CT-ISG: Collaborative Proposal : Enabling Detection of Elusive Malware by Going Out of the Box with Semantically Reconstructed View (OBSERV)

CT-ISG：协作提案：通过语义重建视图 (OBSERV) 开箱即用，能够检测难以捉摸的恶意软件

• 批准号: 0716444
• 负责人: Dongyan Xu
• 金额: $ 13万
• 依托单位: Purdue University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2007
• 资助国家: 美国
• 起止时间: 2007-08-01 至 2011-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0716444&HistoricalAwards=false
• 关键词: CT; ISG; Collaborative; Proposal; Enabling

There is an alarming trend that elusive malware is armed with techniques that detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based anti-malware systems is that they run inside the very hosts they are protecting, making them vulnerable to malware's counter-detection and subversion. To address this limitation, solutions using virtual machine (VM) technologies advocate placing the malware detection facility outside of the protected VM. However, a dilemma exists between these two approaches: The "out of the box" approach gains tamper resistance at the cost of losing the native, semantic view of the host enjoyed by the "in the box" approach. To resolve the above dilemma, a new approach called OBSERV ("Out of the Box with SEmantically Reconstructed View") is introduced to achieve the advantages of both camps by reconstructing the semantic internal view of a VM from external, low-level observations. OBSERV enables two exciting malware defense opportunities: (1) malware detection by view comparison and (2) real-time detection and stoppage of kernel-level rootkits. The broader impact of this research is two-fold: (1) It will enhance the trustworthiness and effectiveness of widely deployed anti-malware systems. Moreover, OBSERV is expected to be viewed favorably by the anti-virus software industry because of its support for existing off-the-shelf anti-virus software. (2) Results from this research will lead to the development of education materials for undergraduate and graduate courses and for professional training sessions.

有一个令人担忧的趋势，即难以捉摸的恶意软件配备了检测，逃避和破坏受害者的恶意软件检测设施的技术。在防御方面，传统的基于主机的反恶意软件系统的一个基本限制是，它们在它们所保护的主机内部运行，使它们容易受到恶意软件的反检测和颠覆。为了解决这一限制，使用虚拟机（VM）技术的解决方案提倡将恶意软件检测设施放置在受保护的VM之外。然而，这两种方法之间存在着一个困境：“开箱即用”方法获得了防篡改性，但代价是失去了“开箱即用”方法所享有的主机的原生语义视图。为了解决上述困境，一个新的方法，称为OBSERV（“出箱与SEmantically重建视图”）被引入到实现两个阵营的优点，通过重建的语义内部视图的VM从外部，低级别的观察。OBSERV实现了两个令人兴奋的恶意软件防御机会：（1）通过视图比较进行恶意软件检测，以及（2）实时检测和阻止内核级rootkit。这项研究的更广泛的影响是双重的：（1）它将提高广泛部署的反恶意软件系统的可信度和有效性。此外，OBSERV预计将受到反病毒软件行业的青睐，因为它支持现有的现成的反病毒软件。(2)这项研究的结果将导致为本科生和研究生课程以及专业培训课程编写教材。