Seminars & Colloquia
Department of Information and Software Engineering, George Mason University
"'Out-of-the-Box' Malware Defense"
Wednesday December 12, 2007 09:30 AM
Location: 3211, EB II NCSU Centennial Campus
In this talk, I will present OBSERV -- an 'out-of-the-box' approach that addresses the semantic gap challenge. OBSERV stands for 'Out of the Box with SEmantically Reconstructed View'. More specifically, the OBSERV mechanism -- missing in existing VM platforms -- systematically reconstructs internal semantic views (e.g., files, processes, and kernel modules) of a VM from the outside in a non-intrusive manner. To do that, OBSERV casts semantic definitions of guest OS data structures and functions onto virtual machine monitor (VMM)-level VM states and events, so that the semantic view can be reconstructed. With the semantic gap bridged, OBSERV enables a number of powerful malware defense capabilities, three of which will be demonstrated in my talk: (1) invisible system logging; (2) view-comparison-based malware detection; and (3) external run of COTS anti-malware software with improved detection accuracy and tamper-resistance.

I will also give an overview of my research and education efforts in virtualization-based computer system security and outline my future work.
Host: Peng Ning, NCSU, Computer Science
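The following is an added illustration of the two ideas in the abstract, semantic-view reconstruction from raw VM memory and view-comparison-based detection; it is example code written for this page, not OBSERV's own implementation. It assumes a hypothetical toy guest kernel whose process list is a circular linked list of 24-byte task records with a known layout (pid, next pointer, name), a linear kernel mapping (kernel virtual address = physical address + KERNEL_VA_BASE) and a known list-head address INIT_TASK_VA, as a real introspection tool would take from the guest kernel's type definitions and symbol table. The guest memory image and the in-guest (possibly rootkit-filtered) process listing are both constructed inline.

```python
"""
Added example (not OBSERV code): reconstruct a guest's process list from raw
VM memory using the guest kernel's struct layout, then compare it with the
view reported from inside the guest to spot hidden processes.
"""
import struct

# --- Assumed (hypothetical) guest kernel layout ---------------------------
# Toy "task" struct, 24 bytes, little-endian:
#   0x00  u32  pid
#   0x04  u32  next      (kernel virtual address of next task; circular list)
#   0x08  char comm[16]  (NUL-padded process name)
TASK_FMT = "<II16s"
TASK_SIZE = struct.calcsize(TASK_FMT)   # 24 bytes

KERNEL_VA_BASE = 0xC0000000   # assumed: kernel VA = PA + KERNEL_VA_BASE (linear map)
INIT_TASK_VA = 0xC0001000     # assumed: list head address, as read from the guest's symbol table
PHYS_MEM_SIZE = 0x4000        # constructed 16 KiB guest "physical memory"


def va_to_pa(va):
    """Translate a guest kernel virtual address to a guest physical address.
    Refuses addresses that are not kernel addresses or fall outside guest RAM."""
    if va < KERNEL_VA_BASE:
        raise ValueError("not a kernel address: 0x%x" % va)
    pa = va - KERNEL_VA_BASE
    if pa + TASK_SIZE > PHYS_MEM_SIZE:
        raise ValueError("address outside guest memory: 0x%x" % va)
    return pa


def build_guest_memory(procs):
    """Construct a guest memory image holding `procs` as a circular task list.
    `procs` is a list of (pid, name); tasks are laid out back to back from
    INIT_TASK_VA. This stands in for the VMM's read-only view of guest RAM."""
    mem = bytearray(PHYS_MEM_SIZE)
    n = len(procs)
    for i, (pid, name) in enumerate(procs):
        this_va = INIT_TASK_VA + i * TASK_SIZE
        next_va = INIT_TASK_VA + ((i + 1) % n) * TASK_SIZE
        pa = va_to_pa(this_va)
        mem[pa:pa + TASK_SIZE] = struct.pack(TASK_FMT, pid, next_va, name.encode())
    return bytes(mem)


def external_process_view(mem, head_va=INIT_TASK_VA, max_tasks=1024):
    """Walk the guest task list from outside the VM, touching only raw memory
    (no guest code runs). Returns {pid: name}. The walk is bounded so a
    corrupted or maliciously cyclic list cannot hang the monitor."""
    view = {}
    va = head_va
    for _ in range(max_tasks):
        pa = va_to_pa(va)
        pid, next_va, comm = struct.unpack_from(TASK_FMT, mem, pa)
        view[pid] = comm.split(b"\0", 1)[0].decode()
        if next_va == head_va:          # back at the list head: done
            return view
        va = next_va
    raise RuntimeError("task list did not return to its head; memory may be corrupted")


def find_hidden(external_view, internal_view):
    """Cross-view comparison: processes present in kernel memory (seen from the
    VMM) but absent from the listing the guest itself reports."""
    return {pid: name for pid, name in external_view.items() if pid not in internal_view}


def demo():
    """Constructed scenario: a rootkit inside the guest filters pid 1337 out of
    the in-guest listing, but the task record is still in kernel memory."""
    guest_mem = build_guest_memory(
        [(0, "swapper"), (1, "init"), (1337, "rootkit_d"), (2042, "sshd")])
    external = external_process_view(guest_mem)
    internal = {0: "swapper", 1: "init", 2042: "sshd"}   # what the compromised guest reports
    return find_hidden(external, internal)


if __name__ == "__main__":
    hidden = demo()
    for pid, name in sorted(hidden.items()):
        print("hidden process: pid=%d comm=%s" % (pid, name))
```

Two practical points the code makes explicit: the external walk trusts nothing from inside the guest except the static layout and symbol information, and it bounds every pointer it follows, since a rootkit that can corrupt the list can otherwise feed the monitor an endless or out-of-range chain.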