Artificial Malware Immunization Based on Dynamically Assigned Sense of Self

  • Conference paper
Information Security (ISC 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6531)

Abstract

Computer malware (e.g., botnets, rootkits, spyware) is one of the most serious threats to all computers and networks. Most malware carries out its malicious actions by hijacking the control flow of the infected system or program. It is therefore critically important to protect mission-critical systems from malicious control flows.

Inspired by self-nonself discrimination in the natural immune system, this research explores a new direction in building artificial malware immune systems. Most existing models of the self of a protected program or system are passive reflections of its existing being (e.g., its system call sequences). Instead of passively reflecting the existing being of the protected program, we actively assign it a unique mark. Such a dynamically assigned unique mark forms a dynamically assigned sense of self for the protected program or system, which lets us effectively and efficiently distinguish unmarked nonself (e.g., malware actions) from marked self with no false positives. Since our artificial malware immunization technique does not require any specific knowledge of the malware, it can be effective against new and previously unknown malware.
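The following C program is an added illustration of the mark-based self/nonself idea sketched in the abstract. It is not the authors' prototype and does not reproduce how their tool instruments a binary or where it keeps the mark; every name in it (immun_init, guarded_op, SELF_CALL, legitimate_path, hijacked_path) is invented for the example, and the gate guarded_op stands in for whatever sensitive operation (in practice, a system call) an immunized program must protect.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a dynamically assigned "sense of self" (illustration only,
 * not the paper's implementation).
 *
 * A fresh random mark is assigned to the process at start-up. Every
 * legitimate (instrumented) call site hands that mark to the gate that
 * guards a sensitive operation; any control flow that reaches the gate
 * without the mark is classified as nonself and refused. No signature
 * of any particular attack is needed, only knowledge of the mark.
 */

static uint64_t g_self_mark;      /* assumption: mark kept in process memory */
static int      g_initialized;
static int      g_nonself_events; /* unmarked calls refused so far */

typedef enum {
    GATE_OK = 0,             /* marked (self) call, operation performed */
    GATE_REJECT_NONSELF = 1, /* unmarked call, operation refused */
    GATE_UNINIT = 2          /* gate used before a mark was assigned */
} gate_result;

/* Assign a fresh mark from /dev/urandom. Returns 0 on success, -1 on failure. */
int immun_init(void)
{
    uint64_t m = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(&m, 1, sizeof m, f);
    fclose(f);
    if (n != sizeof m || m == 0)
        return -1;
    g_self_mark = m;
    g_initialized = 1;
    return 0;
}

/* Deterministic variant so the behaviour can be checked reproducibly. */
void immun_init_with_mark(uint64_t mark)
{
    g_self_mark = mark;
    g_initialized = 1;
}

/*
 * The gate in front of a sensitive operation (think: the wrapper around a
 * system call). It accepts only callers that present the current mark.
 */
gate_result guarded_op(uint64_t presented_mark, const char *what)
{
    if (!g_initialized)
        return GATE_UNINIT;
    if (presented_mark != g_self_mark) {
        g_nonself_events++;
        fprintf(stderr, "nonself control flow refused: %s\n", what);
        return GATE_REJECT_NONSELF;
    }
    /* A real gate would perform the guarded operation here. */
    return GATE_OK;
}

/* Instrumented call site: the program's own code path supplies the mark. */
#define SELF_CALL(what) guarded_op(g_self_mark, (what))

/* A legitimate path through the protected program. */
gate_result legitimate_path(void)
{
    return SELF_CALL("read configuration file");
}

/*
 * Stands in for hijacked control flow (injected code, a return-to-libc or
 * return-oriented chain) that reaches the gate directly. It does not know
 * the mark and can only present a guess.
 */
gate_result hijacked_path(uint64_t guess)
{
    return guarded_op(guess, "spawn shell");
}

int nonself_events(void)
{
    return g_nonself_events;
}

int main(void)
{
    if (immun_init() != 0) {
        fputs("no entropy source\n", stderr);
        return 1;
    }
    printf("legitimate path: %s\n",
           legitimate_path() == GATE_OK ? "self, allowed" : "refused");
    printf("hijacked path:   %s\n",
           hijacked_path(0xdeadbeefULL) == GATE_REJECT_NONSELF ? "nonself, refused" : "allowed");
    printf("nonself events: %d\n", nonself_events());
    return 0;
}
```

Running it makes the two properties of the approach concrete: every instrumented call site passes, so marked self is never flagged (no false positives by construction), while an unmarked call is refused unless the attacker guesses a 64-bit value. It also exposes the obvious limitation of this toy: a flow that has learned the mark, for instance through a memory disclosure, or that can re-enter an instrumented call site, is indistinguishable from self. Where the mark lives and how a hijacked flow is kept from reusing it are exactly the design questions a real implementation such as the one described in this paper has to answer, and this example does not attempt to.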

We have implemented a proof-of-concept prototype of our artificial malware immunization based on such a dynamically assigned sense of self in Linux, and our automatic malware immunization tool has successfully immunized real-world, unpatched, vulnerable applications (e.g., Snort 2.6.1, with over 140,000 lines of C code) against otherwise working exploits. In addition, our artificial malware immunization is effective against return-to-libc attacks and the recently discovered return-oriented exploits. The overall run-time performance overhead of our artificial malware immunization prototype is no more than 4%.


Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wang, X., Jiang, X. (2011). Artificial Malware Immunization Based on Dynamically Assigned Sense of Self. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds) Information Security. ISC 2010. Lecture Notes in Computer Science, vol 6531. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-18178-8_15

  • DOI: https://doi.org/10.1007/978-3-642-18178-8_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-18177-1

  • Online ISBN: 978-3-642-18178-8

  • eBook Packages: Computer Science, Computer Science (R0)