2008 Poster Sessions : Correlating Low-Level Events to Identify High-Level Bot Behaviors

Student Name : Elizabeth Stinson
Advisor : John Mitchell
Research Areas: Computer Systems

Commercially dominant malware-detection systems rely largely on syntactic signatures consisting of particular byte sequences. These signatures are generated via time-consuming analysis of known malware variants whose prevalence exceeds a certain threshold. Because of their emphasis on malleable properties of malware, these host-based systems are vulnerable to a variety of obfuscation techniques. Research indicates that the most popular host-based anti-malware products fail to detect more than 30% of malware seen in the wild.

We build on previous research which characterized the remote-control behavior of malicious bots by identifying system call invocations on data received over the network. Whereas that work identified individual system call invocations as likely to be malicious, our current research explores the feasibility of correlating related system calls in order to identify high-level, semantically meaningful actions, such as "acting like a proxy" or "downloading and executing a program". A typical malicious bot provides commands corresponding to each of these actions.

We specify these high-level actions via system call dependence graphs with constraints on the ordering as well as the arguments of the constituent system calls (e.g. def-use relationships), as appropriate. Our system traces the execution of processes, performing data-flow analysis and identifying when a process's execution trace matches any of the specified graphs. We use bots' command sets as inspiration in our construction of high-level behavior graphs.
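To make the graph-matching idea concrete, here is a small added example (not the poster's system): two behavior graphs, "download and execute" and "acting like a proxy", expressed as ordered system-call nodes with def-use predicates, matched against constructed traces. The syscall names, buffer and descriptor identities, and the two traces are all assumptions for the illustration.

```python
# Added example (not the poster's code): ordered def-use graphs over a syscall
# trace that recover "download and execute" and "acting like a proxy".
# Constructed bot trace: buffer b1 from the network is written to a file that
# is later executed; buffer b2 is relayed from socket 4 to socket 9.
BOT_TRACE = [
    {"n": "recv", "sock": 4, "buf": "b1"},
    {"n": "open", "path": "/tmp/update.bin", "ret": 7},
    {"n": "write", "fd": 7, "buf": "b1"},
    {"n": "execve", "path": "/tmp/update.bin"},
    {"n": "recv", "sock": 4, "buf": "b2"},
    {"n": "send", "sock": 9, "buf": "b2"},
]
# Constructed benign trace: same syscalls, but no def-use links between them.
BENIGN_TRACE = [
    {"n": "recv", "sock": 4, "buf": "b1"},
    {"n": "open", "path": "/tmp/cache", "ret": 7},
    {"n": "write", "fd": 7, "buf": "local"},
    {"n": "execve", "path": "/bin/ls"},
    {"n": "send", "sock": 4, "buf": "b1"},
]

# Behavior graphs: (label, syscall, predicate over the call and prior bindings).
DOWNLOAD_EXEC = [
    ("net", "recv", lambda c, m: True),
    ("file", "open", lambda c, m: True),
    ("write", "write", lambda c, m: c["fd"] == m["file"]["ret"]
                                    and c["buf"] == m["net"]["buf"]),
    ("exec", "execve", lambda c, m: c["path"] == m["file"]["path"]),
]
PROXY = [
    ("in", "recv", lambda c, m: True),
    ("out", "send", lambda c, m: c["buf"] == m["in"]["buf"]
                                 and c["sock"] != m["in"]["sock"]),
]

def match_graph(graph, trace, start=0, matched=None):
    """Backtracking, ordered match; each predicate sees the nodes bound so far."""
    matched = matched or {}
    if not graph:
        return matched
    label, name, pred = graph[0]
    for i, call in enumerate(trace[start:], start):
        if call["n"] == name and pred(call, matched):
            found = match_graph(graph[1:], trace, i + 1, {**matched, label: call})
            if found is not None:
                return found
    return None

def detect(trace):
    graphs = {"download_and_execute": DOWNLOAD_EXEC, "proxy": PROXY}
    return {name for name, g in graphs.items() if match_graph(g, trace) is not None}
```

The benign trace contains the same system calls in the same order as the bot trace, so only the argument-level (def-use) constraints separate the two.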

Liz got her MSCS with Distinction in Research at Stanford under John Mitchell and has worked in industry at both Juniper Networks and RSA. She is a first-year PhD student interested in systems, security, and behavior-based malware detection.