We introduce tBox, a system that provides protection against targeted and user-oriented attacks. Such attacks rely on user mistakes, such as misinterpreting or ignoring security alerts, which lead to the proliferation of malicious objects inside the trusted perimeter of cyber-security systems (e.g. the exclusion list of an AV product). These attacks include strategic web compromise, spear phishing, insider threat and social-network malware. Moreover, targeted attacks often deliver zero-day malware that is deliberately made difficult to detect, e.g. through a distributed malicious payload. The tBox system protects even a "bad" user who does not cooperate with security products. To accomplish this, tBox seamlessly transfers the user's activity with vulnerable applications into a dedicated virtual environment that provides three key factors: user-activity isolation, behavior self-monitoring and security inheritance for user-carried objects. To provide self-monitoring, our team developed a novel technology for deep dynamic analysis of system-wide behavior, which allows run-time recognition of malicious functionalities, including obfuscated and distributed ones. We evaluate the tBox prototype with a corpus of real malware families. Results show high efficiency of tBox in detecting and blocking malware while incurring low system overhead.