Presentation is loading. Please wait.

Presentation is loading. Please wait.

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science."— Presentation transcript:

1 Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University Xuxian Jiang Department of Computer Science North Carolina State University NICIAR PI Meeting, Washington, DC, September 24, 2008

2  One-sentence summary: Propagating and logging provenance information (“colors”) along OS-level information flows for malware detection and sensitive data protection Process Coloring (PC) Overview

3 httpd s80httpdrcinit s45named s30sendmail s55sshd s80httpd s30sendmail s45named s55sshd /bin/sh wget Rootkit Local files netcat /etc/shadow Confidential Info /etc/shadow Confidential Info Initial coloring Coloring diffusion Syscall Log Capability 3: Color-based log partition for contamination analysis Capability 3: Color-based log partition for contamination analysis PC Usage Scenario: Server-Side Malware Attack Capability 1: PC malware alert “No shell process should have the color of Apache” Capability 1: PC malware alert “No shell process should have the color of Apache” Capability 2: Color-based identification of malware break-in point Capability 2: Color-based identification of malware break-in point Demo at: http://friends.cs.purdue.edu/projects/pc/pc-demo.html

4 firefox notepad turbotax warcraft Web Browser Tax Editor Games Agobot Tax files PC Usage Scenario: Client-Side Malware Attack Agobot www.malicious.net PC malware alert “Web browser and tax colors should never mix” PC malware alert “Web browser and tax colors should never mix” Demo at: http://friends.cs.purdue.edu/projects/pc/files/sinkfile.avi

5 Heilmeier Question 1: What are you trying to do?  Tracking and logging OS-level information flows  Being extended to both OS and language levels (“PC+DDFA”)  Tainting processes and data with provenance information (“colors”) for  Detecting and investigating malware activities  Enforcing sensitive data protection policies  Using virtualization for stronger tamper-resistance

6 Heilmeier Question 2: How is it done now?  Information flow tracking at multiple levels  OS level  Only considering direct causality in each system call  No provenance (“color”) tainting and propagation  Language level  Only tracking information Flow within a program  No information flow tracking across programs  Instruction level  Difficult to understand attack semantics  Significant runtime performance overhead

7 Heilmeier Question 3: What’s new and why will it succeed?  What’s new?  Color-based malware alert and sensitive data protection  Supporting on-line detection and off-line forensics  One of the first to combine OS and language-level information flows  Why will it succeed?  Practical, deployable system based on classic theory  Running prototype showing effectiveness and practicality  Attracting external interests (SwRI, Lockheed Martin)

8 Heilmeier Question 4: If successful, what difference will it make?  A system-level framework for attack/violation detection, investigation and recovery  Specification and enforcement of color-based policies for malware alert and data protection  Ready for virtualization-based infrastructures (e.g. honeynets, enterprises and data centers)

9  Timeline Heilmeier Question 5: Your timeline, cost and success metrics? 6/200712/076/0812/08 - Basic PC prototype for server-side operation - PC prototype for client- side operation (“brown problem” solution) - Set up “living lab” VM for evaluation - PC prototype for client- side operation (“brown problem” solution) - Set up “living lab” VM for evaluation - Extensive evaluation - Design, prototyping and demonstration of “PC+DDFA” integration - Extensive evaluation - Design, prototyping and demonstration of “PC+DDFA” integration - Recovery and replay - PC across machines - Data lifetime analysis for data theft defense - Recovery and replay - PC across machines - Data lifetime analysis for data theft defense

10 Summary of Achievement (Since April)  Improved sink insulation implementation  Cleaned up log management and visualization  Set up “living lab” client VM for evaluation  Performed benchmark evaluation of PC  Started technology transfer activities  Completed preliminary design and prototype for “PC+DDFA”  Joint presentation in a moment

11 “Living Lab” VM: End User’s View

12 “Living Lab” VM: Administrator’s View

13 Evaluation Metrics – Efficiency

14 Evaluation with Malware (Agobot, PUD bot…)

15 APPROACH Track OS-level information flows Taint processes/data based on their influence between each other Record color(s) in log entries Integrate with intra-process DDFA PLAN / PROGRESS Model process color diffusion in real OS (done) Demonstrate PC prototype in a malware scenario  Includes both server (done) and client (done) side solutions Mitigate color saturation effect in malware alert  Profiling and visualization (done)  Reducing false positives caused by legitimate color mixing (done)  Proof-of-concept demo of “PC+DDFA” (Dec.08) Evaluate PC in “living lab” VMs (July.08 – Dec.08) Process Coloring (PC) For Malware Alert and Investigation - An OS-level Information Flow Preserving Approach LSSD NEW CAPABILITIES Color-based malware alert Color-based malware break-in point identification Color-based log partitioning APPLICATIONS System monitoring and malware (e.g. bots) detection Malware forensics Sensitive data protection

16 Thank you! For more information about the Process Coloring project: http://friends.cs.purdue.edu/projects/pc PC@cs.purdue.edu

Download ppt "Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science."

Similar presentations

© 2012 All rights reserved to Ceedo. Flexible Desktops. Dynamic Workplace. Ceedo for Call Center Call Center on a Stick Ceedo for Call Center Presentation.

© 2012 All rights reserved to Ceedo. Flexible Desktops. Dynamic Workplace. Ceedo for Call Center Call Center on a Stick Ceedo for Call Center Presentation.
Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.

Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.
Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.

Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.
A Technical Overview of Microsoft Forefront Client Security (FCS) Howard Chow Microsoft MVP.

A Technical Overview of Microsoft Forefront Client Security (FCS) Howard Chow Microsoft MVP.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
Protection Mechanisms for Application Service Hosting Platforms Xuxian Jiang, Dongyan Xu, Rudolf Eigenmann Department of Computer Sciences, Center for.

Protection Mechanisms for Application Service Hosting Platforms Xuxian Jiang, Dongyan Xu, Rudolf Eigenmann Department of Computer Sciences, Center for.
Trust, Privacy, and Security Moderator: Bharat Bhargava Purdue University.

Trust, Privacy, and Security Moderator: Bharat Bhargava Purdue University.
MS DB Proposal Scott Canaan B. Thomas Golisano College of Computing & Information Sciences.

MS DB Proposal Scott Canaan B. Thomas Golisano College of Computing & Information Sciences.
PNW Honeynet Overview. Agenda What is a Honeynet What is the PNW Honeynet Alliance Who is involved in the project Where to get more information.

PNW Honeynet Overview. Agenda What is a Honeynet What is the PNW Honeynet Alliance Who is involved in the project Where to get more information.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.

An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.
1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.

1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.
Enabling Internet Malware Investigation and Defense Using Virtualization Dongyan Xu Department of Computer Science and Center for Education and Research.

Enabling Internet Malware Investigation and Defense Using Virtualization Dongyan Xu Department of Computer Science and Center for Education and Research.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.
Private Cloud or Dedicated Hosts Mason Mabardy & Matt Maples.

Private Cloud or Dedicated Hosts Mason Mabardy & Matt Maples.
WebQuilt and Mobile Devices: A Web Usability Testing and Analysis Tool for the Mobile Internet Tara Matthews Seattle University April 5, 2001 Faculty Mentor:

WebQuilt and Mobile Devices: A Web Usability Testing and Analysis Tool for the Mobile Internet Tara Matthews Seattle University April 5, 2001 Faculty Mentor:
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Graduate Programs in Computer Science Design of cyber security awareness game utilizing a social media framework WA Labuschagne.

Graduate Programs in Computer Science Design of cyber security awareness game utilizing a social media framework WA Labuschagne.
1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.

1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. CheckPoint new security architecture and R70 highlights.

©2003–2008 Check Point Software Technologies Ltd. All rights reserved. CheckPoint new security architecture and R70 highlights.

Similar presentations

Ads by Google