Enabling internet worms and malware investigation and defense using virtualization

Authors: Dongyan Xu, Xuxian Jiang


Abstract: Internet worms and malware remain a threat to the Internet, as demonstrated by a number of large-scale worm outbreaks such as MSBlast in 2003 and Sasser in 2004. Moreover, every new wave of outbreaks reveals rapid evolution in terms of infection speed, virulence, and sophistication. Unfortunately, our capability to investigate and defend against them has not advanced at the same pace. In this dissertation, we present an integrated, virtualization-based framework for worm and malware capture, investigation, and defense. The framework consists of a front-end and a back-end. The front-end is a honeyfarm architecture, called Collapsar, that attracts and captures real-world worm and malware instances from the Internet. Collapsar is the first honeyfarm that virtualizes full systems and enables centralized management of honeypots while preserving their distributed presence. The back-end is a virtual "playground," called vGround, for performing destruction-oriented experiments with the captured malware or worms; such experiments were previously expensive, inefficient, or even impossible to conduct. On top of this framework, we have developed defense mechanisms from several perspectives. More specifically, based on the unique behavior of each worm run, we define a behavioral footprinting model for worm profiling and identification, which complements the state-of-the-art content-based signature approach. We also develop a provenance-aware logging mechanism, called process coloring, which achieves higher efficiency and accuracy than existing approaches in revealing break-ins and contaminations.
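The abstract describes process coloring only at the level of its goal (provenance-aware logging that reveals where a break-in entered and what it contaminated). The following is an added toy simulation of that idea, written for this page; it is not the dissertation's code, and the event schema, process names, log lines and the exact colour-propagation rules are constructed assumptions that illustrate one plausible realisation of provenance tagging. Each remote-facing service receives its own colour, the colour follows fork and flows through files, and the log can then be filtered by colour instead of being searched line by line.

```python
"""Provenance-aware logging by process coloring, as a toy simulation.

Added example for this page, not code from the dissertation. It models the
idea stated in the abstract: every remote-service process receives its own
colour, colours are inherited across fork and carried through files, and the
log can then be queried by colour to show which service a break-in entered
through and what it contaminated. The event schema, process names and log
lines are constructed; the propagation rules are one plausible realisation
of provenance tagging, not the dissertation's exact rules.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int
    op: str      # start | fork | write | read | exec
    actor: str   # process that performed the operation
    target: str  # process created, or file touched


# Remote-facing services, each assigned a distinct colour at start (constructed).
SERVICES = {"sshd[100]": "sshd", "httpd[200]": "httpd"}

# Constructed audit log: a break-in through httpd that later spreads.
LOG = [
    Event(1,  "start", "init[1]",       "sshd[100]"),
    Event(2,  "start", "init[1]",       "httpd[200]"),
    Event(3,  "fork",  "httpd[200]",    "sh[201]"),             # exploited httpd spawns a shell
    Event(4,  "write", "sh[201]",       "/tmp/w.bin"),          # drops a payload
    Event(5,  "exec",  "sh[201]",       "/tmp/w.bin"),          # runs it
    Event(6,  "write", "sh[201]",       "/etc/cron.d/x"),       # persistence via cron
    Event(7,  "fork",  "sshd[100]",     "bash[101]"),           # unrelated admin login
    Event(8,  "read",  "bash[101]",     "/etc/cron.d/x"),       # admin inspects the cron file
    Event(9,  "write", "bash[101]",     "/root/.ssh/authorized_keys"),
    Event(10, "start", "init[1]",       "cron[300]"),
    Event(11, "read",  "cron[300]",     "/etc/cron.d/x"),       # cron picks up the dropped job
    Event(12, "fork",  "cron[300]",     "x[301]"),
    Event(13, "write", "logrotate[50]", "/var/log/syslog"),     # benign noise
]


def color_log(events, services):
    """Replay the log once, attaching colours to processes and files.

    Rules (monotone, like taint tracking): a service gets its own colour when
    started; fork passes the parent's colours to the child; write passes the
    writer's colours to the file; read/exec pass the file's colours to the
    reader. Returns (colours per object, list of (event, colours of event)).
    """
    colors = defaultdict(set)
    tagged = []
    for ev in events:
        if ev.op == "start" and ev.target in services:
            colors[ev.target].add(services[ev.target])
        elif ev.op in ("fork", "write"):
            colors[ev.target] |= colors[ev.actor]
        elif ev.op in ("read", "exec"):
            colors[ev.actor] |= colors[ev.target]
        tagged.append((ev, frozenset(colors[ev.actor] | colors[ev.target])))
    return colors, tagged


def events_for_color(tagged, color):
    """Sequence numbers of the log events that carry the given colour."""
    return [ev.seq for ev, cs in tagged if color in cs]


def provenance_of(colors, obj):
    """Service colours an object (process or file) carries, sorted."""
    return sorted(colors.get(obj, set()))


if __name__ == "__main__":
    colors, tagged = color_log(LOG, SERVICES)
    print("authorized_keys provenance:", provenance_of(colors, "/root/.ssh/authorized_keys"))
    print("httpd-coloured events:", events_for_color(tagged, "httpd"), "of", len(LOG))
```

Two things the replay makes visible. First, filtering by the httpd colour isolates the break-in chain (shell, payload, cron job, the cron-spawned process) and drops the benign logrotate write without scanning for content signatures. Second, monotone propagation over-approximates: the admin's bash session acquires the httpd colour merely by reading the planted cron file, so `/root/.ssh/authorized_keys` ends up carrying both colours. A real implementation needs a policy for such colour mixing; this toy deliberately keeps the conservative rule.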
