[Colloq] Joshua Hodosh, Thesis Defense, Thurs. 4/29

Rachel Kalweit rachelb at ccs.neu.edu
Mon Apr 26 16:12:38 EDT 2010


The College of Computer and Information Science Presents:

Masters Thesis Defense:
Speaker: Joshua Hodosh
Date: 4/29 (Thurs.) 4PM
366 WVH

Title: Learning Malicious Activity Using Virtual Machine Introspection

Abstract:
Today's malware has grown from simple applications running in the
background to complex tools that embed themselves into operating systems
for control and stealth. Most malware encountered today incorporates
rootkit-like stealth techniques or includes a rootkit to prevent
intrusion detection systems from finding it.

Stealth and evasion are focused on evading malware detectors running
within the operating system, which depend on the OS for information. By
subverting the low-level APIs security tools rely on, malware can
leverage the trust placed in the OS. To impose security, we must ensure
the integrity of the layer of the system that provides information, and
all levels below it. Lower layers thus require less total protection.
The operating system and BIOS are not the lowest level from which we can
extract information we need. By instrumenting hardware, we can view the
raw data and state that the software manipulates and reports. However,
this is difficult and invasive, especially for a broad range of data.

In this work, we present an intrusion detection system that operates on
the data available through virtual machine introspection. We effectively
instrument virtual hardware, allowing all software on the guest to be
untrusted without requiring changes to the physical system. We extract
features from the virtual machine's memory, using known Windows and x86
data structures. The IDS utilizes machine learning to model normal and
malicious activity based on this information. We find that even with
rootkit-like security tools included in the model of normal activity, we
are able to accurately identify when malware is running on the system,
with false positive rates below 2% and false negative rates below 4%. We
show that our system is effective when using either a support vector
machine or the k-nearest neighbors algorithm.
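As an added illustration of the approach the abstract describes (this is not the thesis's code; the kernel address range, IDT placement, process-block layout and training vectors are all constructed for the example), the block below parses an x86 IDT and a process list out of a simulated guest memory image, derives two introspection features, and labels the image with a k-nearest-neighbors vote:

```python
import struct
from collections import Counter

# Constructed for the example: addresses, block layout and training data are not from the thesis.
KTEXT = (0x80400000, 0x80800000)  # assumed guest kernel code range
IDT_BASE, IDT_ENTRIES = 0x100, 32  # where the guest IDT sits in the image
PROC_SIG, PROC_SIZE = b"Proc", 16  # block layout: tag(4) flink(4) pid(4) pad(4)

def idt_hook_count(mem):
    """Feature 1: present x86 IDT gates whose handler lies outside kernel text."""
    hooked = 0
    for i in range(IDT_ENTRIES):
        lo, _sel, _, attr, hi = struct.unpack_from("<HHBBH", mem, IDT_BASE + 8 * i)
        if attr & 0x80 and not KTEXT[0] <= (hi << 16 | lo) < KTEXT[1]:
            hooked += 1
    return hooked

def hidden_process_count(mem, list_head):
    """Feature 2: cross-view diff: blocks carved by tag minus blocks reachable via the reported list."""
    linked, off = set(), list_head
    while off and off not in linked:
        linked.add(off)
        off = struct.unpack_from("<I", mem, off + 4)[0]
    carved = {o for o in range(0, len(mem) - PROC_SIZE, 4) if mem[o:o + 4] == PROC_SIG}
    return len(carved - linked)

def knn_label(vec, training, k=3):
    """Majority vote of the k training vectors closest (squared Euclidean) to vec."""
    near = sorted(training, key=lambda t: sum((a - b) ** 2 for a, b in zip(t[0], vec)))
    return Counter(label for _, label in near[:k]).most_common(1)[0][0]

def build_image(hooked_vectors=(), hide_pid=None):
    """Simulated guest memory: an IDT plus four process blocks; optionally hook vectors / unlink one pid."""
    mem = bytearray(0x1000)
    for i in range(IDT_ENTRIES):
        handler = 0x00401000 if i in hooked_vectors else 0x80400000 + 0x100 * i
        struct.pack_into("<HHBBH", mem, IDT_BASE + 8 * i, handler & 0xFFFF, 0x08, 0, 0x8E, handler >> 16)
    blocks = [0x800 + PROC_SIZE * n for n in range(4)]
    for n, off in enumerate(blocks):
        struct.pack_into("<4sII", mem, off, PROC_SIG, 0, n + 1)  # pid n+1, flink 0
    visible = [b for n, b in enumerate(blocks) if n + 1 != hide_pid]
    for a, b in zip(visible, visible[1:]):
        struct.pack_into("<I", mem, a + 4, b)  # link only the blocks the guest would report
    return mem, visible[0]

# Constructed training set; "normal" includes a security tool that hooks one vector.
TRAINING = [((0, 0), "normal"), ((0, 1), "normal"), ((1, 0), "normal"),
            ((3, 1), "malicious"), ((4, 2), "malicious"), ((2, 2), "malicious")]
```

Because the features come from raw memory rather than from guest APIs, an unlinked process block still shows up in the carved set, which is the cross-view difference the abstract relies on.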

Committee:
Prof. Javed Aslam
Prof. David Kaeli
Christopher Connelly (MIT Lincoln Laboratory, external member)
