CT-ISG: Collaborative Proposal : Enabling Detection of Elusive Malware by Going Out of the Box with Semantically Reconstructed View (OBSERV)

CT-ISG：协作提案：通过语义重建视图 (OBSERV) 开箱即用，能够检测难以捉摸的恶意软件

• 批准号: 0716444
• 负责人: Dongyan Xu
• 金额: $ 13万
• 依托单位: Purdue University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2007
• 资助国家: 美国
• 起止时间: 2007-08-01 至 2011-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0716444&HistoricalAwards=false
• 关键词: CT; ISG; Collaborative; Proposal; Enabling

There is an alarming trend that elusive malware is armed with techniques that detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based anti-malware systems is that they run inside the very hosts they are protecting, making them vulnerable to malware's counter-detection and subversion. To address this limitation, solutions using virtual machine (VM) technologies advocate placing the malware detection facility outside of the protected VM. However, a dilemma exists between these two approaches: The "out of the box" approach gains tamper resistance at the cost of losing the native, semantic view of the host enjoyed by the "in the box" approach. To resolve the above dilemma, a new approach called OBSERV ("Out of the Box with SEmantically Reconstructed View") is introduced to achieve the advantages of both camps by reconstructing the semantic internal view of a VM from external, low-level observations. OBSERV enables two exciting malware defense opportunities: (1) malware detection by view comparison and (2) real-time detection and stoppage of kernel-level rootkits. The broader impact of this research is two-fold: (1) It will enhance the trustworthiness and effectiveness of widely deployed anti-malware systems. Moreover, OBSERV is expected to be viewed favorably by the anti-virus software industry because of its support for existing off-the-shelf anti-virus software. (2) Results from this research will lead to the development of education materials for undergraduate and graduate courses and for professional training sessions.

有一种令人担忧的趋势，难以捉摸的恶意软件配备了检测、逃避和破坏受害者恶意软件检测设施的技术。在防御方面，传统的基于主机的反恶意软件系统的一个根本限制是它们在它们所保护的主机内部运行，使得它们容易受到恶意软件的反检测和破坏。为了解决这一限制，使用虚拟机 (VM) 技术的解决方案主张将恶意软件检测设施放置在受保护的 VM 之外。然而，这两种方法之间存在一个困境：“开箱即用”方法获得了防篡改能力，但代价是失去了“开箱即用”方法所享有的主机的本机语义视图。为了解决上述困境，引入了一种名为 OBSERV（“开箱即用的语义重构视图”）的新方法，通过从外部、低级观察重构 VM 的语义内部视图来实现两个阵营的优点。 OBSERV 实现了两种令人兴奋的恶意软件防御机会：(1) 通过视图比较进行恶意软件检测，(2) 实时检测和停止内核级 Rootkit。这项研究的更广泛影响有两个方面：(1) 它将增强广泛部署的反恶意软件系统的可信度和有效性。此外，由于OBSERV支持现有的现成防病毒软件，预计将受到防病毒软件行业的青睐。 (2) 这项研究的结果将有助于开发本科生和研究生课程以及专业培训课程的教育材料。