TC-Small-Virtual Machine Introspection-based Live Forensics for Detection of Malicious Software

用于检测恶意软件的基于 TC-Small-Virtual Machine Introspection 的实时取证

基本信息

批准号：
1016807
负责人：
Golden Richard
金额：
$ 49.9万
依托单位：
University of New Orleans
依托单位国家：
美国
项目类别：
Standard Grant
财政年份：
2010
资助国家：
美国
起止时间：
2010-09-01 至 2015-12-31
项目状态：
已结题

来源：
https://www.nsf.gov/awardsearch/showAward?AWD_ID=1016807&HistoricalAwards=false
关键词：
TC Small Virtual Machine Introspection

项目摘要

Modern malware is used extensively in computer crime and cyber-warfareand poses a serious threat to the cyber-infrastructure of the UnitedStates, at the military, civil, and corporate levels. Malware canemploy a number of techniques to gain access to needed resources andto prevent detection, including hooking or modifying system calls,adding new system calls, inserting new kernel modules, and directlypatching kernel code. Furthermore, malware is increasingly stealthy,being both difficult to detect and to analyze, and current-generationschemes for detection, analysis, and mitigation will becomeincreasingly ineffective as the trend toward additional stealthincreases, with more esoteric infection vectors, complex packingschemes, polymorphism, and metamorphism being employed.This proposal leverages emerging live digital forensics techniques, tocreate powerful techniques for malware detection and mitigation. Theselive forensics techniques deeply analyze memory dumps and buildaccurate models of kernel and application structures that reflect thestate of the machine at the time of an investigation. By integratinglive forensics techniques into a virtual machine monitor (VMM) anddeveloping hardware-supported introspection techniques to analyzesystem state, malware detection facilities can be created that preventmalware from interfering with detection and mitigation strategies.The proposal discusses a number of necessary tasks to support thisresearch agenda, including the design of and development of ahardware-assisted VMM introspection architecture and deep, portablemodeling of kernel data structures and other guest VM state, includingthe filesystem. These modeling techniques can then be used forreal-time verification of critical kernel code, cross-verification ofkernel structures, application state analysis, and protection ofcritical system files. A novel aspect of the proposed research is theuse of commodity Graphics Processing Units (GPUs), protected byhardware directed-I/O virtualization, as malware detectionaccelerators.The intellectual merit of the proposed research is to increase thedepth, flexibility, and capabilities of introspected live forensicsanalysis and to expand the scope of live forensics to the detection ofsophisticated malware. The proposed techniques expandstate-of-the-art in live forensics techniques, virtual machineintrospection, and kernel-level malware detection and will provide afoundation on which to build even more powerful techniques. Thebroader impacts of the proposed work touch all sectors of society,since individual citizens, as well as the law enforcement, military,and corporate communities all benefit from the deployment of moresophisticated malware detection mechanisms. The proposed work alsoenhances the existing curriculum in information assurance at theUniversity of New Orleans, since research results from this effortwill be incorporated into both undergraduate and graduate courses,exposing students to an important area of study in which the supply ofpractitioners falls far short of the demand.For further information see the project web site at the URLhttp://www.cs.uno.edu/~golden/live-forensics.html.

现代恶意软件广泛用于计算机犯罪和网络战，对美国军事、民用和企业层面的网络基础设施构成严重威胁。恶意软件可以采用多种技术来访问所需资源并阻止检测，包括挂钩或修改系统调用、添加新系统调用、插入新内核模块以及直接修补内核代码。此外，恶意软件越来越隐蔽，难以检测和分析，随着更加隐蔽的趋势的增加，当前的检测、分析和缓解方案将变得越来越无效，感染媒介更加深奥，打包方案更加复杂，多态性和变态性也越来越多。该提案利用新兴的实时数字取证技术来创建强大的恶意软件检测和缓解技术。这些实时取证技术深入分析内存转储并构建准确的内核和应用程序结构模型，以反映调查时的机器状态。通过将实时取证技术集成到虚拟机监视器 (VMM) 中并开发硬件支持的自省技术来分析系统状态，可以创建恶意软件检测工具，防止恶意软件干扰检测和缓解策略。该提案讨论了支持此研究议程的许多必要任务，包括硬件辅助 VMM 自省架构的设计和开发，以及内核数据结构和其他来宾 VM 状态（包括文件系统）的深度、可移植建模。这些建模技术可用于关键内核代码的实时验证、内核结构的交叉验证、应用程序状态分析以及关键系统文件的保护。所提议研究的一个新颖方面是使用受硬件定向 I/O 虚拟化保护的商用图形处理单元 (GPU) 作为恶意软件检测加速器。所提议研究的智力优点是增加实时内省的深度、灵活性和能力取证分析并将实时取证范围扩大到检测复杂的恶意软件。所提出的技术扩展了实时取证技术、虚拟机自省和内核级恶意软件检测领域的最先进技术，并将为构建更强大的技术奠定基础。拟议工作的更广泛影响涉及社会各个部门，因为公民个人以及执法、军事和企业界都受益于更复杂的恶意软件检测机制的部署。拟议的工作还增强了新奥尔良大学信息保障方面的现有课程，因为这项工作的研究成果将纳入本科生和研究生课程，使学生接触到一个重要的研究领域，而在该领域，从业人员的供应远远低于需求有关更多信息，请参阅该项目网站，网址为：http://www.cs.uno.edu/~golden/live-forensics.html。