90 research outputs found

    Storytelling Security: User-Intention Based Traffic Sanitization

    Malicious software (malware) with decentralized communication infrastructure, such as peer-to-peer botnets, is difficult to detect. In this paper, we describe a traffic-sanitization method for identifying malware-triggered outbound connections from a personal computer. Our solution correlates user activities with the content of outbound traffic. Our key observation is that user-initiated outbound traffic typically has corresponding human inputs, i.e., keystrokes or mouse clicks. Our analysis of the causal relations between user inputs and packet payloads enables the efficient enforcement of inter-packet dependencies at the application level. We formalize our approach within the framework of a protocol state machine. We define new application-level traffic-sanitization policies that enforce the inter-packet dependencies. The dependency is derived from the transitions among protocol states that involve both user actions and network events. We refer to our methodology as storytelling security. We demonstrate a concrete realization of our methodology in the context of a peer-to-peer file-sharing application, and describe its use in blocking the traffic of P2P bots on a host. We implement and evaluate our prototype on the Windows operating system in both online and offline deployment settings. Our experimental evaluation, along with case studies of real-world P2P applications, demonstrates the feasibility of verifying the inter-packet dependencies. Our deep packet inspection incurs overhead on the outbound network flow. Our solution can also be used as an offline collect-and-analyze tool.

    Identifying Native Applications with High Assurance

    The work described in this paper investigates the problem of identifying and deterring stealthy malicious processes on a host. We point out the lack of strong application identification in mainstream operating systems. We solve the application identification problem by proposing a novel identification model in which user-level applications are required to present identification proofs at run time to be authenticated by the kernel using an embedded secret key. The secret key of an application is registered with a trusted kernel using a key registrar and is used to uniquely authenticate and authorize the application. We present a protocol for secure authentication of applications. Additionally, we develop a system call monitoring architecture that uses our model to verify the identity of applications when they make critical system calls. Our system call monitoring can be integrated with existing policy specification frameworks to enforce application-level access rights. We implement and evaluate a prototype of our monitoring architecture in Linux as device drivers with nearly no modification of the kernel. The results from our extensive performance evaluation show that our prototype incurs low overhead, indicating the feasibility of our model.

    Studying a Virtual Testbed for Unverified Data

    It is difficult to fully know the effects a piece of software will have on your computer, particularly when the software is distributed by an unknown source. The research in this paper focuses on malware detection, virtualization, and sandbox/honeypot techniques with the goal of improving the security of installing useful, but unverifiable, software. With a combination of these techniques, it should be possible to install software in an environment where it cannot harm a machine, but can be tested to determine its safety. Testing for malware, performance, network connectivity, memory usage, and interoperability can be accomplished without allowing the program to access the base operating system of a machine. After the full effects of the software are understood and it is determined to be safe, it could then be run from, and given access to, the base operating system. This thesis investigates the feasibility of creating a system to verify the security of unknown software while ensuring it will have no negative impact on the host machine.

    An OS State Restoration Feature for BitVisor

    Many threats caused by malware have been discovered, and the common countermeasure is to strengthen OS security with security systems such as anti-virus software. However, some malware disables the security system itself, so countermeasures taken within the OS have their limits. One way to solve this problem is to perform security processing with a virtual machine monitor (VMM). In this approach, the OS runs on a virtual machine (VM), and the VMM layer analyzes the behavior of the OS to strengthen its security. Systems using this approach were originally built for general users in order to improve OS security, but they can also be applied to systems aimed at malware analysts, in which programs suspected of being malware are actually executed on a VM and their behavior is monitored (dynamic malware analysis on a VM), and this application is being researched. When used for dynamic malware analysis, a VMM should provide an environment as close as possible to a real machine, because some malware stops running in environments that differ greatly from a real one. BitVisor is a VMM that provides such an environment: it stays close to a real machine while offering the ability to monitor device I/O. However, although BitVisor provides an environment suitable for dynamic malware analysis, it does not provide a feature for restoring an environment that malware has damaged to its original state. This research therefore proposes a feature for BitVisor that saves and restores the state of the OS as a checkpoint. What is saved and restored as a checkpoint is the disk data (the data residing on disk) and the memory data (the data residing in memory). Furthermore, since we consider that the user knows best when it is appropriate to save or restore the OS state, the trigger for saving and restoring the OS state can be pulled at any time from the user level of the OS. We implemented this feature in BitVisor, measured and evaluated the execution-time overhead with benchmarks, and confirmed that the overhead after introducing the proposed system is at a level acceptable for practical use. The University of Electro-Communications 201

    Memory Access Monitoring and Disguising of Process Information to Avoid Attacks to Essential Services

    To prevent attacks on essential software and to mitigate damage, an attack-avoidance method that makes it harder for attackers to identify processes has been proposed. This method complicates the identification of essential services by replacing process information with dummy information. However, it still allows attackers to identify essential processes by detecting changes in process information. To address this problem and make process identification more difficult, this paper proposes memory access monitoring using a virtual machine monitor. By manipulating page access permissions, the virtual machine monitor detects accesses to pages that contain process information and replaces that information with dummy information. This paper presents the design, implementation, and evaluation of the proposed method.

    Intrusion Detection Systems in Cloud Computing: A Contemporary Review of Techniques and Solutions

    Rapid growth of resources and the escalating cost of infrastructure are leading organizations to adopt cloud computing. Cloud computing provides high performance, efficient utilization, and on-demand availability of resources. However, the cloud environment is vulnerable to different kinds of intrusion attacks, which involve installing malicious software and creating backdoors. In a cloud environment, where businesses host important and critical data, the security of the underlying technologies becomes crucial. To mitigate the threat to cloud environments, Intrusion Detection Systems (IDS) provide a layer of defense. The aim of this survey paper is to review IDS techniques proposed for the cloud. To achieve this objective, the first step is defining the limitations and unique characteristics of each technique. The second step is establishing the criteria to evaluate IDS architectures. In this paper, the criteria used are derived from the basic characteristics of the cloud. The next step is a comparative analysis of various existing intrusion detection techniques against the criteria. The last step is a discussion of the drawbacks and open issues identified in the evaluation, because of which the implementation of IDS in a cloud environment faces hurdles.