Detecting infection onset with behavior-based policies

Proceedings - 2011 5th International Conference on Network and System Security, NSS 2011

Volumn , Issue , 2011, Pages 57-64

  Xu, Kui ^a   Yao, Danfeng ^a   Ma, Qiang ^a   Crowell, Alexander ^a  

^a VIRGINIA POLYTECHNIC INSTITUTE AND STATE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BEHAVIOR-BASED; EXPERIMENTAL EVALUATION; FALSE ALARMS; FALSE POSITIVE RATES; HOST-BASED; MALICIOUS CODES; MALWARES; NETWORKED APPLICATIONS; PROCESS EXECUTION; REAL-TIME PROTECTION; SYSTEM RESOURCES; USER ACTION; USER STUDY;

NETWORK SECURITY; PERSONAL COMPUTERS; SOFTWARE DESIGN;

COMPUTER CRIME;

EID: 81055138290     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ICNSS.2011.6059960     Document Type: Article

References (39)

1. G. K. Baah, A. Podgurski, and M. J. Harrold. The probabilistic program dependence graph and its application to fault diagnosis. In Proceedings of the 2008 international symposium on Software testing and analysis, ISSTA'08, pages 189-200, New York, NY, USA, 2008. ACM.
2. A. Baliga, L. Iftode, and X. Chen. Automated containment of rootkits attacks. Computers & Security, 27(7-8):323-334, 2008.
3. E. Chien. The new generation of targeted attacks, 2010. Keynote in Recent Advances in Intrusion Detection (RAID).
4. M. Cova, C. Kruegel, and G. Vigna. Detection and analysis of driveby-download attacks and malicious javascript code. In Proceedings of 19th International World Wide Web Conference, 2010.
5. M. Cruz. Most abused infection vector, 2008. Trend Micro. http://blog. trendmicro.com/most-abused-infection-vector/.
6. M. Egele, E. Kirda, and C. Kruegel. Mitigating drive-by download attacks: Challenges and open problems. In Proceedings of the Open Research Problems in Network Security (iNetSec), pages 52-62, 2009.
7. M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In Proceedings of the Sixth Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2009.
8. D. A. Freedman. Statistical Models and Causal Inference: A Dialogue with the Social Sciences. Cambirdge University Press, 2010.
9. C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In IEEE Symposium on Security and Privacy, May 2008.
10. T. Jaeger, J. Liedtke, and N. Islam. Operating system protection for fine-grained programs. In Proceedings of the 7th USENIX Security Symposium proceedings, 1998.
11. T. Jaeger, A. D. Rubin, and A. Prakash. Building systems that flexibly control downloaded executable content. In Proceedings of the 6th USENIX Security Symposium, July 1996.
12. Z. Liang, W. Sun, V. N. Venkatakrishnan, and R. Sekar. Alcatraz: An isolated environment for experimenting with untrusted software. ACM Trans. Inf. Syst. Secur., 12:14:1-14:37, January 2009.
13. P. Likarish, E. E. Jung, and I. Jo. Obfuscated malicious javascript detection using classification techniques. In Proceedings of 4th International Conference on Malicious and Unwanted Software, 2009.
14. M. T. Louw, J. S. Lim, and V. N. Venkatakrishnan. Enhancing web browser security against malware extensions. Journal in Computer Virology, 4(3):179-195, 2008.
15. L. Lu, V. Yegneswaran, P. Porras, and W. Lee. Blade: An attack-agnostic approach for preventing drive-by malware infections. In Proceedings of 17th ACM Conference on Computer and Communications Security, 2010.
16. www.malwaredomainlist.com.
17. www.malwareurl.com.
18. J. A. Morales, E. J. Kartaltepe, S. Xu, and R. S. Sandhu. Symptomsbased detection of bot processes. In I. V. Kotenko and V. A. Skormin, editors, MMM-ACNS, volume 6258 of Lecture Notes in Computer Science, pages 229-241. Springer, 2010.
19. A. Moshchuk, T. Bragin, and D. Deville. SpyProxy: Execution-based detection of malicious web content. In Proceedings of the 16th USENIX Security Symposium, 2007.
20. Microsoft high-risk extensions. http://support.microsoft.com/kb/883260.
21. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser analysis of web-based malware. In HotBots'07: Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, Berkeley, CA, USA, 2007. USENIX Associa-tion
22. Apple QuickTime 7.3 RTSP Response Exploit, CVE-2007-6166, http://securityevaluators.com/content/case-studies/sl/.
23. K. Rieck, T. Krueger, and A. Dewald. Cujo: efficient detection and prevention of drive-by-download attacks. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC'10, pages 31-39, New York, NY, USA, 2010. ACM.
24. K. Rieck, G. Schwenk, T. Limmer, T. Holz, and P. Laskov. Botzilla: detecting the "phoning home" of malicious software. In Proceedings of the 2010 ACM Symposium on Applied Computing, SAC'10, pages 1978-1984, New York, NY, USA, 2010. ACM.
25. J. Shirley and D. Evans. The user is not the enemy: Fighting malware by tracking user intentions. In Proceedings of New Security Paradigms Workshop (NSPW), pages 22-25, September 2008.
26. skape. Understanding windows shellcode. http://www.nologin.org/Downloads/ Papers/win32-shellcode.pdf, 2003.
27. skape. Metasploit's meterpreter. http://www.nologin.org/Downloads/Papers/ meterpreter.pdf, 2004.
28. Skape and J. Turkulainen. Remote library injection. http://www.nologin. org/Downloads/Papers/remote-library-injection.pdf, 2004.
29. C. Song, J. Zhuge, X. Han, and Z. Ye. Preventing drive-by download via inter-module communication monitoring. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2010.
30. E. H. Spafford and G. Kim. The design and implementation of tripwire: A file system integrity checker. In 2nd ACM Conf. on Computer and Communication Security (CCS), 1994.
31. A. Stamminger, C. Kruegel, G. Vigna, and E. Kirda. Automated spyware collection and analysis. In P. Samarati, M. Yung, F. Martinelli, and C. A. Ardagna, editors, ISC, volume 5735 of Lecture Notes in Computer Science, pages 202-217. Springer, 2009.
32. D. Stefan, C. Wu, D. Yao, and G. Xu. Cryptographic provenance verification for the integrity of keystrokes and outbound network traffic. In Proceedings of the 8th International Conference on Applied Cryptography and Network Security (ACNS), June 2010.
33. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. A. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: analysis of a botnet takeover. In E. Al-Shaer, S. Jha, and A. D. Keromytis, editors, ACM Conference on Computer and Communications Security, pages 635-647. ACM, 2009.
34. W. Sun, R. Sekar, Z. Liang, and V. N. Venkatakrishnan. Expanding malware defense by securing software installations. In Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA'08, pages 164-185, Berlin, Heidelberg, 2008. Springer-Verlag.
35. H. J. Wang, X. Fan, J. Howell, and C. Jackson. Protection and communication abstractions for web browsers in MashupOS. In ACM Symposium on Operating Systems Principle (SOSP), pages 1-16. ACM Press, 2007.
36. H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal OS construction of the Gazelle web browser. In Proceedings of the 18th Usenix Security Symposium, August 2009.
37. Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. King. Automated web patrol with Strider HoneyMonkeys: Finding web sites that exploit browser vulnerabilities. In Proceedings of the Annual Symposium on Network and Distributed System Security (NDSS), 2006.
38. H. Xiong, P. Malhotra, D. Stefan, C. Wu, and D. Yao. User-assisted host-based detection of outbound malware traffic. In Proceedings of International Conference on Information and Communications Security (ICICS), December 2009.
39. S. Zarandioon, D. Yao, and V. Ganapathy. OMOS: A framework for secure communication in mashup applications. In ACSAC'08: Proceedings of the 24th Annual Computer Security Applications Conference, pages 355-364, December 2008.