Show simple item record

dc.contributor.author: Srivastava, Abhinav
dc.date.accessioned: 2011-09-22T17:50:39Z
dc.date.available: 2011-09-22T17:50:39Z
dc.date.issued: 2011-07-08
dc.identifier.uri: http://hdl.handle.net/1853/41161
dc.description.abstract: Worldwide, computer systems continue to execute malicious software that degrades the systems' performance and consumes network capacity by generating high volumes of unwanted traffic. Network-based detectors can effectively identify machines participating in ongoing attacks by monitoring the traffic to and from the systems. But network detection alone is not enough; it does not improve the operation of the Internet or the health of other machines connected to the network. We must identify the malicious code running on infected systems that participates in global attack networks. This dissertation describes a robust and secure approach that identifies malware present on infected systems based on its undesirable use of the network. Our approach, using virtualization, attributes malicious traffic to the host-level processes responsible for the traffic. The attribution identifies on-host processes, but malware instances often exhibit parasitic behaviors to subvert the execution of benign processes. We therefore augment the attribution software with a host-level monitor that detects parasitic behaviors occurring at the user and kernel levels. User-level parasitic attack detection happens via the system-call interface because it is a non-bypassable interface for user-level processes. Because no such interface exists inside the kernel for drivers, we create a new driver-monitoring interface inside the kernel to detect parasitic attacks occurring through this interface. Our attribution software relies on the guest kernel's data to identify on-host processes. To allow secure attribution, we prevent illegal modifications of critical kernel data by kernel-level malware. Together, our contributions produce a unified research outcome: an improved malicious code identification system for user- and kernel-level malware.
dc.publisher: Georgia Institute of Technology
dc.subject: Systems security
dc.subject: Virtualization
dc.subject: Malware detection
dc.subject: Security architecture
dc.subject.lcsh: Malware (Computer software)
dc.subject.lcsh: Denial of service attacks
dc.subject.lcsh: Cyberterrorism
dc.subject.lcsh: Computer viruses
dc.subject.lcsh: Kernel functions
dc.title: Robust and secure monitoring and attribution of malicious behaviors
dc.type: Dissertation
dc.description.degree: Ph.D.
dc.contributor.department: Computer Science
dc.description.advisor: Committee Chair: Giffin, Jonathon; Committee Member: Ahamad, Mustaque; Committee Member: Blough, Douglas; Committee Member: Lee, Wenke; Committee Member: Traynor, Patrick
