Bait your Hook A Novel Detection Technique for Keyloggers

1. Bait your HookA Novel Detection Technique for Keyloggers Stefano Ortolani, Cristiano Giurida, and Bruno Crispo RAID 2010 Sep.

2. OUTLINE • Introduction • Our Approach • Architecture • Evaluation • Conclusion

3. Introduction – threat? • Malware with keylogging functionalities

4. Introduction – threat?

5. Introduction - Keylogger • Win32 API • GetKeyState() • GetAsyncKeyState() • SetWindowsHookEx() • X 11 • gdk_window_add_filter() Source: http://www.securityfocus.org - 2007

6. Countermeasure • Anti-keylogging software • Signature-based • APIs tracing and detection • Virtual keyboard • One-time password

7. Countermeasure(cont.) • An ideal approach should be: • Unprivileged • Reliable • Portable • Many keyloggers, one behavior

8. Our approach • The correlation between keystroke events and I/O activity • Bait your Hook! • Inject keystrokes • Record the bytes output

9. Architecture The prototype's architecture divided in components and domains.

10. Injector • Inject the input stream • Mimicking the behavior of a simulated user • Rely on unprivileged API calls • Win32: SendInput • X11: XTestFakeKeyEvent • The resulting keystroke events should: • No different than keystroke generated by a user at the keyboard

11. Monitor • Application-level statistics of I/O activities • Rely on unprivileged performance counter • Win32: WriteTransferCount • Total number of bytes the process wrote since its creation • Linux: Analogous performance counter • Minimal overhead

12. Pattern Translator • Transform an AKP(Abstract Keystroke Pattern) into a stream and viceversa • A pattern P is a set of samples Pi • Each sample Pi is the normalized amount of data measured at the time interval i • The normalization scales all the samples within the range [0,1]

13. Pattern Translator(cont.) • N - the number of samples in the pattern. • T - the constant time interval between any two successive samples. • Kmin - the minimum predefined number of keystrokes per sample allowed. • Kmax - the maximum predefined number of keystrokes per sample allowed. • Ri – the average keystroke rate

14. Detector • Infer a cause-effect relationship between input/output AKP form • Operates on a single process at a time • Calculate PCC(Pearson correlation coefficient)

15. Detector(cont.) • Linearity: scale and location invariant. • PCC(P,Q) = PCC(a + P*c,Q) • Immune to data normalization such as encryption or ignored keystrokes. • Buffering? • Focus-based buffering • Time-based buffering

16. Pattern Generator • It must NOT resemble any pattern exhibited by legitimate processes. • It must be easily identifiable in the output. • SYSmark 2004 SE suite

17. Pattern Generator(alg.) • Random • random within the range [0,1] • Random Fixed Range • random permutation of uniformly distributed samples • Sine Wave • discrete sine wave oscillating between 0 and 1 • Impulse • pattern composed of alternated 0 and 1. • Workload Aware • maximally uncorrelated to the actual workload

18. Parameters • How the AKP’s parameters influence the PCC？ • A proof-of-concept keylogger

19. Parameters(cont.) • Time interval

20. False Negatives • Effect of random padding

21. False Positives • Workload generated by the “Office” suite

22. Result • Detection results for the keyloggers used in the evaluation. • PCC's threshold set to 0.80 • New threshold and parameters • Pattern=RFR, PCC=0.6, N=60, T=1000, Kmin=1, Kmax=50 Top monitoring free software list - http://www.keylogger.org

23. Limitation • A Keylogger actively performing I/O activities • Higher inject rates? • Aggressive buffering • Monitor the memory accesses (privileged API)

24. Conclusion • An unprivileged approach for keyloggers. • Effective against real keyloggers in a realistic scenario. • The proposed architecture is OS independent. • The resulting tool (GPL licensed) will be soon made public.