Attribution Of Malicious Behavior

ICISS'10: Proceedings of the 6th international conference on Information systems security (2010)

Abstract
Internet-connected computer systems face ongoing software attacks. Existing defensive solutions, such as intrusion detection systems, rely on the ability to identify malicious software (malware) in order to prevent its installation. This approach remains imperfect, resulting in widespread, persistent malware infections, malicious execution, and transmission of undesirable Internet traffic. Over the past several years, we have begun to develop solutions that help computer systems automatically recover from unknown malicious software infections by identifying and disabling the software. Our work departs from previous malware analysis because it employs strict post-infection analysis matching real-world environments: it assumes that security monitoring does not exist during the critical malware installation time and identifies potentially malicious software infecting a system given only observations of the infected system's execution. This paper reports on our progress attributing undesirable network behavior to malicious code and highlights upcoming research challenges we expect to face as we begin to automatically excise that code from infected systems.
Keywords
malicious software, infected system, malicious code, malicious execution, ongoing software attack, unknown malicious software infection, critical malware installation time, persistent malware infection, previous malware analysis, Internet-connected computer system, malicious behavior