, Department of Information and Software Engineering, George Mason University
NICIAR PI Meeting, Boston, MA, September 19, 2007

Slide 2: Motivation
- Internet malware remains a top threat
- Malware: virus, worms, rootkits, spyware, bots…

Slide 3: Motivation

Slide 4: The Challenge: Enabling Timely, Efficient Malware Investigation
- Raising timely alerts to trigger a malware investigation
- Identifying the break-in point of the malware
- Reconstructing all contaminations by the malware
[Figure: timeline of state-of-the-art log-based intrusion investigation tools. Labels: Time, Infection, Break-in point, External detection point, Detection, Log, Break-in point trace-back, Contamination reconstruction]

Slide 5: Limitations of Today's Tools
- Long "infection-to-detection" interval
- Entire log needed for both trace-back and reconstruction
- Questionable trustworthiness of log data
[Figure: same timeline as slide 4 (Infection, Break-in point, External detection point, Log, Break-in point trace-back, Contamination reconstruction)]

Slide 6: Technical Approach: Process Coloring
- Key idea: propagating and logging malware break-in provenance information ("colors") along OS-level information flows
- Existing tools only consider direct causality relations without preserving and exploiting break-in provenance information
[Figure: architecture. Labels: Attacker; Apache, Sendmail, DNS, MySQL in the Guest OS; Logger; Virtual Machine Monitor (VMM); Log; Log Monitor Virtual Machine; runtime alert triggered by log color anomalies]

Slide 7: New Capabilities Enabled by Process Coloring
[Figure: initial coloring of services started by init/rc (s30sendmail, s45named, s55sshd, s80httpd); coloring diffusion from httpd to /bin/sh, wget, Rootkit, Local files, netcat and /etc/shadow (Confidential Info); Syscall Log]
- Capability 1: Color-based malware warning
- Capability 2: Color-based identification of malware break-in point
- Capability 3: Color-based log partition for contamination analysis

Slide 8: Color-Based Malware Warning
Capability 1: Color-based malware warning: "unusual color inheritance"

...
BLUE: 673["sendmail"]: 5_open("/proc/loadavg", 0, 438) = 5
BLUE: 673["sendmail"]: 192_mmap2(0, 4096, 3, 34, 4294967295, 0) = 1073868800
BLUE: 673["sendmail"]: 3_read(5, "0.26 0.10 0.03 2...", 4096) = 25
BLUE: 673["sendmail"]: 6_close(5) = 0
BLUE: 673["sendmail"]: 91_munmap(1073868800, 4096) = 0
...
RED: 2568["httpd"]: 102_accept(16, sockaddr{2, cbbdff3a}, cbbdff38) = 5
RED: 2568["httpd"]: 3_read(5, "\1281\1\0\2\0\24...", 11) = 11
RED: 2568["httpd"]: 3_read(5, "\7\0À\5\0\128\3\...", 40) = 40
RED: 2568["httpd"]: 4_write(5, "\132@\4\0\1\0\2\...", 1090) = 1090
…
RED: 2568["httpd"]: 4_write(5, "\128\19Ê\136\18\...", 21) = 21
RED: 2568["httpd"]: 63_dup2(5, 2) = 2
RED: 2568["httpd"]: 63_dup2(5, 1) = 1
RED: 2568["httpd"]: 63_dup2(5, 0) = 0
RED: 2568["httpd"]: 11_execve("/bin//sh", bffff4e8, 00000000)
RED: 2568["sh"]: 5_open("/etc/ld.so.prelo...", 0, 8) = −2
RED: 2568["sh"]: 5_open("/etc/ld.so.cache", 0, 0) = 6

Slide 9: Color-Based Malware Warning
- Another example: "color mixing"

RED: 1234["httpd"]: …
RED+BLUE: 1234["httpd"]: system call to read file index.html

[Figure: bind runs "cp defaced.html index.html"; httpd then reads index.html]

Slide 10: Efficiency through Process Coloring
Time period being analyzed: 24 hours

                         Lion                   Slapper                 SARS
# worm-related entries   66,504                 195,884                 19,494
Exploited service        BIND (CVE-2001-0010)   Apache (CAN-2002-0656)  Samba (CAN-2003-0085)
% of log inspected       48.7%                  65.9%                   12.1%

- Capability 2: Color-based break-in point identification
- Capability 3: Color-based log partitioning

Slide 11: Impact of Success
- How will it benefit the NIC?
  - Accountability of NIC cyber infrastructure
  - Readiness against current and emerging malware threats (e.g., botnets, rootkits, spyware) to NIC
  - Protection of NIC critical data, information, and computation activities
  - Reduction of NIC human labor in malware investigation

Slide 12: Evaluation Metrics
- Timeliness
  - Malware infection-to-warning interval
- Efficiency
  - Percentage of log reduction for malware contamination reconstruction
- Accuracy
  - False positive rate of malware warning
  - False negative rate of malware warning
  - Correctness of malware action graphs

Slide 13: Work in Progress: Color Diffusion Modeling (Month 1-6)
- Color Diffusion Model

Operation | Diffusion rule (s: process, o: object)   | System calls
CREATE    | color(o1) = color(s1)                    | create, mkdir, link
          | color(s2) = color(s1)                    | fork, vfork, clone
READ      | color(s1) = color(s1) ∪ color(o1)        | read, readv, recv
          | color(s1) = color(s1) ∪ color(s2)        | ptrace
WRITE     | color(o1) = color(s1) ∪ color(o1)        | write, writev, send
          | color(s2) = color(s1) ∪ color(s2)        | ptrace, wait, signal
DESTROY   | destroy                                  | unlink, rmdir, close
          |                                          | exit, kill

Object and process relationships in Linux analyzed.
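The diffusion rules above, replayed over the color-mixing scenario of slide 9 (bind copies defaced.html over index.html, httpd then reads it), as an added Python example that is not code from the Process Coloring project. The pids, file names and trace are constructed; treating any process that holds more than one color as a Capability 1 warning, and grouping log lines by color for Capability 3, are assumptions about how those capabilities would be implemented.

```python
from collections import defaultdict

CREATE_PROC = {"fork", "vfork", "clone"}      # color(s2) = color(s1)
CREATE_OBJ = {"create", "mkdir", "link"}      # color(o1) = color(s1)
READ_OBJ = {"read", "readv", "recv"}          # color(s1) = color(s1) ∪ color(o1)
WRITE_OBJ = {"write", "writev", "send"}       # color(o1) = color(s1) ∪ color(o1)

# Constructed trace (pid, comm, syscall, target): the BLUE bind daemon copies
# defaced.html over index.html, which the RED httpd daemon then serves.
TRACE = [
    (900, "named", "fork", 901),
    (901, "cp", "read", "defaced.html"),
    (901, "cp", "write", "index.html"),
    (2568, "httpd", "fork", 2569),
    (2569, "httpd", "recv", "socket:5"),
    (2569, "httpd", "read", "index.html"),
    (2569, "httpd", "send", "socket:5"),
]
INITIAL = {900: {"BLUE"}, 2568: {"RED"}}      # colors assigned at service start

def color_trace(trace, initial):
    """Replay the trace, diffusing colors; return (colored lines, mixing alerts)."""
    proc = {pid: set(c) for pid, c in initial.items()}
    obj = defaultdict(set)                    # files and sockets start uncolored
    lines, alerts = [], []
    for pid, comm, call, target in trace:
        s1 = proc.setdefault(pid, set())      # mutated in place below
        if call in CREATE_PROC:
            proc[target] = set(s1)
        elif call in CREATE_OBJ:
            obj[target] = set(s1)
        elif call in READ_OBJ:
            s1 |= obj[target]
        elif call in WRITE_OBJ:
            obj[target] |= s1
        label = "+".join(sorted(s1)) or "NONE"
        line = f'{label}: {pid}["{comm}"]: {call}({target})'
        lines.append(line)
        if len(s1) > 1:                       # Capability 1: color mixing
            alerts.append(line)
    return lines, alerts

def partition(lines):
    """Capability 3: group log lines by each color they carry."""
    parts = defaultdict(list)
    for line in lines:
        for color in line.split(":", 1)[0].split("+"):
            parts[color].append(line)
    return dict(parts)
```

Running color_trace(TRACE, INITIAL) flags the httpd worker at the moment it reads index.html, and partition() lets an investigator pull only the BLUE-tainted entries to reconstruct how the file was altered.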

Slide 14: Work in Progress: Process Coloring for Client and Server Side Malware Investigation (Month 2-18)
- Server-side malware investigation
  - Consolidated server environment with independent server applications
  - "Clustered" information flows partitioned by server applications
  - Color mixing highly unlikely between applications
- Client-side malware investigation
  - Inter-dependent client applications (e.g., text editor → compiler; latex → dvips → ps2pdf)
  - More inter-application information flows
  - Legal color mixing exists

Color diffusion and logging implemented on Xen. A demo is on-line at: http://cairo.cs.purdue.edu/projects/pc/pc-demo.html

Slide 15: Work in Progress: Process Coloring for Client and Server Side Malware Investigation (Month 2-18)
- A motivating example of client-side process coloring
[Figure: timeline of the Quick Tax and FTP client processes, ending with a mixed color (Quick Tax + FTP)]

A number of client-side applications are being tested (e.g., Skype, Firefox).

Slide 16: Technology Transfer Plan
- Potential adopters
  - Computer forensics/malware investigators and researchers
  - System administrators
  - Anti-malware software companies
  - Open source communities (e.g., XenSource)
- Software release and documentation
- Presentations and demos to potential NIC adopters
- Presentations and demos to anti-malware software companies (Symantec, Microsoft, VMware)

Slide 17: Thank you!
For more information about the Process Coloring project: http://cairo.cs.purdue.edu/projects/pc or PC@cs.purdue.edu

