Enabling Internet Malware Investigation and Defense Using Virtualization

Internet malware remains a top threat to the Internet today, as clearly demonstrated by the recent large-scale Internet worm outbreaks (e.g., the MSBlaster worm in 2003 and the Sasser worm in 2004). Moreover, every new wave of outbreaks reveals the rapid evolution of Internet malware in terms of speed, virulence, and sophistication. Unfortunately, our capability to investigate and defend against Internet malware has not advanced at the same pace since the Code Red episode of mid-2001.

In this talk, I will present my research work on an integrated, virtualization-based framework for malware investigation and defense. First, I will introduce a virtualization-based honeyfarm and reverse honeyfarm architecture, called Collapsar, that operates as the front-end “trap” for various malware attacks. Collapsar is, to the best of our knowledge, the first honeyfarm implementation that enables centralized management of honeypots while still preserving a (virtual) distributed presence. Next, I will present vGround, the back-end virtual “playground” for captured worms and malware. vGround enables destruction-oriented experiments with real-world malware that were previously expensive, inefficient, or even impossible to conduct. In particular, based on the dynamic infection behavior of real worms revealed by vGround, we have defined a novel behavioral footprinting model for worm characterization and identification, which complements the state-of-the-art content-based signature approach. Our recent enhancement to vGround is a provenance-aware logging mechanism (called process coloring) that achieves higher efficiency and accuracy than existing systems in tracing malware break-ins and contamination. Finally, I will briefly describe my latest work on virtualizing the run-time environment to defend against code-injection attacks by Internet malware, as well as my future research plan.

Speaker Details

Xuxian Jiang is a Ph.D. Candidate in the Department of Computer Science at Purdue University and will be graduating in the summer of 2006. He is a core student member of CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. He received his BS and MS degrees from Xi’an Jiaotong University, China. His research interests include system and network security, network virtualization, and virtual distributed computing. Further information is available at http://www.cs.purdue.edu/~jiangx.

Speakers:
Xuxian Jiang
Affiliation:
Purdue University