{"63422":{"#nid":"63422","#data":{"type":"event","title":"PhD Thesis Proposal Announcement","body":[{"value":"\u003Cp\u003E\u003Cstrong\u003ETitle:\u003C\/strong\u003E Efficient Monitoring and Attribution of Malicious Behaviors\u003Cbr \/\u003E\u003Cbr \/\u003EAbhinav Srivastava\u003Cbr \/\u003EGeorgia Tech Information Security Center\u003Cbr \/\u003ESchool of Computer Science\u003Cbr \/\u003EGeorgia Institute of Technology\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cstrong\u003ECommittee: \u003C\/strong\u003E\u003Cbr \/\u003EProf. Jonathon Giffin (Advisor, School of Computer Science, Georgia Institute of Technology)\u003Cbr \/\u003EProf. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology)\u003Cbr \/\u003EProf. Patrick Traynor (School of Computer Science, Georgia Institute of Technology)\u003Cbr \/\u003EProf. Wenke Lee (School of Computer Science, Georgia Institute of Technology)\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cstrong\u003EThesis Summary:\u003C\/strong\u003E\u003Cbr \/\u003EWorldwide computer systems continue to execute software that exhibits malicious network and host behaviors. On networks, the visible effects of current attacks regularly manifest as suspicious traffic. On hosts, malware installs malicious kernel drivers, subverts the execution of benign processes (parasitic behaviors), and tampers with existing host-based security utilities. Traditional host-based security software is unable to detect current-generation malware. These security solutions are designed to detect and prevent application-level attacks. Current attacks regularly bypass existing protections by installing themselves in the kernel and invoking kernel functionality directly. They use kernel code illegitimately and modify kernel data illicitly. To counter this malware, it is necessary to monitor the behaviors of kernel malware and to protect kernel data from it.\u003Cbr \/\u003E\u003Cbr \/\u003ENetwork-based detectors can effectively identify machines participating in ongoing attacks by monitoring the traffic to and from those systems. However, they cannot determine which malicious processes are responsible for the suspicious traffic. Host-based detectors can identify malicious processes, but they are often disabled by knowledgeable attackers. Identifying the malicious processes behind suspicious traffic creates the foundation for successful remediation.\u003Cbr \/\u003E\u003Cbr \/\u003EMy research focuses on attributing malicious network behaviors to host-level software and on monitoring malicious behaviors occurring at user and kernel level. The proper attribution of malicious behaviors creates the foundation for subsequent surgical remediation of the malware infection. The ability to observe the execution of untrusted or malicious drivers improves the overall security of operating systems. In order to resist direct attacks from kernel-level malware, I take advantage of layers beneath the OS code, such as a hypervisor or virtual machine monitor (VMM).\u003Cbr \/\u003E\u003Cbr \/\u003EThis dissertation proposal describes four unique contributions in host-based computer security. In the first contribution, I attributed malicious network behaviors to the host-level processes associated with the malicious traffic. This successful attribution allowed me to create a tamper-resistant application-level firewall. Though the attribution identifies malicious processes, malware instances often exhibit parasitic behaviors in which they inject malicious code into benign processes to subvert their runtime behaviors. In my second contribution, I augmented the attribution software with a host-level monitor that detects parasitic behaviors occurring at user and kernel level. In my third contribution, I designed a system that monitors the execution of untrusted drivers. It isolates drivers in a separate address space, rewrites binary kernel and driver code at runtime, and generates new code on demand to reduce the monitoring overhead. Finally, in my last contribution, I am designing a system that prevents illegal modifications of critical kernel data by malicious drivers. Together, these contributions produce a unified research goal -- improving host-based security against user- and kernel-level malware.\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":"","uid":"27345","created_gmt":"2011-01-07 12:53:13","changed_gmt":"2016-10-08 01:53:40","author":"Cristina Gonzalez","boilerplate_text":"","field_publication":"","field_article_url":"","field_event_time":{"event_time_start":"2011-01-13T12:00:00-05:00","event_time_end":"2011-01-13T14:00:00-05:00","event_time_end_last":"2011-01-13T14:00:00-05:00","gmt_time_start":"2011-01-13 17:00:00","gmt_time_end":"2011-01-13 19:00:00","gmt_time_end_last":"2011-01-13 19:00:00","rrule":null,"timezone":"America\/New_York"},"extras":[],"groups":[{"id":"47223","name":"College of Computing"},{"id":"50875","name":"School of Computer Science"}],"categories":[],"keywords":[{"id":"11038","name":"CoC PhD Thesis Proposal Announcement"}],"core_research_areas":[],"news_room_topics":[],"event_categories":[{"id":"1795","name":"Seminar\/Lecture\/Colloquium"}],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[],"email":[],"slides":[],"orientation":[],"userdata":""}}}