本帖最后由 诸葛亮 于 2014-10-23 14:57 编辑
来自http://blog.avira.com/ites-proje ... em=ItesProject_link
Science @ Avira, the ITES project
By: Thorsten Sick in Technology August 27, 2014
Science projects help Avira shape its future – like the ITES Project. It started 2 years ago and will be completed by the end of the year. Here’s a sneak peek into the future of computer architecture…
science-avira
It is well known that classical computer architectures were not designed with security in mind. We intend to change that. The ITES project is creating a system purposefully built for high-security environments.
The current ITES system deploys verified compartments via Virtual Machines for different tasks. A compartment contains an operating system and the required programs (e.g. email client). Each compartment has restricted permissions that are unique. For example the browser compartment does not have access to the business plan, so if an exploited browser is running on a different OS than the email client, which has access to critical information, the impact of an attack is reduced.
Our goal in the ITES research project has been to extend the compartments system to identify hacked Virtual Machines and start countermeasures. We identify hacked machines by observing them with different sensors (user-space hooking, memory forensics and VMI – Virtual Machine Introspection).
After gathering information about the current situation in Virtual Machines, a central component will classify the state of the machines into ‘trustworthy’ or ‘suspicious’. Depending on the decision, the machine can be stopped, analyzed, repaired or restored from a snapshot.
The goal of a scientific project is to learn by building a „Demonstrator“ (an Alpha Prototype) – it is not to create a product. The operating system is split into several compartments with Antivirus (AV) technology and hypervisor sensors attached.
However, many of the pioneering technologies we developed to build Demonstrator are or will soon be integrated into our internal processes. One of our backend systems in the Virus Lab at Avira is now classifying samples for our customers based on this new technology.
Classification
Identifying malicious files is the Virus Lab’s first task when encountering unknown software.
Three methods are usually deployed to identify malicious code.
1. Static
This is Avira’s traditional forte and is how we’ve been identifying malicious code for years. Malware is, for example, identified by exact hash, fuzzy hash, byte patterns, structural generics, or by an AI while the engine complements the analysis by gathering behavioral patterns. It is not part of the ITES project.
2. Dynamic
Dynamic analysis monitors the behavior of malware. You can do it on the end-user’s system (behavior analysis performed by the AV software) or using specific analysis systems (e.g. Analysis Sandbox like Cuckoosandbox or our internal cloud-enabled Autodumper tool).
Depending on the type of the malware, we will have to monitor it in different ways. By monitoring the User-Space API, we are able to detect the Dropper of malware. Sensors in Kernel Space or below are required to identify rootkits. Kernel space sensors are drivers, and you get those with your AV software.
They will have a different (less detailed) point of view, but cannot be easily tricked by the malware in the User-Space API. Monitoring the OS from outside of the Virtual Machine is even better. One existing tool that does this is Volatility. It uses a memory snapshot of a real machine or a virtual machine and checks for anomalies in the OS data structures. As a part of the ITES project, we integrated Volatility into a Cuckoo Sandbox and use it as a second sensor.
A disadvantage of Volatility is that it only uses a snapshot, so it is possible to observe the effects of the infection, but not the process of the system being infected. Additionally User-Space events are not observed at an acceptable level of quality.
Virtual Machine Introspection (VMI) takes this approach to the next level and is currently being researched by the RUB (Ruhr University Bochum) & IFIS (Institute For Internet Security) as part of the ITES project. By monitoring the system through the hypervisor we could achieve a similar perspective as with Volatility, but without having to create snapshots. Soon we will know what granularity of data will be possible.
3. Reputation
Having a cloud service and large databases on our backend servers, it is possible to identify specific spread patterns that are typical for malware. Suspicious patterns can be defined by scripts. Rules might look like
If a user is running a sample, which has not been seen by the cloud yet, and is strangely packed: trigger a warning
If a computer executed an unknown file, after the user visited a suspiscious page on a freehoster, and the computer is running an outdated PDF reader program: trigger a warning
You get the idea. The ITES project does not cover this area.
There will be more blog posts covering the details soon.
TL;DR
Avira is investing into scientific research to deliver superior protection to our customers.
For Science,
Thorsten Sick
有道翻译:科学@小红伞,综合项目
:2014年8月27日,托尔斯滕生病在技术
科学的项目帮助Avira塑造其未来——就像综合项目。2年前开始,将在今年年底完成。这里有先睹为快的未来计算机体系结构…
science-avira
众所周知,经典计算机体系结构设计时没有安全意识。我们打算改变这种状况。针对项目是创建一个系统有目的地建立高度安全的环境。
目前可通过虚拟机系统部署验证隔间为不同的任务。舱包含操作系统和所需的项目(如电子邮件客户端)。每个车厢都有权限限制,是独一无二的。例如浏览器间没有进入商业计划,所以如果一个利用浏览器上运行不同的操作系统的电子邮件客户端,获取关键信息,减少攻击的影响。
可
我们的目标在综合研究项目扩展隔间系统识别入侵虚拟机并开始对策。我们识别入侵机器通过观察不同的传感器(用户空间的连接,内存取证和VMI -虚拟机自省)。
后收集信息关于虚拟机的现状,一个中央组件将分类机器的状态为“值得信赖的”或“可疑”。根据决定,可以停止机器,分析修复或恢复快照。
科学的项目的目标是学习,通过建立„示威者”(一个阿尔法原型)——它不是创建一个产品。操作系统被分为若干个隔间与防病毒管理程序(AV)技术和传感器连接。
然而,我们开发了许多开创性的技术构建演示或很快就会融入我们的内部流程。我们的一个后端系统的病毒实验室Avira现在分类样本基于这种新技术为我们的客户。
分类
识别恶意文件是病毒实验室的第一个任务,当遇到未知的软件。
三种方法通常是用来识别恶意代码。
1。静态
这是小红伞的传统强项,我们多年来一直识别恶意代码。恶意软件,例如,被确切的散列,模糊散列,字节模式,构造泛型,或由人工智能引擎补充收集行为模式的分析。这不是针对项目的一部分。
2。动态
动态分析监控恶意软件的行为。你可以在终端用户的系统(杀毒软件执行的行为分析)或使用特定的分析系统(如分析沙箱如Cuckoosandbox或内部应用云计算的自卸汽车工具)。
根据类型的恶意软件,我们会以不同的方式来监控它。通过监测用户空间API,我们能够检测恶意软件的滴管。传感器在内核空间或低于被要求识别rootkit。内核空间传感器驱动程序,你被你的杀毒软件。
他们将有一个不同的(详细的)的观点,但不能轻易欺骗的恶意软件在用户空间API。监控虚拟机的操作系统从外部就更好了。一个现有的工具,这是波动。它使用一个内存快照的一个真正的机器或一个虚拟机,检查操作系统异常的数据结构。作为一个综合项目的一部分,我们综合波动到布谷鸟沙箱和使用它作为第二传感器。
波动的缺点是,它只使用一个快照,所以有可能观察感染的影响,但不会被感染系统的过程。另外用户空间事件并没有观察到在一个可接受的水平的质量。
虚拟机内省(VMI)这种方法进入下一个阶段,目前正在研究的摩擦(鲁尔大学波鸿)&国际金融机构(网络安全)针对项目的一部分。通过监测系统通过hypervisor我们可以实现一个类似的观点与波动,但无需创建快照。我们很快就会知道什么粒度的数据将成为可能。
3。声誉
云服务和大型数据库后端服务器,它可以识别特定的传播模式,典型的恶意软件。可疑的模式可以定义的脚本。规则的样子
如果一个用户正在运行一个示例,它尚未被云,和奇怪的是包装:触发一个警告
如果计算机执行一个未知文件,用户访问后freehoster suspiscious页面,和计算机运行一个过时的PDF阅读器程序:触发一个警告
你懂的。针对项目不涉及这一领域。
将会有更多的博客很快覆盖的细节。
博士TL;
Avira投资为科学研究提供卓越的保护我们的客户。
科学,
托尔斯滕生病
意见与反馈翻译结果评分: 参加有道翻译用户满意度调查!
关注我们: 推荐应用 |
发表于 2014-10-23 14:56:15
楼主
发表于 2014-10-24 18:49:28
