CAREER: Human-Behavior Driven Malware Detection

职业：人类行为驱动的恶意软件检测

• 批准号: 0953638
• 负责人: Danfeng Yao
• 金额: $ 53万
• 依托单位: Virginia Polytechnic Institute and State University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-04-01 至 2016-03-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0953638&HistoricalAwards=false
• 关键词: CAREER; Human; Behavior; Driven; Malware

Millions of computers worldwide are estimated to be infected by malware (malicious software) and have become ? unknown to their owners ? part of an army of dangerous ?bots?, which are software applications that run automated tasks over the Internet controlled by cyber criminals. These infected computers are coordinated and used by attackers to launch illegal and destructive network activities including identity theft, sending spam (estimated 100 billion spam messages every day), launching distributed denial of service attacks, and committing click fraud. They are also capable of launching information warfare to destroy critical network infrastructure of a nation. Existing malware-detection approaches are limited in their ability to identify and discern malicious bots from legitimate and benign ones. This proliferation and sophistication requires constant vigilance and upgrading. The proposed project introduces a new and paradigm-shifting approach for malware detection, referred to as human-behavior driven malware detection. With this approach, the project will be able to accurately differentiate network behaviors of a legitimate user and malware by identifying and enforcing unique properties of human computer usage on a host.The focus on human-user characteristics, versus those of malware, allows computer security to be realized without the need for continually monitoring ever-changing malware patterns. This approach will complement conventional malware-detecting techniques based on code analysis, data mining, or network trace filtering. The design of a unique and tamper-resistant traffic-enforcement framework will cryptographically verify the provenance information of both system and application-level data utilizing on-chip cryptographic hardware support. This project will implement novel and fine-grained input-traffic correlation analysis that has not been previously applied across a host?s network stack, kernel modules, and input devices. The proposed work will create new knowledge on design principles of reliable operating systems and applications, as well as gain insights to provide seamless integration of network-security techniques into a kernel. These studies will significantly advance the understanding of human-behavior based security and improve the system integrity of all networked computers. The research will build a base of important fundamental knowledge about user-centric security and will provide a compelling and more permanent solution to the increasing need of malware detection. The proposed work will focus on identifying characteristic human-user behaviors (namely application-level user inputs via keyboard and mouse), developing protocols for fine-grained traffic-input analysis, and preventing forgeries and attacks by malware. The PI will design and apply a combination of cryptographic techniques, correlation analysis, and Trusted Platform Module based integrity measures to carry out these tasks.As an integrated component of the project, the PI will conduct outreach and educational activities that aim to increase the general awareness of cyber-security issues in the K-14 community and broaden the interdisciplinary participation of undergraduate and underrepresented groups in computer security research. In addition, the PI will develop a novel interactive software system Sec Ed for teaching computer security and advancing efforts in curriculum development, mentoring, diversity building, and workshop organization.

据估计，全球有数百万台计算机受到恶意软件（malware）的感染，并已成为？不为主人所知？危险的军队中的一员机器人？这些软件应用程序在网络犯罪分子控制的互联网上运行自动化任务。这些受感染的计算机被攻击者协调和使用，以发起非法和破坏性的网络活动，包括身份盗窃，发送垃圾邮件（估计每天有1000亿条垃圾邮件），发起分布式拒绝服务攻击和进行点击欺诈。他们还能够发动信息战，摧毁一个国家的关键网络基础设施。现有的恶意软件检测方法在识别和区分恶意机器人与合法和良性机器人的能力方面受到限制。这种扩散和复杂化需要不断提高警惕和改进。拟议的项目引入了一种新的和范式转移的恶意软件检测方法，被称为人类行为驱动的恶意软件检测。通过这种方法，该项目将能够通过识别和强制执行主机上人类计算机使用的独特属性来准确区分合法用户和恶意软件的网络行为。对人类用户特征的关注与恶意软件的关注，使计算机安全得以实现，而无需持续监控不断变化的恶意软件模式。这种方法将补充基于代码分析、数据挖掘或网络跟踪过滤的传统恶意软件检测技术。一个独特的和防篡改的交通执法框架的设计将加密验证的起源信息的系统和应用程序级的数据，利用片上加密硬件支持。该项目将实现新颖的和细粒度的输入流量相关性分析，以前没有应用于整个主机？的网络堆栈、内核模块和输入设备。拟议的工作将创造新的知识，可靠的操作系统和应用程序的设计原则，以及获得见解，提供无缝集成的网络安全技术到一个内核。这些研究将大大推进对基于人类行为的安全性的理解，并提高所有联网计算机的系统完整性。这项研究将建立一个关于以用户为中心的安全性的重要基础知识的基础，并将为日益增长的恶意软件检测需求提供一个令人信服的、更持久的解决方案。拟议的工作将侧重于识别特征人类用户行为（即通过键盘和鼠标的应用程序级用户输入），开发细粒度流量输入分析协议，并防止恶意软件的入侵和攻击。PI将设计并应用加密技术、相关性分析和基于可信平台模块的完整性措施的组合来执行这些任务。作为该项目的集成组件，PI将开展外联和教育活动，旨在提高公众对知识产权领域网络安全问题的认识，14社区和扩大本科生和代表性不足的群体在计算机安全研究的跨学科参与。 此外，PI将开发一种新型的交互式软件系统Sec艾德，用于计算机安全教学，并在课程开发、指导、多样性建设和研讨会组织方面做出努力。