Bait your Hook: A Novel Detection Technique for Keyloggers
Stefano Ortolani, Cristiano Giuffrida, and Bruno Crispo
RAID 2010 Sep.
OUTLINE
• Introduction
• Our Approach
• Architecture
• Evaluation
• Conclusion
Introduction – threat?
• Malware with keylogging functionalities
Introduction - Keylogger
• Win32 API
  • GetKeyState()
  • GetAsyncKeyState()
  • SetWindowsHookEx()
• X11
  • gdk_window_add_filter()
Source: http://www.securityfocus.org - 2007
Countermeasure
• Anti-keylogging software
• Signature-based
• API tracing and detection
• Virtual keyboard
• One-time password
Countermeasure (cont.)
• An ideal approach should be:
  • Unprivileged
  • Reliable
  • Portable
• Many keyloggers, one behavior
Our approach
• The correlation between keystroke events and I/O activity
• Bait your Hook!
  • Inject keystrokes
  • Record the bytes output
Architecture
The prototype's architecture, divided into components and domains.
Injector
• Injects the input stream
• Mimics the behavior of a simulated user
• Relies on unprivileged API calls
  • Win32: SendInput
  • X11: XTestFakeKeyEvent
• The resulting keystroke events should:
  • Be no different from keystrokes generated by a user at the keyboard
Monitor
• Application-level statistics of I/O activities
• Relies on unprivileged performance counters
  • Win32: WriteTransferCount
    • Total number of bytes the process wrote since its creation
  • Linux: Analogous performance counter
• Minimal overhead
Pattern Translator
• Transforms an AKP (Abstract Keystroke Pattern) into a stream and vice versa
• A pattern P is a set of samples Pi
• Each sample Pi is the normalized amount of data measured at the time interval i
• The normalization scales all the samples within the range [0,1]
Pattern Translator (cont.)
• N - the number of samples in the pattern.
• T - the constant time interval between any two successive samples.
• Kmin - the minimum predefined number of keystrokes per sample allowed.
• Kmax - the maximum predefined number of keystrokes per sample allowed.
• Ri - the average keystroke rate
Detector
• Infers a cause-effect relationship between the input and the output, both in AKP form
• Operates on a single process at a time
• Calculates the PCC (Pearson correlation coefficient)
Detector (cont.)
• Linearity: scale and location invariant.
  • PCC(P,Q) = PCC(a + P*c,Q)
  • Immune to data normalization such as encryption or ignored keystrokes.
• Buffering?
  • Focus-based buffering
  • Time-based buffering
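
The Monitor, Pattern Translator and Detector steps above, sketched as an added example (not code from the slides or the authors' tool). The counter readings are constructed sample data: the logger-like process is assumed to write 16 bytes of overhead plus 3 bytes per injected keystroke in each interval. The function names are hypothetical, and 0.80 is the threshold the Result slide quotes.

```python
import math

# Constructed sample data (not from the slides): keystrokes injected per
# interval, bounded by Kmin=1 and Kmax=50, plus cumulative bytes-written
# readings (WriteTransferCount-style) taken at each interval boundary.
INJECTED = [50, 1, 30, 5, 45, 10, 20, 40]
LOGGER_READINGS = [1000, 1166, 1185, 1291, 1322, 1473, 1519, 1595, 1731]
OTHER_READINGS = [5000, 5200, 5410, 5600, 5805, 6000, 6200, 6410, 6600]

def normalize(samples):
    """Scale samples into [0, 1], as the Pattern Translator does for an AKP."""
    lo, hi = min(samples), max(samples)
    if hi == lo:
        return [0.0] * len(samples)  # a flat series carries no pattern
    return [(s - lo) / (hi - lo) for s in samples]

def interval_bytes(readings):
    """Convert cumulative counter readings into bytes written per interval."""
    return [b - a for a, b in zip(readings, readings[1:])]

def pcc(p, q):
    """Pearson correlation coefficient of two equal-length patterns."""
    if len(p) != len(q) or len(p) < 2:
        raise ValueError("patterns must have the same length (>= 2)")
    mp, mq = sum(p) / len(p), sum(q) / len(q)
    cov = sum((a - mp) * (b - mq) for a, b in zip(p, q))
    var_p = sum((a - mp) ** 2 for a in p)
    var_q = sum((b - mq) ** 2 for b in q)
    if var_p == 0 or var_q == 0:
        return 0.0  # a constant series cannot correlate with anything
    return cov / math.sqrt(var_p * var_q)

def score(injected, readings):
    """PCC between the injected AKP and the process's output AKP."""
    return pcc(normalize(injected), normalize(interval_bytes(readings)))

def is_suspicious(injected, readings, threshold=0.80):
    """Flag a process whose writes track the bait pattern."""
    return score(injected, readings) >= threshold

if __name__ == "__main__":
    for name, r in (("logger-like", LOGGER_READINGS), ("unrelated", OTHER_READINGS)):
        print(f"{name:12s} PCC={score(INJECTED, r):+.3f} flagged={is_suspicious(INJECTED, r)}")
```

Because the PCC is scale and location invariant, the per-interval overhead and the bytes-per-keystroke factor do not lower the logger-like process's score.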
Pattern Generator
• It must NOT resemble any pattern exhibited by legitimate processes.
• It must be easily identifiable in the output.
• SYSmark 2004 SE suite
Pattern Generator (alg.)
• Random
  • random within the range [0,1]
• Random Fixed Range
  • random permutation of uniformly distributed samples
• Sine Wave
  • discrete sine wave oscillating between 0 and 1
• Impulse
  • pattern composed of alternated 0 and 1.
• Workload Aware
  • maximally uncorrelated to the actual workload
Parameters
• How do the AKP's parameters influence the PCC?
• A proof-of-concept keylogger
Parameters (cont.)
• Time interval
False Negatives
• Effect of random padding
False Positives
• Workload generated by the "Office" suite
Result
• Detection results for the keyloggers used in the evaluation.
  • PCC's threshold set to 0.80
• New threshold and parameters
  • Pattern=RFR, PCC=0.6, N=60, T=1000, Kmin=1, Kmax=50
Top monitoring free software list - http://www.keylogger.org
Limitation
• A keylogger actively performing I/O activities
• Higher injection rates?
• Aggressive buffering
• Monitor the memory accesses (privileged API)
Conclusion
• An unprivileged approach for detecting keyloggers.
• Effective against real keyloggers in a realistic scenario.
• The proposed architecture is OS independent.
• The resulting tool (GPL licensed) will soon be made public.