Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu (Presenter) Department of Computer Science.

Presentation transcript:

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation
Eugene Spafford, Dongyan Xu (Presenter), Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Xuxian Jiang, Department of Information and Software Engineering, George Mason University
NICECAP Kickoff Meeting, Chantilly, VA

Motivation
 Internet malware remains a top threat
 Malware: virus, worms, rootkits, spyware, botware…

Malware Investigation Tasks
 Raising a timely alert to trigger a malware investigation
 Identifying the break-in point of the malware
 Reconstructing all contaminations by the malware
[Figure: timeline running from infection, through the break-in point, to an external detection point; break-in point trace-back and contamination reconstruction both work backward from the detection point over the log, as in existing log-based intrusion investigation tools (e.g., BackTracker, Taser)]

Limitations of Existing Tools
 Long “infection-to-detection” interval
 Entire log needed for both trace-back and reconstruction
 Questionable trustworthiness of log data
[Figure: the same infection / break-in point / external detection point timeline as the previous slide, showing existing log-based intrusion investigation tools consuming the whole log]

Our Approach - Process Coloring
 Key idea: propagating malware break-in provenance information (“colors”) along OS-level information flows
 Existing tools only consider direct causality relations without preserving and exploiting break-in provenance information
[Figure: a virtual machine whose guest OS runs Apache, Sendmail, DNS and MySQL plus a logger; the virtual machine monitor (VMM) underneath hosts a log monitor that raises a runtime alert triggered by log color anomalies; an attacker reaches the services from outside the VM]

New Capabilities of Process Coloring
 Color-based runtime alert (vs. external detection point)
 Color-based break-in point identification (vs. back-tracking)
 Color-based log partitioning (vs. entire log) for reconstruction
[Figure: timeline in which infection, break-in point, detection and contamination reconstruction now sit close together]
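To make the two previous slides concrete, here is an added toy simulation of process coloring over a constructed OS-level event log. It is not the authors' implementation, and it models only the log-replay side (not VMM-based monitoring). The service-to-color assignment follows the services named in the slide (Apache, Sendmail, DNS, MySQL); the event format, the path baseline used to define a "color anomaly", and every function name are assumptions made for this example. Colors propagate on fork (child inherits the parent's colors), on write (the file gains the writer's colors) and on read (the reader gains the file's colors). An alert is raised when a colored process writes a path its color is not expected to touch; the alert's colors name the break-in service directly, and the log is then partitioned to just the events carrying those colors.

```python
"""Added example: toy process-coloring replay over a constructed event log.
Not the authors' code; names, log format and the anomaly rule are assumptions."""
from collections import defaultdict

# Constructed: each network-facing service process gets its own color.
SERVICE_COLORS = {100: "apache", 101: "sendmail", 102: "dns", 103: "mysql"}

# Constructed baseline (assumption): which colors may write which path prefixes.
# A write whose subject carries a color not listed for the path is a color anomaly.
EXPECTED_WRITERS = {
    "/var/www/": {"apache"},
    "/var/spool/mail/": {"sendmail", "apache"},   # web-form mail is expected
    "/var/lib/mysql/": {"mysql"},
    "/tmp/": {"apache", "sendmail", "dns", "mysql"},
}

# Constructed log: (seq, pid, op, target). fork -> child pid; read/write -> path.
EVENT_LOG = [
    (1, 100, "write", "/var/www/index.html"),
    (2, 103, "write", "/var/lib/mysql/ib_logfile0"),
    (3, 100, "fork", 200),                      # apache worker spawned
    (4, 200, "write", "/tmp/upload"),           # worker drops a file
    (5, 101, "read", "/tmp/upload"),            # sendmail reads it: inherits "apache"
    (6, 101, "write", "/var/spool/mail/root"),
    (7, 200, "fork", 201),
    (8, 201, "write", "/etc/ld.so.preload"),    # apache-colored write to a system path
    (9, 102, "write", "/tmp/dns.cache"),
]


def expected_for(path):
    """Longest-prefix lookup in the baseline; an unlisted path expects no color."""
    best = ""
    for prefix in EXPECTED_WRITERS:
        if path.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return EXPECTED_WRITERS.get(best, set())


def replay(log):
    """Propagate colors along the log; return (annotated events, alerts).

    annotated: list of (event, frozenset of the subject's colors after the event)
    alerts:    list of (seq, pid, path, frozenset of anomalous colors)
    """
    proc = defaultdict(set)          # pid  -> colors carried by the process
    obj = defaultdict(set)           # path -> colors carried by the file
    for pid, color in SERVICE_COLORS.items():
        proc[pid].add(color)
    annotated, alerts = [], []
    for seq, pid, op, target in log:
        if op == "fork":
            proc[target] = set(proc[pid])            # child inherits colors
        elif op == "write":
            obj[target] |= proc[pid]                 # file gains writer's colors
            bad = proc[pid] - expected_for(target)
            if bad:                                  # color-based runtime alert
                alerts.append((seq, pid, target, frozenset(bad)))
        elif op == "read":
            proc[pid] |= obj[target]                 # reader gains file's colors
        annotated.append(((seq, pid, op, target), frozenset(proc[pid])))
    return annotated, alerts


def break_in_point(colors):
    """Map alert colors straight back to the service(s) they originate from."""
    return {(pid, c) for pid, c in SERVICE_COLORS.items() if c in colors}


def partition_log(annotated, colors):
    """Keep only events whose subject carried at least one of the given colors."""
    return [ev for ev, carried in annotated if carried & set(colors)]


if __name__ == "__main__":
    annotated, alerts = replay(EVENT_LOG)
    for seq, pid, path, colors in alerts:
        print(f"alert at event {seq}: pid {pid} wrote {path} with colors {set(colors)}")
        print("break-in point:", break_in_point(colors))
        part = partition_log(annotated, colors)
        print(f"partitioned log: {len(part)} of {len(EVENT_LOG)} events")
```

The alert fires at event 8, the only write whose subject color is not expected for the path; its color set identifies the Apache service as the break-in point without any backward search, and the partition hands reconstruction 7 of the 9 events (the MySQL and DNS activity is excluded because it never carried the "apache" color). Note that the read at event 5 pulled the "apache" color into Sendmail, so Sendmail's later write is part of the partition: provenance follows the information flow, not just the process tree.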

Evaluation Plan
 Success metrics:
  Timeliness (shorter “infection-to-detection” interval)
  Efficiency (smaller input size for contamination reconstruction)
  Accuracy (correct, complete account of attack)
 A virtualization-based malware experiment platform
 A real-world virtualization-based cyberinfrastructure: nanoHUB
[Figure: front-end vGround Playground and back-end Collapsar Honeyfarm, with observation on one side and capture on the other]
Contact: