Attribution of Malicious Behavior

  • Jonathon Giffin
  • Abhinav Srivastava
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6503)

Abstract

Internet-connected computer systems face ongoing software attacks. Existing defensive solutions, such as intrusion detection systems, rely on the ability to identify malicious software (malware) in order to prevent its installation. This approach remains imperfect, resulting in widespread, persistent malware infections, malicious execution, and transmission of undesirable Internet traffic. Over the past several years, we have begun to develop solutions that help computer systems automatically recover from unknown malicious software infections by identifying and disabling the software. Our work departs from previous malware analysis because it employs strict post-infection analysis matching real-world environments: it assumes that security monitoring does not exist during the critical malware installation time and identifies potentially malicious software infecting a system given only observations of the infected system’s execution. This paper reports on our progress attributing undesirable network behavior to malicious code and highlights upcoming research challenges we expect to face as we begin to automatically excise that code from infected systems.

Keywords

Virtual machine, intrusion detection system, malicious code, malicious behavior, malicious software

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Jonathon Giffin (1)
  • Abhinav Srivastava (1)
  1. School of Computer Science, Georgia Institute of Technology, Atlanta, United States