
Hunting Trojan Horses

Published: 21 October 2006 Publication History

Abstract

HTH (Hunting Trojan Horses) is a security framework developed for detecting difficult types of intrusions. HTH is intended as a complement to anti-virus software in that it targets unknown and zero-day Trojan Horses and Backdoors. In order to accurately identify these types of attacks, HTH utilizes runtime information available during execution. The information collected includes fine-grained information flow, program execution flow and resources used.

In this paper we present Harrier, an Application Security Monitor at the heart of our HTH framework. Harrier is an efficient run-time monitor that dynamically collects execution-related data. Harrier is capable of collecting information across different abstraction levels, including architectural, system and library APIs. To date, Harrier is 3-4 times faster than comparable information flow tracking systems.

Using the collected information, Harrier allows for accurate identification of abnormal program behavior. Preliminary results show a good detection rate with a low rate of false positives.
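The detection idea the abstract describes (label data by where it came from, follow the labels through the program, and treat a label reaching a sink it should never reach as a symptom of a Trojan or backdoor) can be shown in miniature. The block below is an added illustration written for this page; it is not Harrier's code and works at the API level rather than at the instruction level where Harrier tracks information flow. The two source labels (`NET`, `SECRET`), the three sinks (`exec`, `net_send`, `console`), the policy table, and the two sample programs are all constructed for the example. The monitor also keeps a per-call trace of which sinks saw which labels, a crude stand-in for the "program execution flow and resources used" that the abstract lists as additional signals.

```python
# Added illustrative example (not Harrier's code): a minimal dynamic
# information-flow monitor that labels data by its source, propagates the
# labels through string operations, and raises an alert when labeled data
# reaches a sink the policy forbids for that label.  Labels, sink names and
# the sample programs below are all constructed for this demonstration.
from dataclasses import dataclass

# Source labels (assumed taxonomy, not the paper's)
NET = "net"        # bytes that arrived from the network
SECRET = "secret"  # contents of a file the program has no business exporting


@dataclass(frozen=True)
class Labeled:
    """A value carrying the set of sources that influenced it."""
    value: str
    labels: frozenset

    @staticmethod
    def from_source(value: str, *labels: str) -> "Labeled":
        return Labeled(value, frozenset(labels))

    def __add__(self, other: "Labeled") -> "Labeled":
        # Explicit flow: the result inherits every label of every operand.
        return Labeled(self.value + other.value, self.labels | other.labels)

    def slice(self, start: int, stop: int) -> "Labeled":
        # A substring is still derived from the same sources.  A byte-level
        # tracker would narrow the label set here; this toy keeps all of it.
        return Labeled(self.value[start:stop], self.labels)

    def strip(self) -> "Labeled":
        return Labeled(self.value.strip(), self.labels)


class FlowMonitor:
    """Checks every sink call against a label policy and records violations."""

    # Policy (assumed): which source labels may never reach which sink.
    POLICY = {
        "exec": frozenset({NET}),        # network data must not become a command
        "net_send": frozenset({SECRET}), # secret file contents must not leave
        "console": frozenset(),          # printing locally is always fine
    }

    def __init__(self) -> None:
        self.alerts: list[str] = []
        self.trace: list[tuple[str, frozenset]] = []  # (sink, labels) per call

    def sink(self, name: str, data: Labeled) -> bool:
        """Return True if the call is allowed; False (and record an alert) if not."""
        self.trace.append((name, data.labels))
        forbidden = data.labels & self.POLICY[name]
        if forbidden:
            self.alerts.append(f"{name} <- {sorted(forbidden)}: {data.value[:24]!r}")
            return False
        return True


def run_benign_viewer(mon: FlowMonitor) -> bool:
    """Constructed benign program: reads a local file and shows it on the console."""
    text = Labeled.from_source("127.0.0.1 localhost\n", SECRET)
    return mon.sink("console", text.strip())


def run_backdoor(mon: FlowMonitor) -> bool:
    """Constructed Trojan: takes a command from the network, runs it, and
    exfiltrates a local file.  Each individual API call looks ordinary; only
    the flow of labels across calls reveals the behaviour."""
    request = Labeled.from_source("CMD cat /etc/shadow\n", NET)
    command = request.slice(4, len(request.value)).strip()  # still labeled NET
    ok = mon.sink("exec", command)                          # policy violation 1
    secret = Labeled.from_source("root:$6$...:19000:0:99999:7:::", SECRET)
    reply = Labeled("200 OK ", frozenset()) + secret        # picks up SECRET
    ok = mon.sink("net_send", reply) and ok                 # policy violation 2
    return ok


def detect(program) -> tuple[bool, list[str]]:
    """Run one sample program under a fresh monitor; return (clean?, alerts)."""
    mon = FlowMonitor()
    clean = program(mon)
    return clean, mon.alerts


if __name__ == "__main__":
    for prog in (run_benign_viewer, run_backdoor):
        clean, alerts = detect(prog)
        print(prog.__name__, "clean" if clean else "ALERTS", alerts)
```

Two caveats a practitioner would want alongside this. First, the toy tracks only explicit flows (assignment, concatenation, slicing); a value that depends on tainted data only through a branch condition is not labeled, and real trackers differ in whether and how they handle such implicit flows. Second, the cost of propagating labels on every operation is exactly why the abstract's throughput claim (3-4 times faster than comparable information-flow trackers) matters: a monitor that is too slow to run on production workloads detects nothing.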

Published In

ASID '06: Proceedings of the 1st workshop on Architectural and system support for improving software dependability
October 2006
76 pages
ISBN:1595935762
DOI:10.1145/1181309
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. data labeling
  2. information flow control
  3. program monitoring
  4. run time environment

Conference

ASPLOS06

Cited By

  • (2022) Smart Boosted Model for Behavior-Based Malware Analysis and Detection. In IoT Based Control Networks and Intelligent Systems, pp. 803-813. doi:10.1007/978-981-19-5845-8_58. Online publication date: 12 Oct 2022.
  • (2020) Intrusion Detection System using Feature Selection With Clustering and Classification Machine Learning Algorithms on the UNSW-NB15 dataset. In 2020 International Conference on Innovation and Intelligence for Informatics, Computing and Technologies (3ICT), pp. 1-6. doi:10.1109/3ICT51146.2020.9312002. Online publication date: 20 Dec 2020.
  • (2018) Neural network Trojan. Journal of Computer Security 21(2):191-232. doi:10.5555/2590614.2590615. Online publication date: 24 Dec 2018.
  • (2016) Towards an effective and efficient malware detection system. In 2016 IEEE International Conference on Big Data (Big Data), pp. 3648-3655. doi:10.1109/BigData.2016.7841031. Online publication date: Dec 2016.
  • (2016) Feature Selection and Improving Classification Performance for Malware Detection. In 2016 IEEE International Conferences on Big Data and Cloud Computing (BDCloud), Social Computing and Networking (SocialCom), Sustainable Computing and Communications (SustainCom) (BDCloud-SocialCom-SustainCom), pp. 560-566. doi:10.1109/BDCloud-SocialCom-SustainCom.2016.87. Online publication date: Oct 2016.
  • (2011) LeakProber. In Proceedings of the first ACM conference on Data and application security and privacy, pp. 75-84. doi:10.1145/1943513.1943525. Online publication date: 21 Feb 2011.
  • (2011) Trojan characteristics analysis based on Stochastic Petri Nets. In Proceedings of 2011 IEEE International Conference on Intelligence and Security Informatics, pp. 213-215. doi:10.1109/ISI.2011.5984084. Online publication date: Jul 2011.
  • (2011) ELF-Based Computer Virus Prevention Technologies. In Information Computing and Applications, pp. 621-628. doi:10.1007/978-3-642-27452-7_84. Online publication date: 2011.
  • (2010) Detecting Trojan horses based on system behavior using machine learning method. In 2010 International Conference on Machine Learning and Cybernetics, pp. 855-860. doi:10.1109/ICMLC.2010.5580591. Online publication date: Jul 2010.
  • (2008) A Novel Testbed for Detection of Malicious Software Functionality. In Proceedings of the 2008 Third International Conference on Availability, Reliability and Security, pp. 292-301. doi:10.1109/ARES.2008.113. Online publication date: 4 Mar 2008.
