TC: SMALL: Collaborative Research: Scalable Malware Analysis using Lightweight Virtualization
Principal Investigator: Fabian Monrose
Funding Agency: National Science Foundation
Agency Number: CNS-0915364
Abstract
As the web continues to play an increasing role in information exchange, so too is it becoming the prevailing platform for infecting vulnerable hosts. One commonly deployed strategy for delivering web-malware involves the underhanded tactic of targeting browser vulnerabilities to automatically download and run malicious software upon visiting a website. When popular websites are exploited, the victim base from these so-called drive-by downloads can be far greater than other forms of exploitation because traditional defenses (e.g., firewalls) pose no barrier to infection. Unfortunately, with the plethora of (insecure) web applications being deployed today, it is likely that web servers will continue to be popular targets for exploitation for the foreseeable future.
One of our primary goals is to take an in-depth look at the malware-serving networks on the Web by building a scalable malware execution and analysis infrastructure. Specifically, we plan to build a resource-efficient host architecture that permits lightweight process monitoring by tracking each process's interactions with the OS. An important facet of our research direction is to explore a transactional framework that unifies virtualization and logging to allow efficient analysis. In this framework, the granularity of recorded transactions is dynamically adjusted based on execution context, aggregating multiple transactions into a single summarized transaction whenever possible. Broader impacts of this project will result from the comprehensive analysis of the different aspects of the problem posed by web-based malware, and from the tools, methods, and analytical techniques that will ultimately allow for large-scale malware analysis by the security community at large.
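The abstract's idea of adjusting recording granularity by execution context (coalescing many OS interactions into one summarized transaction where nothing interesting is happening, while keeping every record once a context does something worth a closer look) can be shown with a small log coalescer. The code below is an added illustration written for this page, not the project's own framework: the trace records, the "execution context" labels, the escalation rule (a context touching an executable-looking path or issuing exec is switched to fine-grained logging) and all function names are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed sample trace of OS interactions from one monitored process.
# Each record: (pid, execution context, operation, target, byte count).
SAMPLE_TRACE = [
    (4242, "main",   "open",  "/tmp/page.html", 0),
    (4242, "main",   "read",  "/tmp/page.html", 4096),
    (4242, "main",   "read",  "/tmp/page.html", 4096),
    (4242, "main",   "read",  "/tmp/page.html", 1200),
    (4242, "main",   "close", "/tmp/page.html", 0),
    (4242, "plugin", "open",  "/tmp/dl.exe",    0),
    (4242, "plugin", "write", "/tmp/dl.exe",    8192),
    (4242, "plugin", "write", "/tmp/dl.exe",    8192),
    (4242, "plugin", "close", "/tmp/dl.exe",    0),
    (4242, "plugin", "exec",  "/tmp/dl.exe",    0),
]

# Assumed escalation policy: these signals switch a context to fine-grained logging.
SENSITIVE_OPS = {"exec"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


@dataclass
class Transaction:
    """One recorded transaction; count > 1 means several raw records were merged."""
    pid: int
    context: str
    op: str
    target: str
    count: int = 1
    nbytes: int = 0

    def describe(self) -> str:
        tag = "" if self.count == 1 else f" x{self.count}"
        return f"[{self.pid}/{self.context}] {self.op}{tag} {self.target} ({self.nbytes} bytes)"


def is_sensitive(op: str, target: str) -> bool:
    """Return True when a record should escalate its context to full granularity."""
    return op in SENSITIVE_OPS or target.lower().endswith(EXECUTABLE_SUFFIXES)


def coalesce(trace):
    """Summarize a raw trace into transactions.

    Contexts start in coarse mode: consecutive records with the same
    (pid, context, op, target) are merged into one summarized transaction.
    Once a context emits a sensitive record it is escalated and every later
    record from that context is kept individually.
    Returns (transactions, set of escalated (pid, context) keys).
    """
    txs = []
    escalated = set()
    for pid, ctx, op, target, nbytes in trace:
        key = (pid, ctx)
        if is_sensitive(op, target):
            escalated.add(key)          # sticky: stays fine-grained from here on
        if key not in escalated and txs:
            last = txs[-1]
            if (last.pid, last.context, last.op, last.target) == (pid, ctx, op, target):
                last.count += 1         # same interaction repeated: fold it in
                last.nbytes += nbytes
                continue
        txs.append(Transaction(pid, ctx, op, target, 1, nbytes))
    return txs, escalated


def reduction_ratio(trace) -> float:
    """Fraction of raw records that survive as separate transactions."""
    txs, _ = coalesce(trace)
    return len(txs) / len(trace)


if __name__ == "__main__":
    transactions, fine = coalesce(SAMPLE_TRACE)
    for t in transactions:
        print(t.describe())
    print("escalated contexts:", sorted(fine))
    print(f"kept {len(transactions)} of {len(SAMPLE_TRACE)} records")
```

On the constructed trace the three reads by the "main" context collapse into one transaction, while every record from the "plugin" context is kept once it opens a path ending in .exe. Merging only adjacent identical records keeps the coalescer a single pass with constant state per context; a real monitor would additionally have to handle interleaving between contexts and decide the escalation signals from its own threat model rather than from a file suffix.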