Attribution of Malicious Behavior

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6503)

Abstract

Internet-connected computer systems face ongoing software attacks. Existing defensive solutions, such as intrusion detection systems, rely on the ability to identify malicious software (malware) in order to prevent its installation. This approach remains imperfect, resulting in widespread, persistent malware infections, malicious execution, and transmission of undesirable Internet traffic. Over the past several years, we have begun to develop solutions that help computer systems automatically recover from unknown malicious software infections by identifying and disabling the software. Our work departs from previous malware analysis because it employs strict post-infection analysis matching real-world environments: it assumes that security monitoring does not exist during the critical malware installation time and identifies potentially malicious software infecting a system given only observations of the infected system’s execution. This paper reports on our progress attributing undesirable network behavior to malicious code and highlights upcoming research challenges we expect to face as we begin to automatically excise that code from infected systems.
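The abstract's central claim is that undesirable network behavior can be attributed to the code responsible for it using only observations of the already-infected system. The example below is added here to make that attribution concrete at the host level; it is not the paper's system (the abstract does not detail its mechanism), and every input is constructed: the /proc/net/tcp, /proc/<pid>/fd and /proc/<pid>/maps snapshots, the PIDs, the file paths and the baseline set are all made up. Each established TCP connection is followed through its socket inode to the owning process and then to the executable images mapped in that process; any image absent from a baseline of known-good images, or any executable mapping with no backing file, is reported as the code the connection should be attributed to. Two caveats a practitioner would keep in mind: a real baseline compares file hashes rather than paths, and everything here is read through the infected system's own kernel, so a kernel-level rootkit can hide the socket, the process or the mapping from this view.

```python
# Added example: attribute live TCP connections to the code behind them using
# constructed /proc-style snapshots. Not the paper's system; all data is made up.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESTABLISHED = "01"  # 'st' column value for TCP_ESTABLISHED in /proc/net/tcp

# Stand-in for /proc/net/tcp: a listening sshd socket plus two outbound
# connections (SMTP to a LAN host, HTTPS to a TEST-NET address).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10245 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D3A2 5E00A8C0:0019 01 00000000:00000000 00:00000000 00000000  1000        0 20918 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C1F0 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20944 1 0000000000000000 20 4 30 10 -1
"""

# Stand-in for /proc/<pid>/fd symlink targets (hypothetical PIDs).
PROC_FD = {
    611:  {"0": "/dev/null", "3": "socket:[10245]"},
    2304: {"0": "/dev/pts/0", "4": "socket:[20918]"},
    2410: {"1": "/dev/null", "3": "socket:[20944]"},
}

# Stand-in for /proc/<pid>/maps; the rwxp mapping with no backing file in
# pid 2304 is the classic footprint of code injected at run time.
PROC_MAPS = {
    611:  ["55a0c0200000-55a0c0340000 r-xp 00000000 08:01 131072 /usr/sbin/sshd"],
    2304: ["5603e0800000-5603e0c00000 r-xp 00000000 08:01 393216 /usr/bin/python3",
           "7f9d40000000-7f9d40021000 rwxp 00000000 00:00 0",
           "7f9d41000000-7f9d411c0000 r-xp 00000000 08:01 262144 /usr/lib/libc.so.6"],
    2410: ["55e1a0000000-55e1a0c00000 r-xp 00000000 08:01 524288 /usr/bin/firefox",
           "7fc2a8000000-7fc2a8010000 r-xp 00000000 08:01 917504 /tmp/.x/libupd.so",
           "7fc2a9000000-7fc2a91c0000 r-xp 00000000 08:01 262144 /usr/lib/libc.so.6"],
}

# Hypothetical baseline of known-good images (a real one would key on file hashes).
BASELINE = {"/usr/sbin/sshd", "/usr/lib/libc.so.6", "/usr/bin/python3", "/usr/bin/firefox"}

@dataclass
class Attribution:
    connection: str
    pid: Optional[int]
    images: List[Optional[str]]   # executable images in the owning process; None = anonymous
    suspicious: List[str]         # images the baseline does not explain

def hex_addr(field: str) -> str:
    """Decode a /proc/net/tcp 'AABBCCDD:PPPP' field: little-endian hex IPv4, hex port."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return "%d.%d.%d.%d:%d" % (*octets, int(port_hex, 16))

def parse_proc_net_tcp(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (local, remote, state, inode) tuples, skipping the header line."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if f and f[0].endswith(":"):
            conns.append((hex_addr(f[1]), hex_addr(f[2]), f[3], int(f[9])))
    return conns

def socket_owners(proc_fd: Dict[int, Dict[str, str]]) -> Dict[int, int]:
    """Map socket inode -> pid by scanning fd targets of the form 'socket:[inode]'."""
    owners = {}
    for pid, fds in proc_fd.items():
        for target in fds.values():
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = pid
    return owners

def executable_images(maps_lines: List[str]) -> List[Tuple[Optional[str], str]]:
    """Return (path-or-None, perms) for every mapping that carries execute permission."""
    images = []
    for line in maps_lines:
        parts = line.split(None, 5)           # addr perms offset dev inode [path]
        if "x" in parts[1]:
            images.append((parts[5].strip() if len(parts) > 5 else None, parts[1]))
    return images

def attribute(tcp_text: str, proc_fd, proc_maps, baseline) -> List[Attribution]:
    """Tie each established connection to its process and flag code the baseline cannot explain."""
    owners = socket_owners(proc_fd)
    out = []
    for local, remote, state, inode in parse_proc_net_tcp(tcp_text):
        if state != ESTABLISHED:
            continue
        pid = owners.get(inode)
        images = executable_images(proc_maps.get(pid, []))
        suspicious = [path or f"anonymous {perms} mapping"
                      for path, perms in images if path is None or path not in baseline]
        out.append(Attribution(f"{local} -> {remote}", pid, [p for p, _ in images], suspicious))
    return out

if __name__ == "__main__":
    for a in attribute(PROC_NET_TCP, PROC_FD, PROC_MAPS, BASELINE):
        print(f"{a.connection:<40} pid={a.pid} {'SUSPECT' if a.suspicious else 'ok'} {a.suspicious}")
```

Run stand-alone, the script prints one line per established connection: on the constructed snapshot the SMTP connection resolves to a python3 process carrying an anonymous rwxp region, and the HTTPS connection to a firefox process that has loaded /tmp/.x/libupd.so, while the sshd listener is skipped because only established connections are attributed. Listening sockets and UDP (/proc/net/udp) would need the same inode join; IPv6 (/proc/net/tcp6) uses a 32-hex-digit address that this decoder does not handle.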




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Giffin, J., Srivastava, A. (2010). Attribution of Malicious Behavior. In: Jha, S., Mathuria, A. (eds) Information Systems Security. ICISS 2010. Lecture Notes in Computer Science, vol 6503. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17714-9_4

  • DOI: https://doi.org/10.1007/978-3-642-17714-9_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17713-2

  • Online ISBN: 978-3-642-17714-9
