by Lynn A. Nystrom, Virginia Tech News
Cybercrime comes in all forms these days. One recent headline told of the creepware, or silent computer snooping, that resulted in the arrest of some 90 people in 19 countries. Miss Teen USA was among the victims. Her computer had been turned into a camera and used to spy on her in her own bedroom.
On the commercial front, Target suffered the largest retail hack in U.S. history during the Christmas shopping season of 2013, and now the Fortune 500 company’s outlook is bleak with steep drops in profits.
To combat spyware, Virginia Institute of Technology researchers say they have found the causal relations among computer network events, a breakthrough that effectively isolates infected computer hosts and detects malicious software in advance.
The researchers used causal relations to determine whether or not network activities have justifiable and legitimate causes to occur. “This type of semantic reasoning is new and very powerful,” says Virginia Tech professor Danfeng Yao, who led the research effort, which also included Virginia Tech professor Naren Ramakrishnan and graduate student Hao Zhang. “The true significance of this security approach is its potential proactive defense capability,” Yao says.
“Conventional security systems scan for known attack patterns, which is reactive. Our anomaly detection based on enforcing benign properties in network traffic is a clear departure from that.” The research was funded by a $530,000 U.S. National Science Foundation CAREER Award to develop software that differentiates human-computer interaction from malware. Yao also received a three-year, $450,000 U.S. Office of Naval Research grant to quantitatively detect anomalies in Department of Defense computers, mobile devices, command-and-control servers, and embedded systems deployed on U.S. Navy ships. Yao will present the research this month at the ACM Symposium on Information, Computer and Communications Security in Kyoto, Japan.
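The idea of checking whether outbound traffic has a justifiable cause can be illustrated with a small input-to-traffic correlator. The following is an added example written for this page, not the Virginia Tech team's code or their published algorithm: it assumes a simplified event log (user-input events and outbound-connection events tagged with host and process), two attribution windows (a request within 2 s of user input to the same process is attributed to that input; a request within 1 s of an already-justified request from the same process is treated as a chained consequence, such as a page's sub-resources), and an allow-list of background services that legitimately talk to the network without any user input, which is the kind of tuning needed to keep false positives down. All event data below is constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed tuning parameters (not from the paper).
INPUT_WINDOW = 2.0  # seconds after a keystroke/click during which traffic is attributed to it
CHAIN_WINDOW = 1.0  # seconds after a justified request during which follow-up requests are chained
# Assumed allow-list of background processes that legitimately generate unprompted traffic.
ALLOWED_BACKGROUND = {"ntp-client"}


@dataclass
class Event:
    ts: float          # seconds since start of the capture
    kind: str          # "input" (keyboard/mouse) or "net" (outbound connection)
    host: str          # machine on which the event was observed
    proc: str          # process the event belongs to
    dest: str = ""     # for net events: "host:port" being contacted


# Constructed sample log: a browser driven by a user on ws1, a silent
# beaconing process on ws2, and a legitimate time sync on ws1.
SAMPLE_EVENTS: List[Event] = [
    Event(0.0, "input", "ws1", "browser"),
    Event(0.3, "net", "ws1", "browser", "news.example:443"),
    Event(1.8, "net", "ws1", "browser", "cdn.example:443"),
    Event(2.5, "net", "ws1", "browser", "img.example:443"),
    Event(5.0, "net", "ws2", "svchost", "203.0.113.7:8080"),
    Event(9.0, "net", "ws2", "svchost", "203.0.113.7:8080"),
    Event(10.0, "input", "ws1", "browser"),
    Event(10.2, "net", "ws1", "browser", "mail.example:443"),
    Event(12.0, "net", "ws1", "ntp-client", "time.example:123"),
]


def classify(events: List[Event]) -> List[dict]:
    """Label every outbound connection as justified or unjustified.

    A net event is justified if it is allow-listed, follows user input to the
    same process within INPUT_WINDOW, or follows a justified request from the
    same process within CHAIN_WINDOW (a causal chain rooted in user input).
    """
    last_input: Dict[Tuple[str, str], float] = {}      # (host, proc) -> ts of last input
    last_justified: Dict[Tuple[str, str], float] = {}  # (host, proc) -> ts of last justified net
    results = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.host, e.proc)
        if e.kind == "input":
            last_input[key] = e.ts
            continue
        if e.kind != "net":
            continue
        t_in = last_input.get(key)
        t_net = last_justified.get(key)
        if e.proc in ALLOWED_BACKGROUND:
            verdict, reason = "justified", "allow-listed background service"
        elif t_in is not None and 0.0 <= e.ts - t_in <= INPUT_WINDOW:
            verdict, reason = "justified", "user input"
        elif t_net is not None and 0.0 <= e.ts - t_net <= CHAIN_WINDOW:
            verdict, reason = "justified", "chained from earlier justified request"
        else:
            verdict, reason = "unjustified", "no triggering input"
        if verdict == "justified":
            last_justified[key] = e.ts
        results.append({"ts": e.ts, "host": e.host, "proc": e.proc,
                        "dest": e.dest, "verdict": verdict, "reason": reason})
    return results


def suspicious_hosts(results: List[dict]) -> List[str]:
    """Hosts that produced at least one unjustified outbound connection."""
    return sorted({r["host"] for r in results if r["verdict"] == "unjustified"})


if __name__ == "__main__":
    verdicts = classify(SAMPLE_EVENTS)
    for r in verdicts:
        print(f"{r['ts']:5.1f} {r['host']}/{r['proc']:<10} -> {r['dest']:<22} {r['verdict']} ({r['reason']})")
    print("hosts to isolate:", suspicious_hosts(verdicts))
```

Run as-is, the script flags only ws2, whose svchost process contacts 203.0.113.7:8080 with no preceding user input, while the browser's traffic on ws1 is explained by the user's clicks and the time-sync traffic by the allow-list. The allow-list and the window sizes are exactly where a real deployment has to be calibrated: too small a window or too short an allow-list produces the false positives noted in the commentary below, too generous a window lets beacons timed to user activity slip through.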
DCL: Causal relationships between events are a cornerstone of CEP. They have been used in many different detection systems in the past. This particular application is interesting in that it is based on the rather obvious premiss that if a computer starts doing things that do not have any obvious cause then something is wrong with that machine. The tricky part is to define the concept of “justifiable and legitimate causes” of an action by a computer. This apparently depends upon “a novel and fine-grained input-traffic correlation analysis that has not been previously applied across a host's network stack, kernel modules, and input devices.” Such analysis may be open to false positives leading to machines being labelled as “infected” that in fact are not infected. Hopefully this research will provide experimental results.