Improving host-based computer security using secure active monitoring and memory analysis

dc.contributor.advisor Lee, Wenke
dc.contributor.author Payne, Bryan D. en_US
dc.contributor.committeeMember Basu, Sumit
dc.contributor.committeeMember Bobick, Aaron
dc.contributor.committeeMember Ellis, Dan
dc.contributor.committeeMember Isbell, Charles
dc.contributor.committeeMember Weinberg, Gil
dc.contributor.department Computing en_US
dc.date.accessioned 2010-09-15T19:11:56Z
dc.date.available 2010-09-15T19:11:56Z
dc.date.issued 2010-06-03 en_US
dc.description.abstract Thirty years ago, research in designing operating systems to defeat malicious software was very popular. The primary technique was to design and implement a small security kernel that could provide security assurances to the rest of the system. However, as operating systems grew in size throughout the 1980s and 1990s, research into security kernels slowly waned. From a security perspective, the story was bleak. Providing security to one of these large operating systems typically required running software within that operating system. This weak security foundation made it relatively easy for attackers to subvert the entire system without detection. The research presented in this thesis aims to reimagine how we design and deploy computer systems. We show that through careful use of virtualization technology, one can effectively isolate the security-critical components in a system from malicious software. Furthermore, we can control this isolation to allow the security software a complete view with which to monitor the running system. This view includes all of the information necessary for implementing useful security applications, including the system memory, storage, hardware events, and network traffic. In addition, we show how to perform both passive and active monitoring securely using this new system architecture. Security applications must be redesigned to work within this new monitoring architecture. The data acquired through our monitoring is typically very low-level and difficult to use directly. In this thesis, we describe work that helps bridge this semantic gap by locating data structures within the memory of a running virtual machine. We also describe work that shows a useful and novel security framework made possible through this new monitoring architecture. This framework correlates human interaction with the system to distinguish legitimate from malicious outgoing network traffic. en_US
dc.description.degree Ph.D. en_US
dc.identifier.uri http://hdl.handle.net/1853/34852
dc.publisher Georgia Institute of Technology en_US
dc.subject Memory analysis en_US
dc.subject Introspection en_US
dc.subject Virtualization en_US
dc.subject Security en_US
dc.subject Active monitoring en_US
dc.subject User intent en_US
dc.subject.lcsh Computer networks Security measures
dc.subject.lcsh Computer security
dc.subject.lcsh Intrusion detection systems (Computer security)
dc.title Improving host-based computer security using secure active monitoring and memory analysis en_US
dc.type Text
dc.type.genre Dissertation
dspace.entity.type Publication
local.contributor.advisor Lee, Wenke
local.contributor.corporatename College of Computing
local.contributor.corporatename School of Computer Science
relation.isAdvisorOfPublication c2f2a105-702f-45e4-a8a3-4ca5eb3d0eec
relation.isOrgUnitOfPublication c8892b3c-8db6-4b7b-a33a-1b67f7db2021
relation.isOrgUnitOfPublication 6b42174a-e0e1-40e3-a581-47bed0470a1e