Mobile code---executable programs that get copied from computer to computer via e-mail, web browsers, etc.---is a popular way to stage malicious attacks against users. The Windows operating system is often the target of such attacks, in part because of its ubiquity and in part because of the vast functionality it provides. Some of this functionality, like executable e-mail attachments and scripting, provides opportunity for mobile code to cause significant damage to a host system. One obvious solution is to disable such features in Windows. However, many users find such features a convenient and productive way to conduct their business. Thus, techniques that can protect against mobile code without sacrificing functionality are needed.

But even disabling functionality such as scripting will not provide complete security; it only catches the most sophomoric exploits. All operating systems, including Windows, are vulnerable to malicious use at their lowest level of operation: executing compiled code. Mobile programs, just like local programs, can access operating system components in ways that damage a user's data or render their computer useless. These programs can be written in system-level languages such as C and assembly, which are capable of compiling OS components directly into their binaries and writing directly to interrupt vectors. Disabling such functionality would mean an operating system that simply doesn't work.

This paper investigates techniques to protect Windows-based systems from malicious mobile code while minimizing functionality loss. Our solution involves writing a layer of protective code that is able to detect mobile code running on a system and then monitor its behavior. Behaviors deemed benign are allowed to execute; behaviors deemed malicious are either shut down, quarantined or logged (so that restoration procedures can be constructed). We describe new techniques for identifying, monitoring and neutralizing malicious mobile code.

We demonstrate the techniques by testing our "vaccine" against a number of the most notorious Windows viruses and worms. Further, we demonstrate how our solution maintains functionality while minimizing false positives during execution of benign programs.