Enabling internet worms and malware investigation and defense using virtualization

Internet worms and malware remain a threat to the Internet, as demonstrated by a number of large-scale Internet worm outbreaks, such as the MSBlast worm in 2003 and the Sasser worm in 2004. Moreover, every new wave of outbreak reveals the rapid evolution of Internet worms and malware in terms of infection speed, virulence, and sophistication. Unfortunately, our capability to investigate and defend against Internet worms and malware has not seen the same pace of advancement. In this dissertation, we present an integrated, virtualization-based framework for malware capture, investigation and defense. This integrated framework consists of a front-end and a back-end. The front-end is a virtualization-based honeyfarm architecture, called Collapsar, to attract and capture real-world malware instances from the Internet. Collapsar is the first honeyfarm that virtualizes full systems and enables centralized management of honeypots while preserving their distributed presence. The back-end is a virtual malware "playground," called vGround, to perform destruction-oriented experiments with captured malware or worms, which were previously expensive, inefficient, or even impossible to conduct. On top of the integrated framework, we have developed a number of defense mechanisms from various perspectives. More specifically, based on the unique infection behavior of each worm we run in vGround, we define a behavioral footprinting model for worm profiling and identification, which complements the state-of-the-art content-based signature approach. We also develop a provenance-aware logging mechanism, called process coloring, that achieves higher efficiency and accuracy than existing systems in revealing malware break-ins and contaminations.
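The process-coloring idea in the abstract, as an added illustration that is not the dissertation's own implementation: each network-facing service process is seeded with a distinct "color", and the color diffuses along provenance edges in an audit stream (fork, file write, file read/exec), so that any later file or process carrying a color can be traced back to the service that was the break-in point, and all objects carrying that color make up the contamination. The event format, the service-to-color map, the operation names and the sample log below are all assumptions constructed for this example.

```python
"""Process coloring over a constructed provenance log (added illustration)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: int
    pid: int
    op: str   # fork | exec | read | write | connect   (hypothetical op set)
    arg: str  # child pid for fork; path for exec/read/write; host:port for connect


class ColorTracker:
    """Propagate service colors along fork / write / read / exec edges."""

    def __init__(self, service_colors: Dict[int, str]):
        # Seed colors: one per remotely reachable service process.
        self.proc: Dict[int, Set[str]] = defaultdict(set)
        self.file: Dict[str, Set[str]] = defaultdict(set)
        self.conns: List[tuple] = []
        for pid, color in service_colors.items():
            self.proc[pid].add(color)

    def replay(self, events: List[Event]) -> "ColorTracker":
        for ev in sorted(events, key=lambda e: e.ts):
            src = self.proc[ev.pid]
            if ev.op == "fork":            # child inherits parent's colors
                self.proc[int(ev.arg)] |= src
            elif ev.op == "write":         # file absorbs the writer's colors
                self.file[ev.arg] |= src
            elif ev.op in ("read", "exec"):  # process absorbs the file's colors
                self.proc[ev.pid] |= self.file[ev.arg]
            elif ev.op == "connect":       # outbound traffic tagged with colors
                self.conns.append((ev.ts, ev.pid, ev.arg, frozenset(src)))
            else:
                raise ValueError(f"unknown op {ev.op!r} at ts={ev.ts}")
        return self

    def process_colors(self, pid: int) -> Set[str]:
        return set(self.proc.get(pid, ()))

    def file_colors(self, path: str) -> Set[str]:
        return set(self.file.get(path, ()))

    def contamination(self, color: str) -> dict:
        """Everything that carries `color`: the footprint of one break-in."""
        return {
            "processes": {p for p, c in self.proc.items() if color in c},
            "files": {f for f, c in self.file.items() if color in c},
            "connections": [(ts, pid, dst) for ts, pid, dst, c in self.conns if color in c],
        }


# Constructed audit stream: an httpd worker is exploited, drops a payload,
# persists via cron, and the cron-spawned copy starts scanning. sshd is benign.
SERVICES = {100: "httpd", 200: "sshd"}
SAMPLE_LOG = [
    Event(1, 100, "fork", "101"),
    Event(2, 101, "write", "/tmp/.x"),                 # dropper written by httpd worker
    Event(3, 101, "exec", "/tmp/.x"),
    Event(4, 101, "fork", "102"),
    Event(5, 102, "write", "/etc/cron.d/backdoor"),    # persistence
    Event(6, 300, "read", "/etc/cron.d/backdoor"),     # uncolored cron daemon reads it
    Event(7, 300, "fork", "301"),
    Event(8, 301, "exec", "/tmp/.x"),                  # cron child becomes httpd-colored
    Event(9, 301, "connect", "10.0.0.5:445"),          # scanning from the implant
    Event(10, 200, "fork", "201"),
    Event(11, 201, "write", "/var/log/auth.log"),      # normal sshd activity
]


def run_demo() -> ColorTracker:
    return ColorTracker(SERVICES).replay(SAMPLE_LOG)


if __name__ == "__main__":
    t = run_demo()
    print("break-in service for /etc/cron.d/backdoor:", t.file_colors("/etc/cron.d/backdoor"))
    print("httpd contamination:", t.contamination("httpd"))
```

The useful property is that the cron daemon (pid 300) starts with no color yet ends up httpd-colored after reading the dropped crontab, so the scanner it eventually spawns is attributed to the web server compromise rather than to cron; a reviewer of the coloured log never needs to reconstruct the full dependency graph to answer "which service was broken into" or "what did the intruder touch".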
