Conference Paper

Hunting Trojan Horses.

DOI: 10.1145/1181309.1181312 Conference: Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability, ASID 2006, San Jose, California, USA, October 21, 2006
Source: DBLP

ABSTRACT: In this report we present HTH (Hunting Trojan Horses), a security framework for detecting Trojan Horses and Backdoors. The framework is composed of two main parts: 1) Harrier, an application security monitor that performs run-time monitoring to dynamically collect execution-related data, and 2) Secpert, a security-specific expert system based on CLIPS, which analyzes the events collected by Harrier. Our main contributions to the security research are three-fold. First, we identify common malicious behaviors, patterns, and characteristics of Trojan Horses and Backdoors. Second, we develop a security policy that can identify such malicious behavior and open the door for effectively using expert systems to implement complex security policies. Third, we construct a prototype that successfully detects Trojan Horses and Backdoors.

1 Introduction

Computer attacks grew at an alarming rate in 2004 [26] and this rate is expected to rise.

  • ABSTRACT: Zero day attacks and hidden malware pose a grave threat to computer users. To date, widespread security measures such as anti-virus packages and firewalls have proven to be ineffective in guarding against these types of malware. New security measures are essential to secure computer systems, protect digital information, and restore user confidence. Security mechanisms which are able to differentiate regular (normal) behavior from malicious (abnormal) behavior promise new ways to effectively detect, counter and ultimately prevent the execution of zero day attacks and hidden malware. In this thesis we explore the utility of different software semantics for detecting malicious behavior. Our methods significantly improve upon previous work done in the area of Host-based Intrusion Detection Systems (HIDS). We present novel methods which utilize semantics available in different abstraction levels to detect malicious behavior and provide distinct advantages when compared to the current state of the art HIDS. Our first approach, Tracks, is able to differentiate normal from abnormal behavior by extracting high-level semantics (application and operating system semantics) obtained and analyzed during runtime. Tracks is designed to accurately identify and capture Trojan Horses and Backdoors, and includes a new security policy engine. We demonstrate the utility of this approach and report on both detection rates and performance impacts. VGuard, our second security mechanism, utilizes the VMM (Virtual Machine Monitor) layer to extract very low-level semantics during runtime. VGuard can overcome some of the limitations of the semantic gap imposed when working at this level of abstraction by employing advanced data mining techniques. When we combine VMM profiling with sophisticated feature-based machine learning algorithms, we are able to accurately identify security intrusions in compute-server appliances, while introducing minimal execution overhead.
    Computer Engineering Dissertations.
  • ABSTRACT: The focus of this paper is to demonstrate the need to clearly define and segregate various user space environments in the enterprise network infrastructure, with controls ranging from administrative to technical, while still providing the various services needed to facilitate the work space environment and administrative requirements of an enterprise system. Standards assumed are industry practices and associated regulatory requirements, with implementations as they apply to the various contextual applications. This is a high level approach to understanding the significance and application of an effective secure network infrastructure. The focus is on end user needs and the associated services to support those needs. Conceptually, user space is a virtual area allocated to the end user needs identified, with specific services to support those needs by creating a virtual playground. To manage risk, the concept of creating a "security threat gateway (STG)" isolates and secures each user space with its associated services. Emphasis will be placed on the functional managerial process and application of the STG, safeguarding one user space from another, to facilitate the use of the needed services to perform the operational tasks of the organization. When users' needs and associated components are clearly identified, it is possible for anyone to use this model as a template to guide them in creating an effective strategy for their own network security. This approach is practical in orientation and application, focusing on a high level perspective, and assumes the reader already has a low level technical background for a tactical implementation in mitigating risk to the enterprise network infrastructure.
  • ABSTRACT: The focus of this paper is to identify dominant trends of information security threats to the Internet from 2001 to 2007. This paper is intended to provide an understanding of the new emphasis of attacks through use of robotic networks, and how some users and organizations are already preparing a response using innovative visualization techniques in conjunction with traditional methods. The scope of research will focus on basic enterprise level services that are commonly provided by various corporations, e.g., e-mail, browser applications, wireless and mobile devices, IP telephony, and online banking. The research will first review the network infrastructure common to most corporate organizations and assume basic enterprise components and functionality in response to the current security threats. The second emphasis will consider the impact of malware robotic networks (Botnets and Puppetnets) on the corporate network infrastructure and how to address these threats with new and innovative techniques. This approach is pragmatic in application and focuses on assimilation of existing data to present a functional rationale of attacks to anticipate and prepare for this coming year.
