Presentation is loading. Please wait.

Presentation is loading. Please wait.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science."— Presentation transcript:

1 Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University Xuxian Jiang Department of Information and Software Engineering George Mason University NICECAP Kickoff Meeting, Chantilly, VA

2 Motivation  Internet malware remains a top threat  Malware: virus, worms, rootkits, spyware, botware…

3 Malware Investigation Tasks  Raising timely alert to trigger a malware investigation  Identifying the break-in point of the malware  Reconstructing all contaminations by the malware Time External detection point Infection Break-in point trace-back Contamination reconstruction Break-in point Log Detection Existing log-based intrusion investigation tools (e.g., BackTracker, Taser) Log

4 Limitations of Existing Tools  Long “infection-to-detection” interval  Entire log needed for both trace-back and reconstruction  Questionable trustworthiness of log data Time External detection point Infection Break-in point trace-back Contamination reconstruction Break-in point Log Detection Existing log-based intrusion investigation tools Log

5 Our Approach - Process Coloring  Key idea: propagating malware break-in provenance information (“colors”) along OS-level information flows  Existing tools only consider direct causality relations without preserving and exploiting break-in provenance information Runtime alert triggered by log color anomalies Apache SendmailDNSMySQL Logger Guest OS Virtual Machine Monitor (VMM) Log Monitor Virtual Machine Attacker … Log

6 New Capabilities of Process Coloring  Color-based runtime alert (vs. external detection point)  Color-based break-in point identification (vs. back-tracking)  Color-based log partitioning (vs. entire log) for reconstruction Time Infection Break-in point Detection Contamination reconstruction

7 Evaluation Plan Front-endBack-end vGround Playground Collapsar Honeyfarm ObservationCapture  Success metrics:  Timeliness (shorter “infection- to-detection” interval)  Efficiency (smaller input size for contamination reconstruction)  Accuracy (correct, complete account of attack)  A virtualization-based malware experiment platform  A real-world virtualization-based cyberinfrastructure: nanoHUB http://www.nanohub.org Contact: PC@cs.purdue.edu

Download ppt "Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science."

Similar presentations

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
“Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George.

“Out-of-the-Box” Monitoring of VM-based High-Interaction Honeypots Xuxian Jiang, Xinyuan Wang Department of Information and Software Engineering George.
Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.

Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.
Secure and Trustworthy Cyberspace (SaTC) Program Sam Weber Program Director March 2012.

Secure and Trustworthy Cyberspace (SaTC) Program Sam Weber Program Director March 2012.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.
Protection Mechanisms for Application Service Hosting Platforms Xuxian Jiang, Dongyan Xu, Rudolf Eigenmann Department of Computer Sciences, Center for.

Protection Mechanisms for Application Service Hosting Platforms Xuxian Jiang, Dongyan Xu, Rudolf Eigenmann Department of Computer Sciences, Center for.
Purdue University Pag. 1 CS 397 Dongyan Xu Department of Computer Science and CERIAS Purdue University Office:

Purdue University Pag. 1 CS 397 Dongyan Xu Department of Computer Science and CERIAS Purdue University Office:
Enabling Worm and Malware Investigation Using Virtualization (Demo and poster this afternoon) Dongyan Xu, Xuxian Jiang CERIAS and Department of Computer.

Enabling Worm and Malware Investigation Using Virtualization (Demo and poster this afternoon) Dongyan Xu, Xuxian Jiang CERIAS and Department of Computer.
Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science.

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science.
Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan.

Backtracking Intrusions Sam King Peter Chen CoVirt Project, University of Michigan.
電腦攻擊與防禦 The Attack and Defense of Computers CEA036許富皓.

電腦攻擊與防禦 The Attack and Defense of Computers CEA036許富皓.
VIOLIN: A Network Virtualization Middleware for Virtual Networked Computing Dongyan Xu Lab FRIENDS (For Research In Emerging Network and Distributed Services)

VIOLIN: A Network Virtualization Middleware for Virtual Networked Computing Dongyan Xu Lab FRIENDS (For Research In Emerging Network and Distributed Services)
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.

An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.
Enabling Internet Malware Investigation and Defense Using Virtualization Dongyan Xu Department of Computer Science and Center for Education and Research.

Enabling Internet Malware Investigation and Defense Using Virtualization Dongyan Xu Department of Computer Science and Center for Education and Research.
電腦攻擊與防禦 The Attack and Defense of Computers CE6107許富皓.

電腦攻擊與防禦 The Attack and Defense of Computers CE6107許富皓.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
電腦攻擊與防禦 The Attack and Defense of Computers CE6107許富皓.

電腦攻擊與防禦 The Attack and Defense of Computers CE6107許富皓.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.
Malware  Viruses  E-mail Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Similar presentations

Ads by Google