Despite recent advances in malware defense, malware (e.g., viruses, worms, botnets, rootkits, spyware) continues to pose serious threats to all computers and networks. Besides being more damaging, modern malware (e.g., Blue Pill, Agobot) is becoming increasingly stealthy and evasive. This has made it increasingly difficult to protect computer systems and networks from malware and to ensure the trustworthiness of mission-critical systems.

Our natural immune systems are very effective at protecting the body from intrusion by an almost endless variety of pathogens. Immunity depends on the ability to distinguish the body's own cells ("self") from everything else ("non-self"). Inspired by self/non-self discrimination in natural immune systems, this research explores a new direction in building artificial malware immunization and malware forensics capabilities based on "another sense of self": a unique mark actively assigned to the programs to be protected. Based on this actively assigned sense of self, an "immunized" program can detect application-level malware effectively and efficiently. The actively assigned mark also enables new malware forensics capabilities that were not possible before. Because the artificial malware immunization technique does not require any specific knowledge of the malware, it has the potential to be effective against new and previously unknown malware. The artificial malware immunization techniques and tools to be developed could automatically make many applications (e.g., Web servers) immune to many kinds of malware and thus greatly improve the trustworthiness of computer systems.

Project Report

Inspired by self/non-self discrimination in natural immune systems, this project has explored a new direction in building artificial malware immunization and malware forensics capabilities based on a dynamically assigned sense of self: a unique mark dynamically assigned to the protected code and its data accesses. This dynamically assigned sense of self lets us effectively and efficiently detect any system call (including the very first) invoked by malware, because malware code does not carry the mark assigned to the immunized program.

Our artificial malware immunization is therefore able to pinpoint the first and every subsequent offending action by the malware in real time; for example, it can identify the first and all system calls triggered by the malware as they happen. By correlating the dynamically assigned sense of self across processes and threads, we can pinpoint the first and all shell commands issued by the malware that attacks the immunized application. This capability enables real-time malware forensics that was not possible in the past.

To support effective malware forensics, we have investigated how to automatically recover the malware code from a memory dump upon real-time detection of an attack. We have developed a tool that automatically and accurately pinpoints the exact start and boundary of the attack code even when it is mingled with random bytes in the dump, and that can handle combinations of several code obfuscation encoders. To the best of our knowledge, our tool is the first able to automatically extract code protected by Metasploit's polymorphic XOR additive feedback encoder Shikata Ga Nai (x86/shikata_ga_nai), which dynamically modifies the instructions in the current basic block.
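The following is an added illustration of the detection and cross-process correlation described above; it is not the project's tool and invents its own details. It assumes a monitor that sees every system call together with the program counter of the instruction that issued it, that the immunized program's code mappings are known when the image is loaded, and that the monitor learns the image loaded by each execve. The trace, image layouts, addresses and the Immunizer, Process and Syscall names are all constructed for the example.

```python
"""Toy model of a dynamically assigned "sense of self" for system-call attribution.

Added illustration, not the project's implementation. A process is a set of code
regions that carry a random per-image mark; a system call is "self" only if the
instruction that issued it lies in a marked region. Processes spawned (or images
loaded) by a non-self action are tainted, so the shell commands a payload runs
are attributed to the malware even though the shell's own code is legitimate.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """A code mapping that carries the owning process's mark (start..end exclusive)."""
    name: str
    start: int
    end: int


@dataclass
class Process:
    pid: int
    mark: int                       # the dynamically assigned "self"
    regions: list                   # code that legitimately carries the mark
    tainted: bool = False           # True once spawned or loaded by malware


@dataclass(frozen=True)
class Syscall:
    pid: int
    caller_pc: int                  # address of the instruction that trapped
    name: str
    args: tuple = ()
    ret: int = 0                    # child pid for fork/clone


# Constructed sample: text mappings of the images used in the demo trace.
IMAGES = {
    "/usr/sbin/httpd": [Region("httpd.text", 0x401000, 0x480000),
                        Region("libc.text", 0x7f0000000000, 0x7f0000200000)],
    "/bin/sh":         [Region("sh.text", 0x500000, 0x520000),
                        Region("libc.text", 0x7f0000000000, 0x7f0000200000)],
    "/bin/cat":        [Region("cat.text", 0x600000, 0x610000)],
}


class Immunizer:
    def __init__(self):
        self.procs = {}
        self.findings = []          # every offending syscall, in order

    def immunize(self, pid, image, tainted=False):
        """Assign a fresh, unpredictable mark to the code of a newly loaded image."""
        mark = secrets.randbits(64)
        self.procs[pid] = Process(pid, mark, list(IMAGES[image]), tainted)
        return mark

    def mark_at(self, proc, pc):
        """Mark carried by the code at pc: the process's mark inside a tagged
        region, None anywhere else (stack, heap, injected pages)."""
        return proc.mark if any(r.start <= pc < r.end for r in proc.regions) else None

    def on_syscall(self, sc):
        proc = self.procs[sc.pid]
        # Non-self: the trapping code lacks the mark, or the whole process
        # descends from an earlier non-self action (e.g. a spawned shell).
        offending = proc.tainted or self.mark_at(proc, sc.caller_pc) != proc.mark
        if offending:
            self.findings.append({"pid": sc.pid, "pc": sc.caller_pc,
                                  "name": sc.name, "args": sc.args})
        if sc.name in ("fork", "clone"):
            self.procs[sc.ret] = Process(sc.ret, proc.mark, list(proc.regions),
                                         proc.tainted or offending)
        elif sc.name == "execve":
            # New image, new mark; taint survives so the shell's own calls are
            # still attributed to the malware that launched it.
            self.immunize(sc.pid, sc.args[0], tainted=proc.tainted or offending)
        return offending

    def first_offense(self):
        return self.findings[0] if self.findings else None

    def shell_commands(self):
        """argv of every execve attributed to the malware, across processes."""
        return [f["args"][1] for f in self.findings if f["name"] == "execve"]


def run_demo():
    """Constructed trace: httpd serves a request, then injected stack shellcode
    forks and execs a shell that runs `cat /etc/passwd`."""
    imm = Immunizer()
    imm.immunize(100, "/usr/sbin/httpd")
    stack = 0x7ffc0000                                   # injected code lives here
    trace = [
        Syscall(100, 0x401234, "read", (4,)),             # self
        Syscall(100, 0x7f0000001000, "write", (4,)),      # self, via libc
        Syscall(100, stack + 0x00, "mprotect"),           # first non-self call
        Syscall(100, stack + 0x10, "fork", ret=101),
        Syscall(101, stack + 0x20, "execve", ("/bin/sh", ("sh", "-c", "cat /etc/passwd"))),
        Syscall(101, 0x500100, "read", (0,)),             # sh's own text, but tainted
        Syscall(101, 0x500200, "fork", ret=102),
        Syscall(102, 0x500300, "execve", ("/bin/cat", ("cat", "/etc/passwd"))),
        Syscall(102, 0x600050, "openat", ("/etc/passwd",)),
        Syscall(100, 0x401234, "read", (4,)),             # parent resumes: self again
    ]
    for sc in trace:
        imm.on_syscall(sc)
    return imm


if __name__ == "__main__":
    imm = run_demo()
    print("first offending syscall:", imm.first_offense())
    for argv in imm.shell_commands():
        print("shell command issued by malware:", " ".join(argv))
```

The mark is a fresh random value per loaded image and is never stored where the attacker writes, so injected code cannot carry it. The model also shows the caveat a practitioner should keep in mind: once the injected code hands control back to the program's own text (the last event in the trace), later calls from that text carry the mark again and are not flagged, which is why the first offending call, not the last, is the anchor for forensics, and why taint has to be propagated explicitly through fork and execve to catch the shell commands.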
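The Shikata Ga Nai extraction mentioned above concerns an XOR additive-feedback encoder, so the following added example (mine, not the project's extractor) shows the decoding rule and why the exact start of the encoded code matters. It assumes 32-bit little-endian blocks and the key update key += decoded dword after each block, which is my reading of the decoder loop (xor [ptr], key ; add key, [ptr]) rather than something the page states. The decoder stub, its FPU-based GetPC and its polymorphic register choices are omitted; the payload is the classic Linux x86 execve("/bin/sh") shellcode padded with a NOP, the key and the surrounding junk bytes are constructed, and run_demo, find_payload_start and recover_key are names of my own.

```python
"""XOR additive-feedback encode/decode of the kind used by Metasploit's
x86/shikata_ga_nai, as an added illustration (not the project's extractor).

Assumed rule: enc_i = plain_i ^ key_i and key_{i+1} = key_i + plain_i (mod 2^32),
i.e. the key absorbs every decoded dword, so block i can only be recovered
after blocks 0..i-1 were decoded from the right start with the right key.
"""
import random
import struct

MASK32 = 0xFFFFFFFF


def xor_additive_encode(plain: bytes, key: int) -> bytes:
    """Encode dword by dword; the key absorbs each plaintext dword it has emitted."""
    if len(plain) % 4:
        raise ValueError("plaintext must be a multiple of 4 bytes")
    out = bytearray()
    for (dw,) in struct.iter_unpack("<I", plain):
        out += struct.pack("<I", dw ^ key)
        key = (key + dw) & MASK32
    return bytes(out)


def xor_additive_decode_inplace(buf: bytearray, start: int, key: int, nblocks: int) -> int:
    """Mimic the decoder loop: decode nblocks dwords at buf[start:] in place,
    folding each decoded dword into the key. Returns the final key."""
    for i in range(nblocks):
        off = start + 4 * i
        (enc,) = struct.unpack_from("<I", buf, off)
        dec = enc ^ key
        struct.pack_into("<I", buf, off, dec)
        key = (key + dec) & MASK32
    return key


def recover_key(dump: bytes, start: int, known_first_dword: bytes) -> int:
    """Known-plaintext recovery of the initial key from the first encoded dword."""
    (enc0,) = struct.unpack_from("<I", dump, start)
    (p0,) = struct.unpack("<I", known_first_dword)
    return enc0 ^ p0


def find_payload_start(dump: bytes, key: int, nblocks: int, marker: bytes):
    """Try every byte offset as the decode start; the first whose decoded blocks
    contain marker is the real start. Any other offset desynchronises the running
    key and yields noise from the first block on."""
    for off in range(0, len(dump) - 4 * nblocks + 1):
        buf = bytearray(dump[off:off + 4 * nblocks])
        xor_additive_decode_inplace(buf, 0, key, nblocks)
        if marker in buf:
            return off
    return None


# Constructed sample: the classic 23-byte Linux x86 execve("/bin/sh") shellcode,
# NOP-padded to a dword multiple, as the payload to hide.
PAYLOAD = (b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
           + b"\x90")
KEY = 0x5EEDC0DE                       # constructed initial key
NBLOCKS = len(PAYLOAD) // 4


def run_demo() -> dict:
    """Hide the encoded payload among pseudo-random bytes (constructed dump),
    then locate it, decode it, and show a one-byte misalignment failing."""
    rng = random.Random(7)                       # fixed seed: reproducible junk
    encoded = xor_additive_encode(PAYLOAD, KEY)
    dump = rng.randbytes(37) + encoded + rng.randbytes(20)
    start = find_payload_start(dump, KEY, NBLOCKS, b"/bin")
    buf = bytearray(dump)
    xor_additive_decode_inplace(buf, start, KEY, NBLOCKS)
    wrong = bytearray(dump)                      # one byte off: everything garbles
    xor_additive_decode_inplace(wrong, start + 1, KEY, NBLOCKS)
    return {
        "start": start,
        "roundtrip": bytes(buf[start:start + 4 * NBLOCKS]) == PAYLOAD,
        "misaligned_ok": bytes(wrong[start + 1:start + 1 + 4 * NBLOCKS]) == PAYLOAD,
        "recovered_key": recover_key(dump, start, PAYLOAD[:4]),
    }


if __name__ == "__main__":
    print(run_demo())
```

The brute-force offset search works here only because the key and block count are given; in a real dump those live in the polymorphic decoder stub, so an extractor has to find and emulate the stub (or, as recover_key shows, exploit a known first dword of the shellcode) before it can decode. The feedback term is what makes the exact start matter: a single-byte misalignment corrupts the first decoded dword, the corrupted value enters the key, and every later block is noise.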
The project supported one PhD student conducting research on malware immunization and forensics through completion of his PhD in Computer Science, and prepared him to become a researcher employed by a major industry research organization. The project has resulted in 2 journal publications, 3 conference papers (one of which won a best paper award), 1 workshop paper, 1 PhD dissertation, 1 awarded US patent and 1 pending US patent, 1 evaluation license, and two startup companies negotiating licenses for the patented technologies developed in this project.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0845042
Program Officer: Sol J. Greenspan
Project Start:
Project End:
Budget Start: 2009-03-01
Budget End: 2014-02-28
Support Year:
Fiscal Year: 2008
Total Cost: $400,000
Indirect Cost:
Name: George Mason University
Department:
Type:
DUNS #:
City: Fairfax
State: VA
Country: United States
Zip Code: 22030