CAREER: Human-Behavior Driven Malware Detection
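Basic information
- Grant number: 0953638
- Principal investigator:
- Amount: $530,000
- Host institution:
- Host institution country: United States
- Project type: Continuing Grant
- Fiscal year: 2010
- Funding country: United States
- Start and end dates: 2010-04-01 to 2016-03-31
- Project status: Completed
- Source:
- Keywords:
Project abstract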
Millions of computers worldwide are estimated to be infected by malware (malicious software) and have become, unknown to their owners, part of an army of dangerous "bots", which are software applications that run automated tasks over the Internet controlled by cyber criminals. These infected computers are coordinated and used by attackers to launch illegal and destructive network activities including identity theft, sending spam (estimated 100 billion spam messages every day), launching distributed denial of service attacks, and committing click fraud. They are also capable of launching information warfare to destroy critical network infrastructure of a nation. Existing malware-detection approaches are limited in their ability to identify and discern malicious bots from legitimate and benign ones. This proliferation and sophistication requires constant vigilance and upgrading. The proposed project introduces a new and paradigm-shifting approach for malware detection, referred to as human-behavior driven malware detection. With this approach, the project will be able to accurately differentiate network behaviors of a legitimate user and malware by identifying and enforcing unique properties of human computer usage on a host. The focus on human-user characteristics, versus those of malware, allows computer security to be realized without the need for continually monitoring ever-changing malware patterns. This approach will complement conventional malware-detecting techniques based on code analysis, data mining, or network trace filtering. The design of a unique and tamper-resistant traffic-enforcement framework will cryptographically verify the provenance information of both system and application-level data utilizing on-chip cryptographic hardware support. This project will implement novel and fine-grained input-traffic correlation analysis that has not been previously applied across a host's network stack, kernel modules, and input devices.
The proposed work will create new knowledge on design principles of reliable operating systems and applications, as well as gain insights to provide seamless integration of network-security techniques into a kernel. These studies will significantly advance the understanding of human-behavior based security and improve the system integrity of all networked computers. The research will build a base of important fundamental knowledge about user-centric security and will provide a compelling and more permanent solution to the increasing need of malware detection. The proposed work will focus on identifying characteristic human-user behaviors (namely application-level user inputs via keyboard and mouse), developing protocols for fine-grained traffic-input analysis, and preventing forgeries and attacks by malware. The PI will design and apply a combination of cryptographic techniques, correlation analysis, and Trusted Platform Module based integrity measures to carry out these tasks. As an integrated component of the project, the PI will conduct outreach and educational activities that aim to increase the general awareness of cyber-security issues in the K-14 community and broaden the interdisciplinary participation of undergraduate and underrepresented groups in computer security research. In addition, the PI will develop a novel interactive software system Sec Ed for teaching computer security and advancing efforts in curriculum development, mentoring, diversity building, and workshop organization.
Project outcomes
Journal articles (0)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Other publications by Danfeng Yao
RIGORITYJ: Deployment-quality Detection of Java Cryptographic Vulnerabilities
- DOI:
- Published: 2018
- Journal:
- Impact factor: 0
- Authors: Sazzadur Rahaman; Ya Xiao; K. Tian; Fahad Shaon; Murat Kantarcioglu; Danfeng Yao
- Corresponding author: Danfeng Yao
Other grants by Danfeng Yao
iMentor Workshop at the ACM CCS Conference 2020-2022
- Grant number: 1946295
- Fiscal year: 2020
- Amount: $530,000
- Project type: Standard Grant
SaTC: TTP: Medium: Collaborative: Deployment-quality and Accessible Solutions for Cryptography Code Development
- Grant number: 1929701
- Fiscal year: 2019
- Amount: $530,000
- Project type: Standard Grant
SaTC: CORE: Small: Securing Web-to-Mobile Interface Through Characterization and Detection of Malicious Deep Links
- Grant number: 1717028
- Fiscal year: 2017
- Amount: $530,000
- Project type: Standard Grant
EAGER: Collaborative Research: Privacy-enhancing CrowdPCR for Early Epidemic Detection
- Grant number: 1645121
- Fiscal year: 2016
- Amount: $530,000
- Project type: Standard Grant
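Similar National Natural Science Foundation of China grants
Real-time decision-making and planning for autonomous driving based on key human behaviors
- Grant number: 62303304
- Year approved: 2023
- Amount: 300,000 yuan
- Project type: Young Scientists Fund
Analysis of human mobility behavior patterns based on spatiotemporal knowledge graphs at the metropolitan-area scale, and its planning applications
- Grant number: 52308077
- Year approved: 2023
- Amount: 300,000 yuan
- Project type: Young Scientists Fund
Regulatory mechanisms of extravillous trophoblast invasion behavior in early human pregnancy, analyzed with Paired-Seq single-cell multi-omics
- Grant number: 82271708
- Year approved: 2022
- Amount: 500,000 yuan
- Project type: General Program
Behavioral responses and adaptation mechanisms of group-living primates to human disturbance: the Sichuan golden snub-nosed monkey in the Baihe National Nature Reserve, Sichuan, as a case study
- Grant number:
- Year approved: 2022
- Amount: 540,000 yuan
- Project type: General Program
Human behavior and environmental adaptation in the middle-to-late Middle Pleistocene around the Qiusang site on the Qinghai-Tibet Plateau
- Grant number:
- Year approved: 2022
- Amount: 300,000 yuan
- Project type: Young Scientists Fund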
Similar overseas grants
CAREER: An Integrated Trustworthy AI Research and Education Framework for Modeling Human Behavior in Climate Disasters
- Grant number: 2338959
- Fiscal year: 2024
- Amount: $530,000
- Project type: Standard Grant
Screening strategies for sexually transmitted infections in a high HIV incidence setting in South Africa
- Grant number: 10761853
- Fiscal year: 2023
- Amount: $530,000
- Project type:
GENOMICE (Game Exploring Nuances in Offspring to Master Interactions of Chromosome Expression)
- Grant number: 10760456
- Fiscal year: 2023
- Amount: $530,000
- Project type:
Resolving sources of heterogeneity and comorbidity in alcohol use disorder
- Grant number: 10783325
- Fiscal year: 2023
- Amount: $530,000
- Project type: