Summaries - Research
Back Methods of Finding Malicious Files by Cross-Drive Forensic Comparison of Times
|Division||Research & Sponsored Programs|
|Department||Naval Research Program|
|Investigator(s)||Rowe, Neil C.|
|Sponsor||NPS Naval Research Program (Navy)|
Cross-drive comparison of metadata on a corpus of drives enables us to see time patterns in software and configuration-file updates using just the most-recent access, modification, and creation times recorded. When anomalies to such patterns are found, they may suggest potential malware activity since most files in cyberspace are associated with software, and software updates are initiated by the vendor and occur within a time period of a week following geometric distributions. Using a large corpus and knowledge of what files are known to be malicious, we will try to answer the following questions:
- How anomalous are the times associated with malicious files?
- Which are the most helpful between creation, modification, and access times?
- How often do geometric distributions or periodic processes provide a good model for normal software updates?
- How well can we distinguish user-initiated copying from software updates?
- Can measures of anomalousness of the times be usefully supplemented by measures of the anomalousness of the location (as when windows updates are placed at the top level of the directory hierarchy rather than in their proper subdirectories) or file path (as when odd characters or double extensions are used to obfuscate malware)?
The goal is to provide new clues far defending Navy information systems of all types against zero-day attacks. Navy information systems are critical infrastructure, and require a more thorough approach to defense than most civilian cyberspace does.
|Publications||Publications, theses (not shown) and data repositories will be added to the portal record when information is available in FAIRS and brought back to the portal|