Bacterial quorum sensing for coordination of targeted malware

2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE) Pub Date : 2014-10-01 DOI:10.1109/MALWARE.2014.6999405

Mark E. Fioravanti, R. Ford

{"title":"Bacterial quorum sensing for coordination of targeted malware","authors":"Mark E. Fioravanti, R. Ford","doi":"10.1109/MALWARE.2014.6999405","DOIUrl":null,"url":null,"abstract":"Bacterial Quorum Sensing is a process that bacteria use to determine their local population density. Based on this determination, individual bacterial cells may alter their survival strategies to those strategies which benefit the cell the most [1, 5, 12]. For example, bacteria utilize quorum sensing to determine if the cell would benefit more from either asocial or social strategies. Alone, a single cell is vulnerable, but in a community they represent a threat capable of overwhelming a host's immune system. Most importantly, most quorum sensing approaches use commonly-encountered chemicals for sensing; due to their ubiquity, these quorum signals do not become useful for determining if an object is a bacterium; rather, they speak to the local population density. Similarly, malware has demonstrated a variety of techniques to communicate and to evade detection, and like bacteria, survival strategies can also depend on population density. As such, malware could utilize the bacterial quorum sensing system as a method of communication which has the potential to allow targeted malware to communicate and coordinate activities. Furthermore, inspired by bacterial quorum sensing, malware could use signals that are already common in the computing environment in a way that does not provide actionable remediation intelligence to network defenders. Thus, the use of a bacterial quorum sensing mechanism instead of another distributed algorithm allows the malware to leverage self-organizing properties that are based to the number of infected hosts on a network without exposing individually infected hosts to targeted remediation. This paper demonstrates and implements a digital version of the quorum sensing system through a timing covert channel [9], and uses statistical tests to determine if a signal is present. We argue that just as for bacteria, the digital quorum sensing signal is not useful for determining if a particular host is infected; as such, it is an attractive choice for malware authors.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MALWARE.2014.6999405","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 5

Abstract

Bacterial Quorum Sensing is a process that bacteria use to determine their local population density. Based on this determination, individual bacterial cells may alter their survival strategies to those strategies which benefit the cell the most [1, 5, 12]. For example, bacteria utilize quorum sensing to determine if the cell would benefit more from either asocial or social strategies. Alone, a single cell is vulnerable, but in a community they represent a threat capable of overwhelming a host's immune system. Most importantly, most quorum sensing approaches use commonly-encountered chemicals for sensing; due to their ubiquity, these quorum signals do not become useful for determining if an object is a bacterium; rather, they speak to the local population density. Similarly, malware has demonstrated a variety of techniques to communicate and to evade detection, and like bacteria, survival strategies can also depend on population density. As such, malware could utilize the bacterial quorum sensing system as a method of communication which has the potential to allow targeted malware to communicate and coordinate activities. Furthermore, inspired by bacterial quorum sensing, malware could use signals that are already common in the computing environment in a way that does not provide actionable remediation intelligence to network defenders. Thus, the use of a bacterial quorum sensing mechanism instead of another distributed algorithm allows the malware to leverage self-organizing properties that are based to the number of infected hosts on a network without exposing individually infected hosts to targeted remediation. This paper demonstrates and implements a digital version of the quorum sensing system through a timing covert channel [9], and uses statistical tests to determine if a signal is present. We argue that just as for bacteria, the digital quorum sensing signal is not useful for determining if a particular host is infected; as such, it is an attractive choice for malware authors.

查看原文本刊更多论文

细菌群体感应用于协调目标恶意软件

细菌群体感应是细菌用来确定其本地种群密度的一种过程。基于这一决定，单个细菌细胞可能会改变它们的生存策略，以那些对细胞最有利的策略[1,5,12]。例如，细菌利用群体感应来确定细胞是否会从非社交策略或社交策略中获益更多。单独的单个细胞是脆弱的，但在一个群体中，它们代表着一种能够压倒宿主免疫系统的威胁。最重要的是，大多数群体感应方法使用常见的化学物质进行感应;由于它们的普遍存在，这些群体信号对于确定一个物体是否是细菌并不有用;相反，它们反映了当地的人口密度。同样，恶意软件已经展示了各种各样的通信和逃避检测的技术，就像细菌一样，生存策略也取决于人口密度。因此，恶意软件可以利用细菌群体感应系统作为一种通信方法，这种方法有可能允许目标恶意软件进行通信和协调活动。此外，受细菌群体感应的启发，恶意软件可以使用在计算环境中已经常见的信号，以一种无法向网络防御者提供可操作的补救情报的方式。因此，使用细菌群体感应机制而不是另一种分布式算法允许恶意软件利用基于网络上受感染主机数量的自组织属性，而不会将单个受感染主机暴露于有针对性的修复中。本文通过定时隐蔽通道[9]演示并实现了群体感应系统的数字版本，并使用统计测试来确定是否存在信号。我们认为，就像细菌一样，数字群体感应信号对于确定特定宿主是否被感染是无用的;因此，它对恶意软件作者来说是一个有吸引力的选择。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)

自引率

0.00%

发文量