Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science.

Presentation transcript:

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu, Ryan Riley Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University Xuxian Jiang Department of Computer Science North Carolina State University NICIAR PI Meeting, Washington, DC, September 24, 2008

Process Coloring (PC) Overview
- One-sentence summary: Propagating and logging provenance information ("colors") along OS-level information flows for malware detection and sensitive data protection

PC Usage Scenario: Server-Side Malware Attack
[Figure: rcinit starts s30sendmail, s45named, s55sshd and s80httpd (initial coloring); coloring diffusion among httpd, /bin/sh, wget, Rootkit, Local files, netcat and /etc/shadow (Confidential Info); Syscall Log]
- Capability 1: PC malware alert ("No shell process should have the color of Apache")
- Capability 2: Color-based identification of malware break-in point
- Capability 3: Color-based log partition for contamination analysis
Demo at:

PC Usage Scenario: Client-Side Malware Attack
[Figure: Web Browser (firefox), Editor (notepad), Tax (turbotax), Games (warcraft); Agobot; Tax files]
- PC malware alert: "Web browser and tax colors should never mix"
Demo at:
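As an added example (not code from the slides or from the Process Coloring project), the following toy Python simulation replays a constructed syscall trace, diffuses colors along fork/exec/read/write as the two scenarios above describe, checks the two color-based policies quoted on the slides, and partitions the colored log by color for contamination analysis. The pids, program names, file paths, initial color assignments and rule names are all constructed for illustration.

```python
from collections import defaultdict
# Constructed toy syscall traces, not real captures: (pid, syscall, arg); pid 1 is the rc/init process.
SERVER_TRACE = [
    (1, "fork", 100), (100, "exec", "httpd"), (1, "fork", 200), (200, "exec", "sshd"),
    (100, "fork", 101), (101, "exec", "/bin/sh"),           # httpd spawns a shell
    (101, "fork", 102), (102, "exec", "wget"), (102, "write", "/tmp/payload"),
    (101, "read", "/etc/shadow"), (200, "read", "/etc/motd"),
]
CLIENT_TRACE = [
    (1, "fork", 300), (300, "exec", "firefox"), (1, "fork", 400), (400, "exec", "turbotax"),
    (300, "write", "/home/u/dl/update.exe"),               # browser drops a file
    (400, "read", "/home/u/dl/update.exe"),                # tax app reads it: colors mix
]
INITIAL_COLORS = {"httpd": "apache", "sshd": "ssh", "firefox": "browser", "turbotax": "tax"}
# Color-based policies from the slides, as predicates over (program, colors).
RULES = {
    "shell with apache color": lambda exe, c: exe == "/bin/sh" and "apache" in c,
    "web and tax colors mix": lambda exe, c: {"browser", "tax"} <= c,
}

class ProcessColoring:
    def __init__(self, initial_colors):
        self.initial = initial_colors  # program name -> color it receives when exec'd
        self.proc = defaultdict(set)   # pid -> colors carried by the process
        self.files = defaultdict(set)  # path -> colors diffused into the file
        self.exe = {}                  # pid -> program name (set on exec)
        self.log = []                  # colored syscall log: (colors, pid, call, arg)

    def run(self, trace, rules):
        alerts = {}                    # (rule, pid) -> first syscall that violated it
        for pid, call, arg in trace:
            if call == "fork":                       # child inherits parent's colors
                self.proc[arg] |= self.proc[pid]
            elif call == "exec":
                self.exe[pid] = arg
                if arg in self.initial:              # initial coloring of a service
                    self.proc[pid].add(self.initial[arg])
            elif call == "write":                    # process colors taint the file
                self.files[arg] |= self.proc[pid]
            elif call == "read":                     # file colors taint the process
                self.proc[pid] |= self.files[arg]
            colors = frozenset(self.proc[pid])
            self.log.append((colors, pid, call, arg))
            for name, rule in rules.items():
                if rule(self.exe.get(pid), colors):
                    alerts.setdefault((name, pid), (call, arg))
        return alerts

    def partition(self, color):  # color-based log partition: entries contaminated by color
        return [entry for entry in self.log if color in entry[0]]
```

Running `ProcessColoring(INITIAL_COLORS).run(SERVER_TRACE, RULES)` flags the shell exec'd under httpd's color, and `partition("apache")` returns only the entries the Apache color reached, leaving the sshd entries out.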

Heilmeier Question 1: What are you trying to do?
- Tracking and logging OS-level information flows
  - Being extended to both OS and language levels ("PC+DDFA")
- Tainting processes and data with provenance information ("colors") for
  - Detecting and investigating malware activities
  - Enforcing sensitive data protection policies
- Using virtualization for stronger tamper-resistance

Heilmeier Question 2: How is it done now?
- Information flow tracking at multiple levels
  - OS level
    - Only considering direct causality in each system call
    - No provenance ("color") tainting and propagation
  - Language level
    - Only tracking information flow within a program
    - No information flow tracking across programs
  - Instruction level
    - Difficult to understand attack semantics
    - Significant runtime performance overhead

Heilmeier Question 3: What's new and why will it succeed?
- What's new?
  - Color-based malware alert and sensitive data protection
  - Supporting on-line detection and off-line forensics
  - One of the first to combine OS- and language-level information flows
- Why will it succeed?
  - Practical, deployable system based on classic theory
  - Running prototype showing effectiveness and practicality
  - Attracting external interest (SwRI, Lockheed Martin)

Heilmeier Question 4: If successful, what difference will it make?
- A system-level framework for attack/violation detection, investigation and recovery
- Specification and enforcement of color-based policies for malware alert and data protection
- Ready for virtualization-based infrastructures (e.g. honeynets, enterprises and data centers)

Heilmeier Question 5: Your timeline, cost and success metrics?
Timeline (6/2007, 12/07, 6/08, 12/08), milestones in order:
- Basic PC prototype for server-side operation
- PC prototype for client-side operation ("brown problem" solution); set up "living lab" VM for evaluation
- Extensive evaluation; design, prototyping and demonstration of "PC+DDFA" integration
- Recovery and replay; PC across machines; data lifetime analysis for data theft defense

Summary of Achievement (Since April)
- Improved sink insulation implementation
- Cleaned up log management and visualization
- Set up "living lab" client VM for evaluation
- Performed benchmark evaluation of PC
- Started technology transfer activities
- Completed preliminary design and prototype for "PC+DDFA"
  - Joint presentation in a moment

“Living Lab” VM: End User’s View

“Living Lab” VM: Administrator’s View

Evaluation Metrics – Efficiency

Evaluation with Malware (Agobot, PUD bot…)

Process Coloring (PC) For Malware Alert and Investigation - An OS-level Information Flow Preserving Approach
LSSD
APPROACH
- Track OS-level information flows
- Taint processes/data based on their influence on each other
- Record color(s) in log entries
- Integrate with intra-process DDFA
PLAN / PROGRESS
- Model process color diffusion in real OS (done)
- Demonstrate PC prototype in a malware scenario
  - Includes both server (done) and client (done) side solutions
- Mitigate color saturation effect in malware alert
  - Profiling and visualization (done)
  - Reducing false positives caused by legitimate color mixing (done)
- Proof-of-concept demo of "PC+DDFA" (Dec. 08)
- Evaluate PC in "living lab" VMs (July 08 – Dec. 08)
NEW CAPABILITIES
- Color-based malware alert
- Color-based malware break-in point identification
- Color-based log partitioning
APPLICATIONS
- System monitoring and malware (e.g. bots) detection
- Malware forensics
- Sensitive data protection

Thank you! For more information about the Process Coloring project: