Process Coloring: Information-Flow Preserving Approach to Malware Investigation
Principal Investigator: Dongyan Xu
Funding Source: Air Force Research Laboratory (AFRL) and Disruptive Technology Office (DTO) under agreement number FA8750-07-2-0041.
To detect and investigate computer malware attacks against critical cyber infrastructures, the following capabilities are desirable: (1) raising timely alerts to trigger a malware investigation, (2) determining the break-in point of a malware incident, i.e., the vulnerable service from which the malware infiltrates the victim, and (3) identifying all contaminations inflicted by the malware during its residence in the victim. In this project, we argue that malware break-in provenance information has not been exploited in achieving these capabilities, and we therefore propose process coloring, a new approach that preserves malware break-in provenance information and propagates it along operating-system-level information flows. More specifically, process coloring assigns a "color", a unique system-wide identifier, to each remotely accessible server process. The color is either inherited by spawned child processes or diffused transitively through process actions. Process coloring achieves three new capabilities: color-based malware warning generation, break-in point identification, and log file partitioning. The virtualization-based implementation of process coloring enables more tamper-resistant log collection, storage, and real-time monitoring. Beyond the overhead introduced by virtualization, process coloring incurs only very small additional system overhead. Experiments with real-world malware (e.g., worms and rootkits) demonstrate the advantages of process coloring over non-provenance-preserving tools.
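The following is an added, self-contained simulation of the coloring and diffusion rules described above; it is not the project's own code, which operates at the virtual-machine level rather than in a user-space model. It assumes a simplified set of process actions (fork, file write, file read, exec), a constructed two-server scenario (an "httpd" and an "sshd" process with hypothetical pids), and an assumed warning policy in which a process carrying a server's color is flagged when it executes a program outside that server's expected set. It shows how colors are inherited on fork, diffused through a shared file, used to partition the log per server, and used to name the break-in point of a contaminated file.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed simulation of process coloring (not the project's code).
# A color is an integer assigned to one remotely accessible server process.
# A process may end up carrying several colors once information from two
# servers has mixed, e.g. through a file written by one and read by another.


@dataclass
class Process:
    pid: int
    name: str
    colors: frozenset


class ColorTracker:
    """Tracks colors for processes and files and keeps a colored event log."""

    def __init__(self):
        self._next_color = 1
        self.color_owner = {}                       # color -> server name it was assigned to
        self.processes = {}                         # pid -> Process
        self.file_colors = defaultdict(frozenset)   # path -> colors that have written it
        self.log = []                               # (colors, event text), in order
        # Assumed warning policy (not from the project): programs each server
        # color is expected to execute; anything else raises a warning.
        self.expected_exec = defaultdict(set)

    def _record(self, colors, event):
        self.log.append((colors, event))

    def start_server(self, pid, name, expected_execs=()):
        """Assign a fresh, system-wide unique color to a server process."""
        color = self._next_color
        self._next_color += 1
        self.color_owner[color] = name
        self.expected_exec[color] = set(expected_execs)
        self.processes[pid] = Process(pid, name, frozenset({color}))
        self._record(frozenset({color}), f"start {name} pid={pid} color={color}")
        return color

    def fork(self, parent_pid, child_pid, name):
        """Child inherits the parent's colors unchanged."""
        parent = self.processes[parent_pid]
        self.processes[child_pid] = Process(child_pid, name, parent.colors)
        self._record(parent.colors, f"fork {parent.name}({parent_pid}) -> {name}({child_pid})")

    def write_file(self, pid, path):
        """Diffusion process -> file: the file accumulates the writer's colors."""
        proc = self.processes[pid]
        self.file_colors[path] = self.file_colors[path] | proc.colors
        self._record(proc.colors, f"write {proc.name}({pid}) -> {path}")

    def read_file(self, pid, path):
        """Diffusion file -> process: the reader picks up the file's colors."""
        proc = self.processes[pid]
        merged = proc.colors | self.file_colors[path]
        self.processes[pid] = Process(pid, proc.name, merged)
        self._record(merged, f"read {proc.name}({pid}) <- {path}")

    def exec_program(self, pid, program):
        """Exec keeps the colors; returns warnings under the assumed policy."""
        proc = self.processes[pid]
        self.processes[pid] = Process(pid, program, proc.colors)
        self._record(proc.colors, f"exec {proc.name}({pid}) -> {program}")
        return [f"WARNING: {self.color_owner[c]}-colored process executed {program}"
                for c in sorted(proc.colors) if program not in self.expected_exec[c]]

    def partition_log(self):
        """Split the single log into one view per server color."""
        parts = defaultdict(list)
        for colors, event in self.log:
            for c in colors:
                parts[self.color_owner[c]].append(event)
        return dict(parts)

    def break_in_point(self, path):
        """Which server(s) the colors on a contaminated file trace back to."""
        return sorted(self.color_owner[c] for c in self.file_colors[path])


def run_scenario():
    """Constructed scenario: a web worker drops and runs a file, then sshd reads it."""
    t = ColorTracker()
    t.start_server(100, "httpd", expected_execs=("cgi-handler",))
    t.start_server(200, "sshd", expected_execs=("bash",))
    t.fork(100, 101, "httpd-worker")
    t.fork(200, 201, "sshd-session")
    t.exec_program(201, "bash")                      # expected for sshd: no warning
    t.write_file(101, "/tmp/dropped")                # httpd color diffuses to the file
    warnings = t.exec_program(101, "/tmp/dropped")   # not expected for httpd: warning
    t.write_file(101, "/etc/cron.d/job")             # contamination carries httpd color
    t.read_file(201, "/tmp/dropped")                 # sshd session now carries both colors
    return t, warnings


if __name__ == "__main__":
    tracker, warns = run_scenario()
    print(warns)
    print(tracker.break_in_point("/etc/cron.d/job"))
    for server, events in tracker.partition_log().items():
        print(server, events)
```

The partitioned log is what an investigator would read: every event attributed to the httpd color, including the write to /etc/cron.d/job, is a contamination traceable to that server, and the read by the sshd session appears in both partitions because diffusion gave that process both colors.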
Other PIs: Eugene H. Spafford; Xuxian Jiang, George Mason University
Students: Ryan D. Riley; Larissa A. O'Brien
Publications:
Xuxian Jiang, Aaron Walters, Florian Buchholz, Dongyan Xu, Yi-Min Wang, Eugene H. Spafford, "Provenance-Aware Tracing of Worm Break-in and Contaminations: A Process Coloring Approach", Proceedings of the IEEE International Conference on Distributed Computing Systems (ICDCS 2006), Lisboa, Portugal, July 2006.
Xuxian Jiang, Florian Buchholz, Aaron Walters, Dongyan Xu, Yi-Min Wang, Eugene H. Spafford, "Tracing Worm Break-in and Contaminations via Process Coloring: A Provenance-Preserving Approach", to appear in IEEE Transactions on Parallel and Distributed Systems, 2008.
Keywords: malware detection, process coloring