
NSF Org: CNS Division Of Computer and Network Systems
Initial Amendment Date: February 20, 2009
Latest Amendment Date: January 30, 2013
Award Number: 0845042
Award Instrument: Continuing Grant
Program Manager: Sol Greenspan, sgreensp@nsf.gov, (703) 292-7841, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering
Start Date: March 1, 2009
End Date: December 31, 2014 (Estimated)
Total Intended Award Amount: $400,000.00
Total Awarded Amount to Date: $400,000.00
Funds Obligated to Date: FY 2010 = $73,396.00; FY 2011 = $82,404.00; FY 2012 = $80,782.00; FY 2013 = $89,381.00
Recipient Sponsored Research Office: 4400 UNIVERSITY DR, FAIRFAX, VA, US 22030-4422, (703) 993-2295
Primary Place of Performance: 4400 UNIVERSITY DR, FAIRFAX, VA, US 22030-4422
NSF Program(s): ADVANCED NET INFRA & RSCH, TRUSTWORTHY COMPUTING, Secure & Trustworthy Cyberspace
Primary Program Source: 01001011DB NSF RESEARCH & RELATED ACTIVIT; 01001112DB NSF RESEARCH & RELATED ACTIVIT; 01001213DB NSF RESEARCH & RELATED ACTIVIT; 01001314DB NSF RESEARCH & RELATED ACTIVIT
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070
ABSTRACT
Abstract of Proposal 0845042
CAREER: Malware Immunization and Forensics Based on Another Sense of Self
Xinyuan Wang, George Mason University
Despite recent advances in malware defense, malware (e.g., viruses, worms, botnets, rootkits, spyware) continues to pose serious threats to all computers and networks. Besides being more damaging, modern malware (e.g., Blue Pill, Agobot) is becoming increasingly stealthy and evasive. This has made it increasingly difficult to protect our computer systems and networks from malware and to ensure the trustworthiness of our mission-critical systems.

Our natural immune systems are very effective in protecting our bodies from intrusion by (almost endless) variations of pathogens. That immunity depends on the ability to distinguish our own cells (i.e., "self") from all others (i.e., "non-self"). Inspired by the self-nonself discrimination of natural immune systems, this research explores a new direction in building artificial malware immunization and malware forensics capabilities based on "another sense of self", which is essentially a unique mark assigned to the programs to be protected. Based on such an actively assigned "another sense of self", the "immunized" program is able to detect application-level malware effectively and efficiently. In addition, the actively assigned "another sense of self" enables new malware forensics capabilities that were not possible before. Since the artificial malware immunization technique does not require any specific knowledge of the malware, it has the potential to be effective against new and previously unknown malware. The new artificial malware immunization techniques and tools to be developed could automatically make many applications (e.g., Web servers) immune to many kinds of malware and thus greatly improve the trustworthiness of computer systems.
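The abstract describes the mark only in the abstract, and the outcomes report below adds that the detection happens at the system call level and is correlated across processes and threads. The following Python simulation is an added example, not code from the award or from the PI's project: it assumes (the page does not specify this) that the protected process receives a random 64-bit mark when it is immunized, that every instrumented call site presents that mark with the system call, and that a monitor treats any call arriving without the process's mark as non-self. A process that makes a non-self call is then tainted, and the taint follows fork(), so the shell commands issued by injected code are attributed to the same attack. The trace, pids and argument conventions are constructed.

```python
# Added example (editor's simulation), not the project's implementation.
# Assumed mechanism: a per-process random mark presented with each syscall;
# calls without the right mark are non-self, and taint follows fork().
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Syscall:
    pid: int
    name: str
    args: tuple
    mark: Optional[int]  # "sense of self" presented by the caller; None if absent


class Monitor:
    """Gatekeeper that knows each immunized process's secret mark."""

    def __init__(self) -> None:
        self.marks = {}        # pid -> mark assigned when the process was immunized
        self.tainted = set()   # pids whose further activity is attributed to malware
        self.nonself = []      # every call judged non-self or malware, in order
        self.commands = []     # (pid, argv) of every execve issued by malware

    def immunize(self, pid: int) -> int:
        """Assign a fresh, unguessable mark to a protected process (assumed: at load time)."""
        mark = secrets.randbits(64)
        self.marks[pid] = mark
        return mark

    def observe(self, call: Syscall) -> str:
        """Classify one system call and update taint/attribution state."""
        if call.pid in self.tainted:
            verdict = "malware"                     # already under attacker control
        elif call.pid in self.marks:
            verdict = "self" if call.mark == self.marks[call.pid] else "nonself"
        else:
            verdict = "unmonitored"

        if verdict == "self" and call.name == "fork":
            # constructed convention: args[0] is the child pid; the child runs the
            # same instrumented image, so it keeps the parent's mark
            self.marks[call.args[0]] = self.marks[call.pid]
        elif verdict in ("nonself", "malware"):
            self.nonself.append(call)
            self.tainted.add(call.pid)
            if call.name == "fork":
                self.tainted.add(call.args[0])      # taint follows the child
            if call.name == "execve":
                self.commands.append((call.pid, call.args))
        return verdict


def run_demo():
    """Constructed trace: an immunized web server is hit by injected code that
    spawns a shell, which in turn runs two commands."""
    mon = Monitor()
    web = 4242
    mark = mon.immunize(web)
    trace = [
        Syscall(web, "accept", (7,), mark),
        Syscall(web, "read", (8, 4096), mark),
        Syscall(web, "write", (8, 512), mark),
        # injected payload runs inside pid 4242 but cannot know the mark;
        # a guessed value is just as non-self as no value at all
        Syscall(web, "dup2", (8, 0), 0x41414141),
        Syscall(web, "dup2", (8, 1), None),
        Syscall(web, "execve", ("/bin/sh", "-i"), None),
        # the shell, still pid 4242, forks a child for each command it runs
        Syscall(web, "fork", (4300,), None),
        Syscall(4300, "execve", ("/bin/cat", "/etc/passwd"), None),
        Syscall(web, "fork", (4301,), None),
        Syscall(4301, "execve", ("/usr/bin/id",), None),
    ]
    verdicts = [mon.observe(c) for c in trace]
    return verdicts, mon


if __name__ == "__main__":
    verdicts, mon = run_demo()
    first = mon.nonself[0]
    print("first non-self call: pid %d %s%r" % (first.pid, first.name, first.args))
    for pid, argv in mon.commands:
        print("malware command in pid %d: %s" % (pid, " ".join(argv)))
```

The first flagged call is the injected payload's first dup2, before the shell even exists, and every execve in the tainted process tree is recorded as an attacker command; nothing in the monitor depends on a signature of the payload.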
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
Inspired by the self-nonself discrimination in natural immune systems, this project has explored a new direction in building artificial malware immunization and malware forensics capabilities based on a dynamically assigned sense of self, which is essentially a unique mark dynamically assigned to the protected code and its data access. This unique "another sense of self" enables us to effectively and efficiently detect any (including the first) system call invoked by the malware, which does not have the unique, dynamically assigned sense of self given to the immunized program.
Furthermore, our artificial malware immunization is able to pinpoint the first and all the offending actions by the malware in real time. For example, the artificial malware immunization can identify the first and all the system calls triggered by the malware in real time. By correlating the dynamically assigned sense of self across processes and threads, we are able to pinpoint the first and all the shell commands issued by the malware that attacks the immunized application. This unique feature enables new real-time malware forensics capabilities that were not possible in the past.
To enable effective malware forensics, we have investigated how to automatically recover the malware code from the memory dump upon real-time detection of the malware attack. We have developed a tool that is able to automatically and accurately pinpoint the exact start and boundary of the attack code even if it is mingled with random bytes in the memory dump. In addition, our tool can handle combinations of a number of code obfuscation encodings. To the best of our knowledge, our tool is the first to be able to automatically extract the code protected by Metasploit's polymorphic XOR additive feedback encoder Shikata Ga Nai, which dynamically modifies the instructions in the current basic block.
The project has supported one PhD student conducting research on malware immunization and forensics until the completion of his PhD in Computer Science. The research project has prepared one PhD student to become a researcher employed by a major industry research organization.
This project has resulted in 2 journal publications, 3 conference papers (one of which won a best paper award) and 1 workshop paper, 1 PhD dissertation, 1 awarded US patent and 1 pending US patent, 1 evaluation license, and two startup companies negotiating licenses for the patented technologies developed in this research project.
Last Modified: 01/10/2015
Modified by: Xinyuan Wang
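The outcomes report above says the extraction tool must find the exact start and boundary of attack code in a dump and cope with Metasploit's XOR additive feedback encoder. The following Python model is an added example, not the project's tool and not a bit-exact Shikata Ga Nai stub: it implements the XOR additive feedback scheme itself, so the reason static matching fails is concrete. Every encoded dword depends on all plaintext before it, so the decoder loop has to be emulated from the exact start offset with the exact key and count to recover the code. Assumption: the key is advanced by the decoded (plaintext) dword, which is what a loop of `xor [p], key` / `add key, [p]` computes; the real stub also randomizes its instruction sequence and decodes part of its own tail, which this model does not reproduce. The "payload" bytes and the filler around them are constructed placeholders, not shellcode.

```python
# Added example (editor's model of XOR additive feedback), not the project's
# extractor.  Assumption: key advances by the plaintext dword after each block.
import random
import struct

MASK32 = 0xFFFFFFFF


def xaf_encode(payload: bytes, key: int) -> bytes:
    """Encode 4-byte blocks: out = in ^ key, then key = (key + in) mod 2**32."""
    if len(payload) % 4:
        payload += b"\x90" * (4 - len(payload) % 4)   # pad to a dword boundary
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", payload):
        out += struct.pack("<I", dword ^ key)
        key = (key + dword) & MASK32                   # feedback from the plaintext
    return bytes(out)


def xaf_decode_in_place(mem: bytearray, start: int, count: int, key: int) -> int:
    """Emulate the decoder loop over a memory image: decode `count` dwords at
    mem[start:] in place, exactly as the stub would, and return the final key."""
    for i in range(count):
        off = start + 4 * i
        dword = struct.unpack_from("<I", mem, off)[0] ^ key
        struct.pack_into("<I", mem, off, dword)
        key = (key + dword) & MASK32
    return key


def build_dump(payload: bytes, key: int, seed: int = 7):
    """Constructed memory dump: random filler, the encoded payload, more filler.
    Returns (dump, start offset of the encoded code, number of dwords)."""
    rng = random.Random(seed)
    before = bytes(rng.getrandbits(8) for _ in range(37))
    after = bytes(rng.getrandbits(8) for _ in range(23))
    encoded = xaf_encode(payload, key)
    return bytearray(before + encoded + after), len(before), len(encoded) // 4


def recover(dump: bytearray, start: int, count: int, key: int) -> bytes:
    """Recover the plaintext code from a copy of the dump by emulating the decoder."""
    mem = bytearray(dump)
    xaf_decode_in_place(mem, start, count, key)
    return bytes(mem[start:start + 4 * count])


def demo():
    payload = b"ATTACK-CODE-0123"              # stand-in for shellcode (constructed)
    key = 0x12345678
    dump, start, count = build_dump(payload, key)
    repeated = xaf_encode(b"\x90" * 12, key)   # three identical plaintext dwords
    return {
        "plaintext_visible": payload in dump,                          # nothing to grep for
        "recovered_ok": recover(dump, start, count, key) == payload,
        "off_by_one_fails": recover(dump, start + 1, count, key) != payload,
        "wrong_key_fails": recover(dump, start, count, key ^ 1) != payload,
        # the same dword encodes differently each time it appears (feedback)
        "repeats_differ": len({repeated[i:i + 4] for i in range(0, 12, 4)}) == 3,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print("%-18s %s" % (check, ok))
```

The off-by-one and wrong-key cases are the failure modes the report's tool has to get right: the encoded region carries no recognizable plaintext, and the XOR/add chain desynchronizes from the first misaligned or mis-keyed dword onward, so the whole recovered buffer is garbage rather than partially correct.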