Collection: US Government Technical Reports

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation


Abstract

Process Coloring is an information-preserving, provenance-aware software system for computer malware detection and investigation. By tainting each application process with a distinct color and propagating that color to other processes or system objects along with system call operations, Process Coloring preserves the 'provenance' of malware attacks (namely, 'Through which process did a malware program infiltrate the system?'). Process Coloring enables three useful malware defense capabilities: (1) color-based malware detection, (2) color-based malware break-in point identification, and (3) color-based log partitioning. Implemented on top of a virtualization platform, Process Coloring achieves strong tamper-resistance, as the logs generated by the protected (virtual) machine are stored and processed outside the machine under attack. Finally, Process Coloring can be integrated with techniques that track information flows inside a program. The resulting integrated system achieves better malware detection accuracy by eliminating false positive alerts, especially in client-side environments. This report gives an overview of the Process Coloring project and presents the design, implementation, and evaluation highlights of the research effort.
