TC-Small-Virtual Machine Introspection-based Live Forensics for Detection of Malicious Software

用于检测恶意软件的基于 TC-Small-Virtual Machine Introspection 的实时取证

• 批准号: 1016807
• 负责人: Golden Richard
• 金额: $ 49.9万
• 依托单位: University of New Orleans
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-09-01 至 2015-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1016807&HistoricalAwards=false
• 关键词: TC; Small; Virtual; Machine; Introspection

Modern malware is used extensively in computer crime and cyber-warfareand poses a serious threat to the cyber-infrastructure of the UnitedStates, at the military, civil, and corporate levels. Malware canemploy a number of techniques to gain access to needed resources andto prevent detection, including hooking or modifying system calls,adding new system calls, inserting new kernel modules, and directlypatching kernel code. Furthermore, malware is increasingly stealthy,being both difficult to detect and to analyze, and current-generationschemes for detection, analysis, and mitigation will becomeincreasingly ineffective as the trend toward additional stealthincreases, with more esoteric infection vectors, complex packingschemes, polymorphism, and metamorphism being employed.This proposal leverages emerging live digital forensics techniques, tocreate powerful techniques for malware detection and mitigation. Theselive forensics techniques deeply analyze memory dumps and buildaccurate models of kernel and application structures that reflect thestate of the machine at the time of an investigation. By integratinglive forensics techniques into a virtual machine monitor (VMM) anddeveloping hardware-supported introspection techniques to analyzesystem state, malware detection facilities can be created that preventmalware from interfering with detection and mitigation strategies.The proposal discusses a number of necessary tasks to support thisresearch agenda, including the design of and development of ahardware-assisted VMM introspection architecture and deep, portablemodeling of kernel data structures and other guest VM state, includingthe filesystem. These modeling techniques can then be used forreal-time verification of critical kernel code, cross-verification ofkernel structures, application state analysis, and protection ofcritical system files. A novel aspect of the proposed research is theuse of commodity Graphics Processing Units (GPUs), protected byhardware directed-I/O virtualization, as malware detectionaccelerators.The intellectual merit of the proposed research is to increase thedepth, flexibility, and capabilities of introspected live forensicsanalysis and to expand the scope of live forensics to the detection ofsophisticated malware. The proposed techniques expandstate-of-the-art in live forensics techniques, virtual machineintrospection, and kernel-level malware detection and will provide afoundation on which to build even more powerful techniques. Thebroader impacts of the proposed work touch all sectors of society,since individual citizens, as well as the law enforcement, military,and corporate communities all benefit from the deployment of moresophisticated malware detection mechanisms. The proposed work alsoenhances the existing curriculum in information assurance at theUniversity of New Orleans, since research results from this effortwill be incorporated into both undergraduate and graduate courses,exposing students to an important area of study in which the supply ofpractitioners falls far short of the demand.For further information see the project web site at the URLhttp://www.cs.uno.edu/~golden/live-forensics.html.

现代恶意软件被广泛用于计算机犯罪和网络战，对美国的军事、民用和企业层面的网络基础设施构成严重威胁。恶意软件可以采用许多技术来访问所需的资源并阻止检测，包括钩接或修改系统调用、添加新的系统调用、插入新的内核模块和直接修补内核代码。此外，恶意软件越来越隐蔽，难以检测和分析，当前一代的检测、分析和缓解方案将变得越来越无效，因为更多的隐蔽趋势的增加，更深奥的感染载体，复杂的包装方案，多态性和变形被采用。该提案利用新兴的实时数字取证技术，创建强大的恶意软件检测和缓解技术。这些自动取证技术深入分析内存转储，并构建内核和应用程序结构的准确模型，这些模型反映了调查时机器的状态。通过将实时取证技术集成到虚拟机监视器（VMM）中，并开发硬件支持的内省技术来分析系统状态，可以创建恶意软件检测设施，防止恶意软件干扰检测和缓解策略。该提案讨论了支持该研究议程的一些必要任务，包括硬件辅助VMM自省架构的设计和开发，以及内核数据结构和其他来宾虚拟机状态（包括文件系统）的深度可移植建模。然后，这些建模技术可以用于关键内核代码的实时验证、内核结构的交叉验证、应用程序状态分析和关键系统文件的保护。提出的研究的一个新颖方面是使用商品图形处理单元（gpu），由硬件定向i /O虚拟化保护，作为恶意软件检测加速器。提出的研究的智力价值在于增加内省现场取证分析的深度、灵活性和能力，并将现场取证的范围扩展到复杂恶意软件的检测。提出的技术扩展了实时取证技术、虚拟机内省和内核级恶意软件检测的最新技术，并将为构建更强大的技术提供基础。拟议工作的广泛影响涉及社会的各个部门，因为个人公民，以及执法部门，军队和企业社区都受益于部署更复杂的恶意软件检测机制。拟议的工作还加强了新奥尔良大学现有的信息保障课程，因为这项工作的研究成果将被纳入本科和研究生课程，让学生接触到一个重要的研究领域，在这个领域，从业人员的供应远远不足。欲了解更多信息，请参阅项目网站网址：https://www.cs.uno.edu/~golden/live-forensics.html。