Process Coloring: An Information Flow-Preserving Approach to Malware Investigation
Final technical report, Jun 2007-Sep 2009
PURDUE UNIV LAFAYETTE IN
Process Coloring is an information-preserving, provenance-aware software system for computer malware detection and investigation. By tainting each application process with a distinct color and propagating the color to other processes or system objects along with system call operations, Process Coloring preserves the provenance of malware attacks, namely: through which process did a malware program infiltrate the system? Process Coloring enables three useful malware defense capabilities: (1) color-based malware detection, (2) color-based malware break-in point identification, and (3) color-based log partitioning. Implemented on top of a virtualization platform, Process Coloring achieves strong tamper-resistance, as the logs generated by the protected virtual machine are stored and processed outside the machine under attack. Finally, Process Coloring can be integrated with techniques that track information flows inside a program. The resultant integrated system achieves better malware detection accuracy by eliminating false positive alerts, especially for client-side environments. This report gives an overview of the Process Coloring project and presents the design, implementation, and evaluation highlights of the research effort.
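The color propagation, detection, break-in point identification and log partitioning described in the abstract, as an added Python example; this is not the report's or the Purdue project's code. The propagation rules (a child inherits its parent's colors on fork, a write taints the object with the writer's colors, a read adds the object's colors to the reader), the write policy on /etc/passwd, the seed colors, the pids and the system-call trace are all constructed assumptions for illustration; the report's actual propagation rules and detection criteria are not on this page.

```python
"""Toy simulation of Process Coloring over a constructed system-call trace.

Added example, not the Purdue project's code. Rules, policy and trace are
assumptions chosen to illustrate the three capabilities the abstract lists.
"""
from collections import defaultdict

# Seed colors: each long-running service gets its own color (assumed pids).
SEEDS = {100: "httpd", 200: "sshd", 300: "cron"}

# Hypothetical policy: which colors are allowed to write a sensitive object.
WRITE_POLICY = {"/etc/passwd": {"sshd"}}

# Constructed trace of (seq, pid, syscall, target); not real data.
TRACE = [
    (1, 100, "fork", 101),            # httpd spawns a worker
    (2, 101, "write", "/tmp/.x"),     # worker drops a file
    (3, 101, "exec", "/bin/sh"),      # worker turns into a shell
    (4, 200, "fork", 201),            # sshd spawns a session
    (5, 201, "read", "/etc/passwd"),  # ordinary read by the ssh session
    (6, 101, "write", "/etc/passwd"), # httpd-colored shell modifies a system file
    (7, 300, "read", "/tmp/.x"),      # cron job reads the dropped file
]


class ProcessColoring:
    """Tracks colors on processes and system objects and partitions the log."""

    def __init__(self, seeds, write_policy):
        self.proc = {pid: {c} for pid, c in seeds.items()}  # pid -> set of colors
        self.obj = defaultdict(set)                         # object -> set of colors
        self.policy = write_policy
        self.log = defaultdict(list)                        # color -> its log lines
        self.alerts = []                                    # (seq, pid, object, colors)

    def colors_of(self, pid):
        # A process never seeded and never forked carries no color.
        return self.proc.setdefault(pid, set())

    def apply(self, seq, pid, call, target):
        colors = self.colors_of(pid)
        if call in ("fork", "clone"):
            self.proc[target] = set(colors)  # child inherits parent's colors
        elif call == "exec":
            pass                             # same process: colors persist across exec
        elif call == "write":
            self.obj[target] |= colors       # object tainted with writer's colors
            allowed = self.policy.get(target, colors)
            disallowed = colors - allowed    # detection: color where it must not appear
            if disallowed:
                self.alerts.append((seq, pid, target, sorted(disallowed)))
        elif call == "read":
            colors |= self.obj[target]       # reader absorbs the object's colors
        # Log partitioning: the line lands in the partition of every color
        # the acting process carries after the call.
        for c in colors:
            self.log[c].append((seq, pid, call, target))

    def break_in_point(self, alert, seeds):
        """Map an alert's offending colors back to the seed process: the
        service through which the offending activity entered the system."""
        _, _, _, disallowed = alert
        return {c: pid for pid, c in seeds.items() if c in disallowed}


def run_example():
    """Replay the constructed trace and return the populated tracker."""
    pc = ProcessColoring(SEEDS, WRITE_POLICY)
    for seq, pid, call, target in TRACE:
        pc.apply(seq, pid, call, target)
    return pc


if __name__ == "__main__":
    pc = run_example()
    for alert in pc.alerts:
        print("alert:", alert, "break-in point:", pc.break_in_point(alert, SEEDS))
    for color, lines in pc.log.items():
        print(color, "partition:", [s for s, _, _, _ in lines])
```

In this replay the write at seq 6 raises the only alert, the alert's color maps back to pid 100 (httpd) as the break-in point, and the cron job that reads the dropped file ends up carrying both the cron and httpd colors, so its read appears in both partitions; that dual membership is what lets an investigator follow the attack into a second service's log without reading the others.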
- Computer Programming and Software
- Computer Systems Management and Standards