Artificial Malware Immunization Based on Dynamically Assigned Sense of Self

Computer malwares (e.g., botnets, rootkits, spware) are one of the most serious threats to all computers and networks. Most malwares conduct their malicious actions via hijacking the control flow of the infected system or program. Therefore, it is critically important to protect our mission critical systems from malicious control flows. Inspired by the self-nonself discrimination in natural immune system, this research explores a new direction in building the artificial malware immune systems. Most existing models of self of the protected program or system are passive reflection of the existing being (e.g., system call sequence) of the protected program or system. Instead of passively reflecting the existing being of the protected program, we actively assign a unique mark to the protected program or system. Such a dynamically assigned unique mark forms dynamically assigned sense of self of the protected program or system that enables us to effectively and efficiently distinguish the unmarked nonself (e.g., malware actions) from marked self with no false positive. Since our artificial malware immunization technique does not require any specific knowledge of the malwares, it can be effective against new and previously unknown malwares. We have implemented a proof-of-concept prototype of our artificial malware immunization based on such dynamically assigned sense of self in Linux, and our automatic malware immunization tool has successfully immunized real-world, unpatched, vulnerable applications (e.g., Snort 2.6.1 with over 140,000 lines C code) against otherwise working exploits. In addition, our artificial malware immunization is effective against return-to-libc attacks and recently discovered returnoriented exploits. The overall run time performance overhead of our artificial malware immunization prototype is no more than 4%.