Slide 1: Process Coloring: an Information Flow-Preserving Approach to Malware Investigation
Eugene Spafford, Dongyan Xu (Presenter), Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Xuxian Jiang, Department of Information and Software Engineering, George Mason University
NICECAP Kickoff Meeting, Chantilly, VA
Slide 2: Motivation
- Internet malware remains a top threat
- Malware: virus, worms, rootkits, spyware, botware…
Slide 3: Malware Investigation Tasks
- Raising a timely alert to trigger a malware investigation
- Identifying the break-in point of the malware
- Reconstructing all contaminations by the malware
[Figure: timeline from infection (break-in point) to an external detection point; break-in point trace-back and contamination reconstruction are both driven from the log. Existing log-based intrusion investigation tools (e.g., BackTracker, Taser).]
Slide 4: Limitations of Existing Tools
- Long “infection-to-detection” interval
- Entire log needed for both trace-back and reconstruction
- Questionable trustworthiness of log data
[Figure: same timeline as slide 3: infection, break-in point, external detection point; break-in point trace-back and contamination reconstruction over the log, as done by existing log-based intrusion investigation tools.]
Slide 5: Our Approach - Process Coloring
- Key idea: propagating malware break-in provenance information (“colors”) along OS-level information flows
- Existing tools only consider direct causality relations without preserving and exploiting break-in provenance information
- Runtime alert triggered by log color anomalies
[Figure: architecture: a virtual machine running a guest OS with Apache, Sendmail, DNS, MySQL and a Logger on top of a Virtual Machine Monitor (VMM); the log is forwarded to a separate Log Monitor virtual machine; an attacker targets the services.]
Slide 6: New Capabilities of Process Coloring
- Color-based runtime alert (vs. external detection point)
- Color-based break-in point identification (vs. back-tracking)
- Color-based log partitioning (vs. entire log) for reconstruction
[Figure: timeline: infection, break-in point, detection, contamination reconstruction.]
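The mechanism of slides 5 and 6, as an added illustration that is not part of the presentation: each network-facing service is seeded with its own color, colors flow along OS-level events (process spawn, file write, file read), a log entry written by a process carrying a color the log's owner service does not have raises the runtime alert and names the break-in service, and the color alone selects the slice of the trace needed for contamination reconstruction. The event trace, the seed colors and the log policy are constructed sample data.

```python
from collections import defaultdict

# Constructed seed colors: one distinct color per network-facing service.
SEED_COLORS = {"apache": {"apache"}, "sendmail": {"sendmail"}, "mysqld": {"mysqld"}}

# Constructed policy: which colors may legitimately write each log file.
LOG_POLICY = {"/var/log/maillog": {"sendmail"},
              "/var/log/httpd/access_log": {"apache"}}

# Constructed OS-level event trace, in time order: (subject, operation, object).
EVENTS = [
    ("apache", "write", "/var/log/httpd/access_log"),
    ("sendmail", "write", "/var/log/maillog"),
    ("apache", "spawn", "sh-1"),                # web server spawns a shell
    ("sh-1", "write", "/tmp/payload"),
    ("sh-1", "spawn", "payload"),
    ("payload", "write", "/etc/passwd"),
    ("payload", "write", "/var/log/maillog"),   # log entry with the wrong color
    ("mysqld", "read", "/etc/passwd"),          # contaminated through the file
]

def color_trace(events, seeds, policy):
    """Propagate colors along the trace; return colors, colored events, alerts."""
    colors = defaultdict(set)
    for proc, c in seeds.items():
        colors[proc] = set(c)
    colored, alerts = [], []
    for i, (subj, op, obj) in enumerate(events):
        if op in ("spawn", "write"):      # subject's colors flow into the object
            colors[obj] |= colors[subj]
        elif op == "read":                # object's colors flow into the subject
            colors[subj] |= colors[obj]
        colored.append((i, subj, op, obj, frozenset(colors[subj])))
        if op == "write" and obj in policy:
            unexpected = colors[subj] - policy[obj]
            if unexpected:                # log color anomaly: the color is the break-in point
                alerts.append((i, obj, sorted(unexpected)))
    return colors, colored, alerts

def partition_log(colored, color):
    """Keep only events whose subject carried the given color (reconstruction input)."""
    return [e for e in colored if color in e[4]]

if __name__ == "__main__":
    colors, colored, alerts = color_trace(EVENTS, SEED_COLORS, LOG_POLICY)
    print("alerts:", alerts)
    print("events to reconstruct:", [e[0] for e in partition_log(colored, "apache")])
```

The alert fires at the anomalous maillog write and names apache as the break-in service; the apache-colored partition excludes the legitimate sendmail activity while still catching mysqld, which was contaminated through a file rather than by a direct process relation.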
Slide 7: Evaluation Plan
[Figure: front-end and back-end of the evaluation pipeline: vGround Playground and Collapsar Honeyfarm (observation, capture).]
Success metrics:
- Timeliness (shorter “infection-to-detection” interval)
- Efficiency (smaller input size for contamination reconstruction)
- Accuracy (correct, complete account of attack)
Evaluation platforms:
- A virtualization-based malware experiment platform
- A real-world virtualization-based cyberinfrastructure: nanoHUB http://www.nanohub.org
Contact: PC@cs.purdue.edu