1 / 24

Bait your Hook A Novel Detection Technique for Keyloggers

Bait your Hook A Novel Detection Technique for Keyloggers. Stefano Ortolani, Cristiano Giurida, and Bruno Crispo RAID 2010 Sep. OUTLINE. Introduction Our Approach Architecture Evaluation Conclusion. Introduction – threat?. Malware with keylogging functionalities.

apria
Download Presentation

Bait your Hook A Novel Detection Technique for Keyloggers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Bait your HookA Novel Detection Technique for Keyloggers Stefano Ortolani, Cristiano Giurida, and Bruno Crispo RAID 2010 Sep.

  2. OUTLINE • Introduction • Our Approach • Architecture • Evaluation • Conclusion

  3. Introduction – threat? • Malware with keylogging functionalities

  4. Introduction – threat?

  5. Introduction - Keylogger • Win32 API • GetKeyState() • GetAsyncKeyState() • SetWindowsHookEx() • X 11 • gdk_window_add_filter() Source: http://www.securityfocus.org - 2007

  6. Countermeasure • Anti-keylogging software • Signature-based • APIs tracing and detection • Virtual keyboard • One-time password

  7. Countermeasure(cont.) • An ideal approach should be: • Unprivileged • Reliable • Portable • Many keyloggers, one behavior

  8. Our approach • The correlation between keystroke events and I/O activity • Bait your Hook! • Inject keystrokes • Record the bytes output

  9. Architecture The prototype's architecture divided in components and domains.

  10. Injector • Inject the input stream • Mimicking the behavior of a simulated user • Rely on unprivileged API calls • Win32: SendInput • X11: XTestFakeKeyEvent • The resulting keystroke events should: • No different than keystroke generated by a user at the keyboard

  11. Monitor • Application-level statistics of I/O activities • Rely on unprivileged performance counter • Win32: WriteTransferCount • Total number of bytes the process wrote since its creation • Linux: Analogous performance counter • Minimal overhead

  12. Pattern Translator • Transform an AKP(Abstract Keystroke Pattern) into a stream and viceversa • A pattern P is a set of samples Pi • Each sample Pi is the normalized amount of data measured at the time interval i • The normalization scales all the samples within the range [0,1]

  13. Pattern Translator(cont.) • N - the number of samples in the pattern. • T - the constant time interval between any two successive samples. • Kmin - the minimum predefined number of keystrokes per sample allowed. • Kmax - the maximum predefined number of keystrokes per sample allowed. • Ri – the average keystroke rate

  14. Detector • Infer a cause-effect relationship between input/output AKP form • Operates on a single process at a time • Calculate PCC(Pearson correlation coefficient)

  15. Detector(cont.) • Linearity: scale and location invariant. • PCC(P,Q) = PCC(a + P*c,Q) • Immune to data normalization such as encryption or ignored keystrokes. • Buffering? • Focus-based buffering • Time-based buffering

  16. Pattern Generator • It must NOT resemble any pattern exhibited by legitimate processes. • It must be easily identifiable in the output. • SYSmark 2004 SE suite

  17. Pattern Generator(alg.) • Random • random within the range [0,1] • Random Fixed Range • random permutation of uniformly distributed samples • Sine Wave • discrete sine wave oscillating between 0 and 1 • Impulse • pattern composed of alternated 0 and 1. • Workload Aware • maximally uncorrelated to the actual workload

  18. Parameters • How the AKP’s parameters influence the PCC? • A proof-of-concept keylogger

  19. Parameters(cont.) • Time interval

  20. False Negatives • Effect of random padding

  21. False Positives • Workload generated by the “Office” suite

  22. Result • Detection results for the keyloggers used in the evaluation. • PCC's threshold set to 0.80 • New threshold and parameters • Pattern=RFR, PCC=0.6, N=60, T=1000, Kmin=1, Kmax=50 Top monitoring free software list - http://www.keylogger.org

  23. Limitation • A Keylogger actively performing I/O activities • Higher inject rates? • Aggressive buffering • Monitor the memory accesses (privileged API)

  24. Conclusion • An unprivileged approach for keyloggers. • Effective against real keyloggers in a realistic scenario. • The proposed architecture is OS independent. • The resulting tool (GPL licensed) will be soon made public.

More Related