This award is funded under the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).
Internet-connected computer systems face ongoing software attacks. Existing defensive solutions, such as intrusion detection systems, rely on the ability to identify malicious software (malware) in order to prevent its installation. This approach remains imperfect, resulting in widespread, persistent malware infections, malicious execution, and transmission of undesirable Internet traffic. This project develops solutions that help computer systems automatically recover from unknown malicious software infections by identifying and disabling the software. It departs from previous malware analysis because it employs strict post-infection analysis matching real-world environments: it assumes that security monitoring does not exist during the critical malware installation time and develops hypotheses of the malware's design and system alterations given only observations of the infected system's execution. It designs on-line forensic analysis techniques that hoist an infected system into a virtual machine for runtime execution monitoring.
This project investigates three primary areas: (1) Analysis and interpretation of unknown malicious software behavior when no clean reference system is available for comparison. (2) Correlation of undesirable network activity with the malicious software components responsible for that activity. Attack recovery, or remediation, reclaims the infected system for legitimate use by disabling these components. (3) Inference of unobserved malicious software installation steps, enabling protection against reinfection. This project offers hands-on student training in binary code analysis, appropriate responses to a successful attack, and the role of virtual machines in secure system design. By helping users and organizations recover from widespread infections, it offers practical value to system and network operators.