CT-T: The Detection and Prevention of Spyware

CT-T：间谍软件的检测和预防

• 批准号: 0627367
• 负责人: Steven Gribble
• 金额: $ 95万
• 依托单位: University of Washington
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2006
• 资助国家: 美国
• 起止时间: 2006-09-01 至 2012-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0627367&HistoricalAwards=false
• 关键词: CT; Detection; Prevention; Spyware

Steve GribbleUniversity of Washington0626367Panel: P060975The detection and prevention of spywareThis project is building a foundation for understanding spyware, andis advancing the state of the art in detecting and preventing spywareinfections. Our research consists of four broad activities:Measurement: Using a combination of passive network monitoringand active Web crawling, we are gathering quantitative evidenceabout the nature of spyware and its lifecycle.Early detection: We are exploring schemes to detect new spywarethreats before they have had the opportunity to cause widespreadinfection. For example, we are developing techniques for examiningsoftware found while Web crawling to automatically identify"spyware-like" behavior, or to statically analyze software to look forcode fragments in common with previously detected spyware.Prevention: To prevent spyware from reaching a computer, we areaugmenting firewall and proxy systems to detect and block spywarebefore it reaches its victims. As well, to prevent new code fromgaining a foothold on a PC, we are exploring ways of "locking down"what code is permitted to execute.Infrastructure development: To conduct our research, we are developingnew spyware testing infrastructure and workload repositories; our virtual"spyware laboratory" uses clusters and virtual machine monitors toenable high-throughput, scalable sandboxing and observation ofmalicious code. As well, we are amassing a large collection ofknown spyware programs to enable additional analysis.

Steve Gribble华盛顿大学0626367小组：P060975间谍软件的检测和预防该项目正在为理解间谍软件奠定基础，并正在推进检测和预防间谍软件感染的最先进技术。 我们的研究包括四项广泛的活动： 测量：结合使用被动网络监控和主动网络爬行，我们正在收集有关间谍软件性质及其生命周期的定量证据。 早期检测：我们正在探索在新间谍软件威胁出现之前检测到它们的方案。造成广泛感染的机会。 例如，我们正在开发用于检查在网络爬行时发现的软件的技术，以自动识别“类似间谍软件”的行为，或者静态分析软件以查找与先前检测到的间谍软件相同的代码片段。 预防：为了防止间谍软件到达计算机，我们增强防火墙和代理系统，以便在间谍软件到达受害者之前检测并阻止它。 此外，为了防止新代码在 PC 上站稳脚跟，我们正在探索“锁定”允许执行的代码的方法。 基础设施开发：为了进行我们的研究，我们正在开发新的间谍软件测试基础设施和工作负载存储库；我们的虚拟“间谍软件实验室”使用集群和虚拟机监视器来实现高吞吐量、可扩展的沙箱和恶意代码观察。 此外，我们还收集了大量已知的间谍软件程序，以便进行额外的分析。