Posts

Cooperating Detectors

A malware detector tries to determine whether a program is malicious (examples of malicious programs are drive-by downloads, botnets, and keyloggers). Malware detection is primarily performed at two vantage points: the host and the network. This post explains why cooperation between host-based and network-based detectors is a good thing. Traditionally, detection has been performed either at the network or the host level, but not both. First, let me examine both approaches separately. A network-based detector monitors events by examining a session or network flow and tries to determine whether it is malicious. The advantage of a network-based detector is ease of deployment: there are not that many points at which a network-based detector needs to be deployed (typically it sits behind the border routers). Unfortunately, network-based detectors have a limited view of each network session. In fact, if a session happens to be encrypted, as is common with VPNs, Skype, and some bots, a network-based de...

Case for kernel-level detection

Why kernel-level detection? These are my thoughts on why malware detection should be performed at the kernel level. In general, the lower in the system hierarchy your detector resides, the harder it is for an attacker to evade it. For example, if a detector performs system-call interposition from user space, say by hooking the library wrappers that programs normally call, an attacker can evade it by invoking the kernel calls directly and never touching the hooked wrappers. For example, system-call interposition can be done on Windows using the following package. In my conversations with a guy from NSA (name withheld for obvious reasons :-)) he confirmed that new malware they are observing in their lab are using kernel calls directly. Also, look at the following article. The semantic-gap problem: A natural question that comes to mind is: why not perform detection at an even lower layer in the hierarchy? Say the VM layer, or even better, the hardware. As you move down the system hierarchy, you lose some high-level semantics. Let me explain. Let's say you are doing detection at the VM layer. A high-leve...
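The evasion described above, as an added example that is not part of the original post: a user-space interposition layer is modelled by defining write() inside the program itself, so the program's own calls to write() resolve to the hook rather than to libc (the same symbol-interposition mechanism an LD_PRELOAD monitor relies on). The "malware" then performs the same write three ways, through the hooked wrapper, through libc's generic syscall() entry, and through an inline syscall instruction, and the kernel's own return values show that all three reached it while the hook only saw the first. The function names, the choice of write(2) to /dev/null as the monitored activity, and the sample message are my own assumptions; the inline-instruction path assumes x86-64 Linux and falls back to syscall() on other platforms.

```c
/* Added example, not code from the original post. Assumes a Linux-style
 * toolchain where defining write() in the executable interposes the libc
 * wrapper for the program's own calls (as LD_PRELOAD hooks do). Function
 * names and the use of write(2) on /dev/null are assumptions of this demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Events observed by the user-space interposition layer (the "detector"). */
static int hook_hits = 0;

/* The hook: record the event, then forward it to the kernel. Programs that
 * call write() normally land here; anything that skips the wrapper does not. */
ssize_t write(int fd, const void *buf, size_t n)
{
    hook_hits++;
    return (ssize_t)syscall(SYS_write, fd, buf, n);
}

/* Evasive path: issue the syscall instruction inline, bypassing both the
 * hooked write() wrapper and libc's generic syscall() entry point. */
static long raw_write(int fd, const void *buf, size_t n)
{
#if defined(__linux__) && defined(__x86_64__)
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"((long)SYS_write), "D"((long)fd), "S"(buf), "d"((long)n)
                      : "rcx", "r11", "memory");
    return ret;
#else
    /* Other architectures: libc's syscall() still bypasses the interposed
     * write() wrapper, which is the point being demonstrated. */
    return syscall(SYS_write, fd, buf, n);
#endif
}

struct demo_result {
    int hook_seen;          /* writes the user-space hook observed */
    int kernel_completed;   /* writes the kernel reports as successful */
};

/* Performs the same write three ways and compares the two vantage points. */
struct demo_result run_demo(void)
{
    static const char msg[] = "sample event\n";   /* constructed input */
    const size_t len = sizeof msg - 1;
    struct demo_result r = { -1, -1 };
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return r;                                   /* both fields stay -1 */
    hook_hits = 0;
    r.kernel_completed = 0;
    /* 1: ordinary call through the libc wrapper: the hook sees it. */
    if (write(fd, msg, len) == (ssize_t)len)
        r.kernel_completed++;
    /* 2: libc's generic syscall() entry: skips the wrapper, hook is blind. */
    if (syscall(SYS_write, fd, msg, len) == (long)len)
        r.kernel_completed++;
    /* 3: inline syscall instruction: nothing left in user space to hook. */
    if (raw_write(fd, msg, len) == (long)len)
        r.kernel_completed++;
    close(fd);
    r.hook_seen = hook_hits;
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("user-space hook saw %d write(s); kernel completed %d\n",
           r.hook_seen, r.kernel_completed);
    return 0;
}
```

The second and third paths are what "using kernel calls directly" looks like in practice: the kernel completes the operation either way, so a detector that sits at the system-call boundary (ptrace, seccomp, a kernel module, or an eBPF tracepoint) still records all three, while the wrapper-level hook records one.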