
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.


1 Process Coloring: an Information Flow-Preserving Approach to Malware Investigation
   Eugene Spafford, Dongyan Xu, Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
   Xuxian Jiang (Presenter), Department of Information and Software Engineering, George Mason University
   NICIAR Site Visit, West Lafayette, IN, July 19, 2007

2 About myself
    Ph.D. Student at Purdue, 08/2001–08/2006
      Ph.D. Advisor: Prof. Dongyan Xu
      Thesis topic: Virtualization-based malware investigation and defense
    Assistant Professor at GMU, 08/2006–present
      Research focus: Stealthy malware detection and defense, especially rootkits and botnets

3 Outline
    Process Coloring project at GMU
      GMU Subcontract
      Evaluation Facility
      Progress Status
    Other related projects
      Transparent and Reliable VM Monitoring (OBSERV)

4 Process Coloring project
    Task I: Color Diffusion Model (Month 1 ~ 6)
    Task II: Process Coloring Prototype (Month 2 ~ 18)
      Task II.1: Xen-based log coloring and collection
      Task II.2: Coloring-based tools for server-side malware investigation
      Task II.3: Coloring-based tools for client-side malware investigation
    Task III: Color Mixing Handling (Month 7 ~ 18)
      Task III.1: Legitimate color diffusion identification
      Task III.2: Information flow insulation
      Task III.3: Information flow border control
   [Chart residue: 10% 25% 20% 15% 25% GMU]

5 Process Coloring project -- Evaluation Facility
   [Figure: An Integrated Malware Research Framework. Front-end (Capture): Malware Trap, Collapsar Honeyfarm. Back-end (Investigation): Malware Playground, vGround Playground]
    Collapsar: Security’04, NDSS’06, JPDC’06
    vGround: RAID’05, RAID’07

6 Existing Approach: Honeypot
   [Figure: honeypots deployed separately in Domain A, Domain B and Domain C, each exposed to the Internet]
    Two Weaknesses
      Manageability vs. Detection Coverage
      Security Risks: On-Site Attack Occurrences

7 Collapsar Honeyfarm
   [Figure: Domain A, Domain B and Domain C each run a Front-End Redirector; traffic is redirected to the Collapsar Center, which hosts the VM-based Honeypots, a Management Station and a Correlation Engine]
    Benefit 1: Centralized management of honeypots w/ distributed (virtual) presence
    Benefit 2: Off-site attack occurrences
    Benefit 3: New possibilities for real-time attack correlation and log mining

8 Collapsar as a Server-side Honeyfarm
   [Figure: Domain A/B/C Front-End Redirectors feeding VM-based Honeypots in the Collapsar Center]
    Passive honeypots w/ vulnerable server-side software
      Web servers (e.g., Apache, IIS, …)
      Database servers (e.g., Oracle, MySQL, …)
    Blaster (2003), Sasser (2004), Zotob (2005)

9 Collapsar as a Client-side Honeyfarm
   [Figure: Domain A/B/C Front-End Redirectors and Collapsar Center; VM-based Honeypots contacting a Malicious Web Server]
    Active honeypots w/ vulnerable client-side software
      Web browsers (e.g., IE, Firefox, …)
      Email clients (e.g., Outlook, …)
    [HoneyMonkey, NDSS’06]: PlanetLab (310 sites); 752 malicious URLs / 288 malicious sites / 2 zero-day exploits

10 URL-level Topology Graph for WinXP SP1
    Un-patched: 688 URLs from 270 sites
   [Figure: Topology Graph of Malicious URLs. Node types: site nodes, URLs. Roles: Content Provider, Exploit Provider. URL types: Redirecting URL, Exploiting URL]

11 Process Coloring project -- Evaluation Facility
   [Figure: An Integrated Malware Research Framework. Front-end (Capture): Malware Trap, Collapsar Honeyfarm. Back-end (Investigation): Malware Playground, vGround Playground]
    Collapsar: Security’04, NDSS’06, JPDC’06
    vGround: RAID’05, RAID’07

12 vGround: A Virtualization-Based Malware Playground (lafayette.ise.gmu.edu)
    High Fidelity: VM, full-system virtualization
    Strict Confinement: VN, layer-2 network virtualization
    Easy Deployment: locally deployable
    Efficient Experiments
      Image generation time: 60 seconds
      Boot-strap time: 90 seconds
      Tear-down time: 10 seconds
    Virtualization: see “Fighting Computer Virus Attacks”, Peter Szor, USENIX Security Symp., 2004

13 Recent Progress
    Identifying color diffusion operations in Linux OS
    Starting to implement log coloring and collection on Xen VMM
    Setting up the GMU subcontract
   [Timeline marker: “We are here”]
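To make the color-diffusion idea behind Task I, Task III and the progress above concrete, here is an added illustrative simulation in Python (not the Process Coloring project's code): each service is seeded with its own color, the diffusion operations fork/write/read carry colors between processes and files, and every log entry is tagged with the acting process's colors so an investigator can filter the log by color. The operation set, the process ids, the file paths and the colors are all constructed assumptions; the project's actual diffusion rules for the Linux kernel may differ.

```python
from dataclasses import dataclass, field

@dataclass
class ColoredSystem:
    """Simplified model (assumption): a process carries a set of colors."""
    procs: dict = field(default_factory=dict)  # pid -> set of colors
    files: dict = field(default_factory=dict)  # path -> set of colors
    log: list = field(default_factory=list)    # (colors, event) entries

    def seed(self, pid, color):
        # A remotely reachable service starts with its own unique color.
        self.procs[pid] = {color}
        self._log(pid, f"service {pid} seeded with {color}")

    def fork(self, parent, child):
        # Diffusion operation: a child inherits all of its parent's colors.
        self.procs[child] = set(self.procs[parent])
        self._log(child, f"fork {parent}->{child}")

    def write(self, pid, path):
        # Diffusion operation: the writer's colors flow into the file.
        self.files.setdefault(path, set()).update(self.procs[pid])
        self._log(pid, f"write {path}")

    def read(self, pid, path):
        # Diffusion operation: the file's colors flow into the reader.
        # A reader that already had colors now carries a mix (Task III).
        self.procs.setdefault(pid, set()).update(self.files.get(path, set()))
        self._log(pid, f"read {path}")

    def _log(self, pid, event):
        # Every log entry is tagged with the colors of the acting process.
        self.log.append((frozenset(self.procs[pid]), event))

    def events_for(self, color):
        # Investigation: keep only entries attributable to one service.
        return [e for colors, e in self.log if color in colors]

def scenario():
    # Constructed scenario: two colored services and one uncolored local process.
    s = ColoredSystem()
    s.seed(100, "RED")             # e.g. a web server
    s.seed(200, "BLUE")            # e.g. a database server
    s.fork(100, 101)               # web server spawns a child
    s.write(101, "/tmp/staged")    # child writes a file: the file becomes RED
    s.read(300, "/tmp/staged")     # local process reads it: now RED as well
    s.write(300, "/etc/changed")   # its later actions remain attributable to RED
    s.write(200, "/var/db/data")   # database activity stays BLUE only
    return s
```

Filtering `scenario().events_for("RED")` yields only the five entries that trace back to the web server, while the database server's two entries stay out of that view.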

14 Outline
    Process Coloring project at GMU
      GMU Subcontract
      Evaluation Facility
      Progress Status
    Other related projects
      Transparent and Reliable VM Monitoring (OBSERV)

15 Why OBSERV?
    Virtualization introduces strong mutual isolation between processes “in the box” and “out of the box”
    OBSERV: Out-of-Box with SEmantically Reconstructed View
    Functions as a One-Way Mirror

16 OBSERV Application I: Reliable VM Monitoring
   [Figure: side-by-side “In the box” View and OBSERV View]

17 OBSERV Application II: Cross-View Malware Detection
   [Figure: “In the box” View vs. OBSERV View for the YYC Backdoor and Hack Defender]

18 OBSERV Application III: Detection & Prevention of Kernel Rootkits
   [Figure: OBSERV View vs. “In the box” View for the Adore, Adore_ng and Suckit rootkits]

19 Summary
   [Figure: Domain A, Domain B and Domain C with Front-End Redirectors feeding Collapsar, vGround I, vGround II and Process Coloring]
    Collapsar + vGround: unique virtualization-based malware research platform
    Process Coloring: unique approach for malware investigation and defense

20 Thank you!
    For more information about the Process Coloring project: http://cairo.cs.purdue.edu/projects/PC, PC@cs.purdue.edu

