Enabling Internet worms and malware investigation and defense using virtualization
Abstract
Internet worms and malware remain a threat to the Internet, as demonstrated by a number of large-scale Internet worm outbreaks, such as the MSBlast worm in 2003 and the Sasser worm in 2004. Moreover, every new wave of outbreak reveals the rapid evolution of Internet worms and malware in terms of infection speed, virulence, and sophistication. Unfortunately, our capability to investigate and defend against Internet worms and malware has not seen the same pace of advancement. In this dissertation, we present an integrated, virtualization-based framework for malware capture, investigation and defense. This integrated framework consists of a front-end and a back-end. The front-end is a virtualization-based honeyfarm architecture, called Collapsar, to attract and capture real-world malware instances from the Internet. Collapsar is the first honeyfarm that virtualizes full systems and enables centralized management of honeypots while preserving their distributed presence. The back-end is a virtual malware "playground," called vGround, to perform destruction-oriented experiments with captured malware or worms, which were previously expensive, inefficient, or even impossible to conduct. On top of the integrated framework, we have developed a number of defense mechanisms from various perspectives. More specifically, based on the unique infection behavior of each worm we run in vGround, we define a behavioral footprinting model for worm profiling and identification, which complements the state-of-the-art content-based signature approach. We also develop a provenance-aware logging mechanism, called process coloring, that achieves higher efficiency and accuracy than existing systems in revealing malware break-ins and contaminations.
Degree
Ph.D.
Advisors
Xu, Purdue University.
Subject Area
Computer science
Off-Campus Purdue Users:
To access this dissertation, please log in to our
proxy server.