Process Coloring: an Information Flow-Preserving Approach to Malware Investigation

Principal Investigator: Dongyan Xu

Cyberinfrastructures are facing increasingly stealthy and sophisticated malware threats. For example, recent reports have suggested that new computer worms and viruses deliberately avoid fast, massive propagation. Instead, they lurk in infected machines and inflict contamination over time, such as rootkit and backdoor installation, botnet creation, and private data theft. Current methods for detection and investigation do not fully exploit information flows tracked at the operating system level. We argue that OS-level information flow is currently an under-utilized tool for malware investigation. We will use operating system information flows to propagate malware break-in provenance information and demonstrate that preserving this provenance can make malware investigation more efficient and effective. We will also show that this technique can produce live alerts for malware that existing tools are unable to provide.
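As an added illustration (not the project's own code), the following Python toy models the idea in the paragraph above: each network-facing service is seeded with its own color, OS-level flows (fork, file read/write, exec) carry colors from source to target, and a simple policy over colors yields live alerts when a service's color reaches an object it should never touch. The event stream and all process, file and color names are constructed.

```python
from collections import defaultdict

# Constructed OS-level event stream (not real kernel output). Each tuple is
# (kind, source, target); a flow carries every color of source into target.
EVENTS = [
    ("color", "blue", "httpd"),      # seed: web service gets its own color
    ("color", "green", "sshd"),      # seed: ssh service gets its own color
    ("fork", "httpd", "sh"),         # child inherits the parent's colors
    ("write", "sh", "/tmp/drop"),    # process -> file
    ("fork", "sshd", "cron"),
    ("read", "/tmp/drop", "cron"),   # file -> process: cron now carries both
    ("exec", "/tmp/drop", "cron"),   # no new colors, already propagated
]


def propagate(events):
    """Replay the stream and return {object: set(colors)}."""
    colors = defaultdict(set)
    for kind, src, dst in events:
        if kind == "color":
            colors[dst].add(src)          # seed assignment
        else:
            colors[dst] |= colors[src]    # information flow src -> dst
    return dict(colors)


def provenance(colors, obj):
    """Break-in provenance of one object: which seeded services it traces to."""
    return frozenset(colors.get(obj, ()))


def contaminated_by(colors, color):
    """Every object carrying a color, i.e. the contamination set of a service."""
    return sorted(o for o, c in colors.items() if color in c)


def live_alerts(events, policy):
    """Replay events and raise an alert the first time an object outside a
    color's allowed set receives that color (policy: {color: allowed objects})."""
    colors = defaultdict(set)
    alerts = []
    for kind, src, dst in events:
        before = set(colors[dst])
        if kind == "color":
            colors[dst].add(src)
        else:
            colors[dst] |= colors[src]
        for c in colors[dst] - before:
            if dst not in policy.get(c, set()):
                alerts.append((c, dst, kind))
    return alerts
```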

Personnel

  • Dongyan Xu
  • Eugene Spafford

Keywords: process coloring, malware detection