TC: Small: Collaborative Research: Scalable Malware Analysis Using Lightweight Virtualization

TC：小型：协作研究：使用轻量级虚拟化进行可扩展恶意软件分析

• 批准号: 0915364
• 负责人: Fabian Monrose
• 金额: $ 25.93万
• 依托单位: University of North Carolina at Chapel Hill
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-09-01 至 2013-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0915364&HistoricalAwards=false
• 关键词: TC; Small; Collaborative; Research; Scalable

As the web continues to play an increasing role in informationexchange, so too is it becoming the prevailing platform for infectingvulnerable hosts. One commonly deployed strategy for deliveringweb-malware involves the underhanded tactic of targeting browservulnerabilities to automatically download and run malicious softwareupon visiting a website. When popular websites are exploited, thevictim base from these so-called drive-by downloads can be far greaterthan other forms of exploitation because traditional defenses (e.g.,firewalls) pose no barrier to infection. Unfortunately, with theplethora of (insecure) web applications being deployed today, it islikely that web servers will continue to be popular targets forexploitation for the foreseeable future.One of our primary goals is to take an in-depth look at the malwareserving network on the Web by building a scalable malware executionand analysis infrastructure. Specifically, we plan to build aresource-efficient host architecture that permits lightweight processmonitoring via tracking of interactions with the OS. An importantfacet of our research direction is to explore a transactionalframework that unifies virtualization and logging to allow efficientanalysis. In this framework, the granularity of recorded transactionsis dynamically adjusted based on execution contexts, aggregatingmultiple transactions to a single, summarized, transaction wheneverpossible. Broader impats of this project will result from thecomprehensive analysis of the different aspects of the problem posedby web-based malware, and the tools, methods, and analyticaltechniques that will ultimately allow for large-scale malware analysisby the security community at large.

随着网络在信息交流中发挥越来越大的作用，它也成为感染易受攻击主机的主要平台。 一种通常部署的网络恶意软件分发策略涉及针对浏览器漏洞的秘密策略，以便在访问网站时自动下载并运行恶意软件。 当流行的网站被利用时，这些所谓的“路过”下载的受害者基础可能远远超过其他形式的利用，因为传统的防御（例如，防火墙）对感染不构成障碍。不幸的是，随着今天部署的（不安全的）Web应用程序的过多，在可预见的未来，Web服务器很可能将继续成为流行的攻击目标。我们的主要目标之一是通过构建一个可扩展的恶意软件执行和分析基础设施，深入研究Web上的恶意软件存储网络。具体来说，我们计划建立一个资源高效的主机架构，允许轻量级进程监控通过跟踪与操作系统的交互。我们的研究方向的一个重要方面是探索一个transactionalframework，统一虚拟化和日志记录，以允许efficientanalysis。在这个框架中，记录的事务的粒度根据执行上下文动态调整，尽可能将多个事务聚合为单个汇总的事务。 这个项目的更广泛的影响将来自于对基于Web的恶意软件所带来的问题的不同方面的综合分析，以及最终允许安全社区进行大规模恶意软件分析的工具，方法和分析技术。