Automatic discovery of parasitic malware

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 6307 LNCS, Issue , 2010, Pages 97-117

  Srivastava, Abhinav ^a   Giffin, Jonathon ^a  

^a Georgia Institute of Technology   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BENCHMARKING; INTRUSION DETECTION;

AUTOMATIC DISCOVERY; BENIGN PROCESS; INFECTED SYSTEMS; MALICIOUS ACTIVITIES; MALICIOUS BEHAVIOR; NETWORK LEVEL; SECURITY AND PERFORMANCE; WINDOWS SYSTEM;

MALWARE;

EID: 78249255488     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-15512-3_6     Document Type: Conference Paper

References (41)

1. Baliga, A., Ganapathy, V., Iftode, L.: Automatic inference and enforcement of kernel data structures invariants. In: ACSAC, Anaheim, CA (December 2008)
2. Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA (May 2005)
3. Christodorescu, M., Sailer, R., Schales, D., Sgandurra, D., Zamboni, D.: Cloud security is not (just) virtualization security. In: Cloud Computing Security Workshop, Chicago, IL (November 2009)
4. Community Developers. Ebtables, http://ebtables.sourceforge.net/ (last accessed April 15, 2010)
5. Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: Malware analysis via hardware virtualization extensions. In: ACM CCS, Alexandria, VA (October 2008)
6. Dunlap, G., King, S., Cinar, S., Basrai, M., Chen, P.: Revirt: Enabling intrusion analysis through virtual-machine logging and replay. In: OSDI, Boston, MA (December 2002)
7. Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for UNIX processes. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 1996)
8. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: NDSS, San Diego, CA (February 2003)
9. Giffin, J., Jha, S., Miller, B.: Detecting manipulated remote call streams. In: 11th USENIX Security Symposium, San Francisco, CA (August 2002)
10. Giffin, J.T., Jha, S., Miller, B.P.: Efficient context-sensitive intrusion detection. In: NDSS, San Diego, CA (February 2004)
11. Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting malware infection through IDS-driven dialog correlation. In: USENIX Security Symposium, Boston, MA (August 2007)
12. Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6(3), 151-180 (1998)
13. IBM. Ibm page detailer, http://www.alphaworks.ibm.com/tech/pagedetailer/ download (last accessed April 15, 2010)
14. Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through VMM-based 'out-of-the-box' semantic view. In: ACM CCS, Alexandria, VA (November 2007)
15. Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: VMM-based hidden process detection and identification using Lycosid. In: ACM VEE, Seattle, WA (March 2008)
16. Kasslin, K.: Evolution of kernel-mode malware, http://igloo. engineeringforfun.com/malwares/ Kimmo-Kasslin-Evolution-of-kernel-mode-malware- v2.pdf (last accessed April 15, 2010)
17. Kephart, J., Arnold, W.: Automatic extraction of computer virus signatures. In: Virus Bulletin, Jersey, Channel Islands, UK (1994)
18. Kim, G.H., Spafford, E.H.: The design and implementation of tripwire: a file system integrity checker. In: ACM CCS, Fairfax, VA (November 1994)
19. King, S.T., Chen, P.M.: Backtracking intrusions. In: ACM SOSP, Bolton Landing, NY (October 2003)
20. Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor support for identifying covertly executing binaries. In: USENIX Security Symposium, San Jose, CA (August 2008)
21. Martignoni, L., Stinson, E., Fredrikson, M., Jha, S., Mitchell, J.C.: A layered architecture for detectingmalicious behaviors. In: Lippmann, R.,Kirda, E.,Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 78-97. Springer, Heidelberg (2008)
22. MSDN. Asynchronous procedure calls, http://msdn.microsoft.com/en-us/ library/ms681951VS.85.aspx (last accessed April 15, 2010)
23. OffensiveComputing. Storm Worm Process Injection from the Windows Kernel, http://www.offensivecomputing.net/?q=node/661 (last accessed April 15, 2010)
24. Passmark Software. PassMark Performance Test, http://www.passmark.com/ products/pt.htm (last accessed April 15, 2010)
25. Paxson, V.: Bro: A system for detecting network intruders in real-time. In: Usenix Security, San Antonio, TA (January 1998)
26. Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: An architecture for secure active monitoring using virtualization. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 2008)
27. Petroni Jr., N.L., Fraser, T., Walters, A., Arbaugh, W.A.: An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: USENIX Security Symposium, Vancouver, BC, Canada (August 2006)
28. Petroni Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: ACM CCS, Alexandria, VA (November 2007)
29. Richter, J.: Load your 32-bit DLL into another process's address space using injlib. Microsoft Systems Journal 9(5) (May 1994)
30. Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 1-20. Springer, Heidelberg (2008)
31. Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of USENIX LISA, Seattle, WA (November 1999)
32. Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 2001)
33. Sharif, M., Lee, W., Cui, W., Lanzi, A.: Secure in-vm monitoring using hardware virtualization. In: ACM CCS, Chicago, IL (November 2009)
34. Srivastava, A., Erete, I., Giffin, J.: Kernel data integrity protection via memory access control. Technical Report GT-CS-09-05, Georgia Institute of Technology, Atlanta, GA (2009)
35. Srivastava, A., Giffin, J.: Tamper-resistant, application-aware blocking of malicious network connections. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 39-58. Springer, Heidelberg (2008)
36. Staniford, S., Paxson, V., Weaver, N.: How to 0wn the internet in your spare time. In: USENIX Security Symposium, San Francisco, CA (August 2002)
37. Swift, M.M., Bershad, B.N., Levy, H.M.: Improving the reliability of commodity operating systems. In: ACM SOSP, Bolton Landing, NY (October 2003)
38. ThreatExpert. Conficker/downadup: Memory injection model. http://blog.threatexpert.com/2009/01/ confickerdownadup-memory-injection.html (last accessed April 15, 2010)
39. Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 54. Springer, Heidelberg (2001)
40. Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: ACM CCS, Chicago, IL (November 2009)
41. Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using cwsandbox. IEEE Security & Privacy 5(2) (March 2007) (Pubitemid 46527386)