This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Unprivileged Black-Box Detection of User-Space Keyloggers
Jan.-Feb. 2013 (vol. 10 no. 1)
pp. 40-52
Stefano Ortolani, Vrije Universiteit Amsterdam, Amsterdam
Cristiano Giuffrida, Vrije Universiteit Amsterdam, Amsterdam
Bruno Crispo, University of Trento, Trento
Software keyloggers are a fast growing class of invasive software often used to harvest confidential information. One of the main reasons for this rapid growth is the possibility for unprivileged programs running in user space to eavesdrop and record all the keystrokes typed by the users of a system. The ability to run in unprivileged mode facilitates their implementation and distribution, but, at the same time, allows one to understand and model their behavior in detail. Leveraging this characteristic, we propose a new detection technique that simulates carefully crafted keystroke sequences in input and observes the behavior of the keylogger in output to unambiguously identify it among all the running processes. We have prototyped our technique as an unprivileged application, hence matching the same ease of deployment of a keylogger executing in unprivileged mode. We have successfully evaluated the underlying technique against the most common free keyloggers. This confirms the viability of our approach in practical scenarios. We have also devised potential evasion techniques that may be adopted to circumvent our approach and proposed a heuristic to strengthen the effectiveness of our solution against more elaborated attacks. Extensive experimental results confirm that our technique is robust to both false positives and false negatives in realistic settings.
Index Terms:
Monitoring,Kernel,Keyboards,Correlation,Robustness,PCC,Invasive software,keylogger,security,black-box
Citation:
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo, "Unprivileged Black-Box Detection of User-Space Keyloggers," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 1, pp. 40-52, Jan.-Feb. 2013, doi:10.1109/TDSC.2012.76
Usage of this product signifies your acceptance of the Terms of Use.