Abstract
Internet-connected computer systems face ongoing software attacks. Existing defensive solutions, such as intrusion detection systems, rely on the ability to identify malicious software (malware) in order to prevent its installation. This approach remains imperfect, resulting in widespread, persistent malware infections, malicious execution, and transmission of undesirable Internet traffic. Over the past several years, we have begun to develop solutions that help computer systems automatically recover from unknown malicious software infections by identifying and disabling the software. Our work departs from previous malware analysis because it employs strict post-infection analysis matching real-world environments: it assumes that security monitoring does not exist during the critical malware installation time and identifies potentially malicious software infecting a system given only observations of the infected system’s execution. This paper reports on our progress attributing undesirable network behavior to malicious code and highlights upcoming research challenges we expect to face as we begin to automatically excise that code from infected systems.
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Giffin, J., Srivastava, A. (2010). Attribution of Malicious Behavior. In: Jha, S., Mathuria, A. (eds) Information Systems Security. ICISS 2010. Lecture Notes in Computer Science, vol 6503. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17714-9_4
DOI: https://doi.org/10.1007/978-3-642-17714-9_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17713-2
Online ISBN: 978-3-642-17714-9