Issue No.01 - Jan.-Feb. (2013 vol.10)
pp: 40-52
Stefano Ortolani, Vrije Universiteit Amsterdam, Amsterdam
Cristiano Giuffrida, Vrije Universiteit Amsterdam, Amsterdam
Bruno Crispo, University of Trento, Trento
Software keyloggers are a fast-growing class of invasive software often used to harvest confidential information. One of the main reasons for this rapid growth is the possibility for unprivileged programs running in user space to eavesdrop and record all the keystrokes typed by the users of a system. The ability to run in unprivileged mode facilitates their implementation and distribution, but, at the same time, allows one to understand and model their behavior in detail. Leveraging this characteristic, we propose a new detection technique that simulates carefully crafted keystroke sequences in input and observes the behavior of the keylogger in output to unambiguously identify it among all the running processes. We have prototyped our technique as an unprivileged application, hence matching the same ease of deployment of a keylogger executing in unprivileged mode. We have successfully evaluated the underlying technique against the most common free keyloggers. This confirms the viability of our approach in practical scenarios. We have also devised potential evasion techniques that may be adopted to circumvent our approach and proposed a heuristic to strengthen the effectiveness of our solution against more elaborate attacks. Extensive experimental results confirm that our technique is robust to both false positives and false negatives in realistic settings.
Monitoring, Kernel, Keyboards, Correlation, Robustness, PCC, Invasive software, keylogger, security, black-box
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo, "Unprivileged Black-Box Detection of User-Space Keyloggers", IEEE Transactions on Dependable and Secure Computing, vol.10, no. 1, pp. 40-52, Jan.-Feb. 2013, doi:10.1109/TDSC.2012.76
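The black-box idea from the abstract, as an added example that is not the authors' prototype: it assumes each process's output is sampled as bytes written per interval and that similarity to the injected keystroke pattern is scored with the Pearson correlation coefficient (the PCC listed in the keywords). Process names, sample values and the 0.9 threshold are constructed for illustration.

```python
from math import sqrt

def pcc(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two series of equal length >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0  # flat series (e.g. an idle process): no evidence either way
    return sxy / sqrt(sxx * syy)

def flag_processes(pattern, io_samples, threshold=0.9):
    """Return (name, score) pairs whose write activity tracks the injected pattern.

    threshold is an illustrative value, not one taken from the paper.
    """
    scores = {name: pcc(pattern, series) for name, series in io_samples.items()}
    hits = [(n, s) for n, s in scores.items() if s >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)

# Constructed sample data: keystrokes injected in each of eight intervals ...
PATTERN = [10, 80, 30, 95, 5, 60, 20, 100]
# ... and bytes written by each process in the same intervals (hypothetical names).
IO_SAMPLES = {
    "logger.exe":  [12, 85, 33, 99, 7, 64, 22, 104],
    "indexer.exe": [500, 480, 510, 495, 505, 490, 500, 498],
    "backup.exe":  [0, 0, 4096, 0, 0, 0, 4096, 0],
    "idle.exe":    [0, 0, 0, 0, 0, 0, 0, 0],
}

if __name__ == "__main__":
    for name, score in flag_processes(PATTERN, IO_SAMPLES):
        print(f"{name}: PCC={score:.3f}")
```

Only the process whose writes rise and fall with the injected pattern is flagged; steady, bursty and idle writers score low or negative.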