Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.

Presentation transcript:

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation
Eugene Spafford, Dongyan Xu, Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Xuxian Jiang (Presenter), Department of Information and Software Engineering, George Mason University
NICIAR Site Visit, West Lafayette, IN, July 19, 2007

About myself
- Ph.D. student at Purdue, 08/2001–08/2006
- Ph.D. advisor: Prof. Dongyan Xu
- Thesis topic: virtualization-based malware investigation and defense
- Assistant Professor at GMU, 08/2006–present
- Research focus: stealthy malware detection and defense, especially rootkits and botnets

Outline
- Process Coloring project at GMU
  - GMU subcontract
  - Evaluation facility
  - Progress status
- Other related projects
  - Transparent and reliable VM monitoring (OBSERV)

Process Coloring project
- Task I: Color Diffusion Model (Month 1 ~ 6)
- Task II: Process Coloring Prototype (Month 2 ~ 18)
  - Task II.1: Xen-based log coloring and collection
  - Task II.2: Coloring-based tools for server-side malware investigation
  - Task II.3: Coloring-based tools for client-side malware investigation
- Task III: Color Mixing Handling (Month 7 ~ 18)
  - Task III.1: Legitimate color diffusion identification
  - Task III.2: Information flow insulation
  - Task III.3: Information flow border control
(Figure on slide: effort percentages 10%, 25%, 20%, 15%, 25%, labelled GMU)
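As an added illustration (not code from the Process Coloring project), the Python below sketches the color diffusion model that Tasks I and III refer to: each remote-accessible service gets a color, the color follows information flow into child processes and files, the resulting log can be filtered by the color of a compromised service, and processes that pick up a second color are flagged as color mixing for Task III's legitimacy check. The diffusion rules, the log format and the log entries are assumptions constructed for this example.

```python
# Added example: toy simulation of color diffusion over a syscall-level log.
# The rules (fork/exec inherit, write taints a file, read mixes the file's
# colors into the reader) are assumptions, not the project's actual model.
from collections import defaultdict

# Constructed log, oldest first: (pid, operation, target)
LOG = [
    (100, "start", "httpd"),           # remote-accessible service
    (101, "start", "sshd"),
    (100, "fork", 200),                # httpd worker
    (200, "write", "/tmp/.x"),         # worker drops a file
    (200, "exec", "/tmp/.x"),
    (200, "fork", 300),
    (300, "connect", "10.0.0.5:6667"), # constructed address
    (101, "fork", 201),                # sshd session
    (201, "read", "/etc/passwd"),
    (201, "read", "/tmp/.x"),          # sshd child touches the dropped file
]

SERVICE_COLORS = {"httpd": "red", "sshd": "blue"}  # assumed color assignment

def color_log(log, service_colors):
    """Return (colored_log, proc_colors, file_colors).
    Each colored_log entry is (colors_of_pid_after_op, pid, op, target)."""
    proc, files, out = defaultdict(set), defaultdict(set), []
    for pid, op, target in log:
        if op == "start":              # a service gets its own color
            proc[pid].add(service_colors[target])
        elif op == "fork":             # child inherits parent's colors
            proc[target] |= proc[pid]
        elif op == "write":            # file takes the writer's colors
            files[target] |= proc[pid]
        elif op in ("read", "exec"):   # reader mixes in the file's colors
            proc[pid] |= files[target]
        out.append((frozenset(proc[pid]), pid, op, target))
    return out, dict(proc), dict(files)

def entries_with_color(colored_log, color):
    """Investigator's view: only log lines carrying the given color."""
    return [e for e in colored_log if color in e[0]]

def mixed_processes(proc_colors):
    """Processes that carry more than one color (Task III candidates)."""
    return {pid for pid, c in proc_colors.items() if len(c) > 1}

if __name__ == "__main__":
    colored, procs, _ = color_log(LOG, SERVICE_COLORS)
    for colors, pid, op, target in entries_with_color(colored, "red"):
        print(sorted(colors), pid, op, target)
    print("color mixing in:", mixed_processes(procs))
```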

Process Coloring project -- Evaluation Facility
[Diagram: front-end Collapsar Honeyfarm (malware trap, capture) feeding back-end vGround Playground (malware playground, investigation)]
- An integrated malware research framework
- Collapsar: Security'04, NDSS'06, JPDC'06
- vGround: RAID'05, RAID'07

Existing Approach: Honeypot
[Diagram: honeypots deployed in Domain A, Domain B and Domain C, each facing the Internet]
- Two weaknesses
  - Manageability vs. detection coverage
  - Security risks: on-site attack occurrences

Collapsar Honeyfarm
[Diagram: redirectors in Domain A, Domain B and Domain C forward traffic to the Collapsar Center (front-end, VM-based honeypots, management station, correlation engine)]
- Benefit 1: Centralized management of honeypots w/ distributed (virtual) presence
- Benefit 2: Off-site attack occurrences
- Benefit 3: New possibilities for real-time attack correlation and log mining

Collapsar as a Server-side Honeyfarm
[Diagram: redirectors in Domain A, B and C, front-end, Collapsar Center with VM-based honeypots]
- Passive honeypots w/ vulnerable server-side software
  - Web servers (e.g., Apache, IIS, …)
  - Database servers (e.g., Oracle, MySQL, …)
- Worms captured: Blaster (2003), Sasser (2004), Zotob (2005)

Collapsar as a Client-side Honeyfarm
[Diagram: VM-based honeypots behind the Collapsar Center front-end, redirected through Domain A, B and C, visiting a malicious web server]
- Active honeypots w/ vulnerable client-side software
  - Web browsers (e.g., IE, Firefox, …)
  - E-mail clients (e.g., Outlook, …)
- Results [HoneyMonkey, NDSS'06]: PlanetLab (310 sites); 752 malicious URLs / 288 malicious sites / 2 zero-day exploits

Topology Graph of Malicious URLs
- URL-level topology graph for WinXP SP1, unpatched: 688 URLs from 270 sites
[Graph legend: site nodes and URLs; content provider vs. exploit provider; redirecting URL vs. exploiting URL]

Process Coloring project -- Evaluation Facility
[Diagram: front-end Collapsar Honeyfarm (malware trap, capture) feeding back-end vGround Playground (malware playground, investigation)]
- An integrated malware research framework
- Collapsar: Security'04, NDSS'06, JPDC'06
- vGround: RAID'05, RAID'07

vGround: A Virtualization-Based Malware Playground
[Diagram: virtualized playground hosted on lafayette.ise.gmu.edu]
- High fidelity: VM, full-system virtualization
- Strict confinement: VN, layer-2 network virtualization
- Easy deployment: locally deployable
- Efficient experiments
  - Image generation time: 60 seconds
  - Boot-strap time: 90 seconds
  - Tear-down time: 10 seconds
Virtualization: in "Fighting Computer Virus Attacks", Peter Szor, USENIX Security Symp., 2004

Recent Progress
[Timeline on slide, marker: "We are here"]
- Identifying color diffusion operations in Linux OS
- Starting to implement log coloring and collection on Xen VMM
- Setting up the GMU subcontract

Outline
- Process Coloring project at GMU
  - GMU subcontract
  - Evaluation facility
  - Progress status
- Other related projects
  - Transparent and reliable VM monitoring (OBSERV)

Why OBSERV?
- Virtualization introduces strong mutual isolation between processes "in the box" and "out of the box"
- OBSERV: Out-of-Box with SEmantically Reconstructed View
- Functions as a one-way mirror

OBSERV Application I: Reliable VM Monitoring
[Screenshots: "In the box" view vs. OBSERV view]

OBSERV Application II: Cross-View Malware Detection
[Screenshots: "In the box" view vs. OBSERV view; labels on slide: YYC Backdoor, Hack Defender]

OBSERV Application III: Detection & Prevention of Kernel Rootkits
[Screenshots: "In the box" view vs. OBSERV view; rootkits shown: Adore, Adore_ng, Suckit]

Summary
[Diagram: redirectors in Domain A, B and C, front-end, Collapsar, vGround I and vGround II, Process Coloring]
- Collapsar + vGround: unique virtualization-based malware research platform
- Process Coloring: unique approach for malware investigation and defense

Thank you! For more information about the Process Coloring project: