Bait your Hook: A Novel Detection Technique for Keyloggers
DESCRIPTION
Bait your Hook: A Novel Detection Technique for Keyloggers. Stefano Ortolani, Cristiano Giuffrida, and Bruno Crispo. RAID 2010, September. Outline: Introduction, Our Approach, Architecture, Evaluation, Conclusion. Introduction: threat? Malware with keylogging functionalities.
TRANSCRIPT
Slide 1: Bait your Hook: A Novel Detection Technique for Keyloggers
Stefano Ortolani, Cristiano Giuffrida, and Bruno Crispo
RAID 2010, September
Slide 2: Outline
Introduction
Our Approach
Architecture
Evaluation
Conclusion
Slide 3: Introduction: threat?
Malware with keylogging functionalities
Slide 4: Introduction: threat? (figure only; no text on this slide)
Slide 5: Introduction: Keylogger
Win32 API
◦ GetKeyState()
◦ GetAsyncKeyState()
◦ SetWindowsHookEx()
X11
◦ gdk_window_add_filter()
Source: http://www.securityfocus.org, 2007
Slide 6: Countermeasure
Anti-keylogging software
◦ Signature-based
◦ API tracing and detection
Virtual keyboard
One-time password
Slide 7: Countermeasure (cont.)
An ideal approach should be:
◦ Unprivileged
◦ Reliable
◦ Portable
Many keyloggers, one behavior
Slide 8: Our approach
The correlation between keystroke events and I/O activity
Bait your Hook!
◦ Inject keystrokes
◦ Record the bytes output
Slide 9: Architecture
The prototype's architecture, divided into components and domains (figure)
Slide 10: Injector
Inject the input stream
◦ Mimicking the behavior of a simulated user
Rely on unprivileged API calls
◦ Win32: SendInput
◦ X11: XTestFakeKeyEvent
The resulting keystroke events should be:
◦ No different from keystrokes generated by a user at the keyboard
Slide 11: Monitor
Application-level statistics of I/O activities
Rely on an unprivileged performance counter
◦ Win32: WriteTransferCount (total number of bytes the process wrote since its creation)
◦ Linux: analogous performance counter
Minimal overhead
Slide 12: Pattern Translator
Transform an AKP (Abstract Keystroke Pattern) into a stream and vice versa
◦ A pattern P is a set of samples Pi
◦ Each sample Pi is the normalized amount of data measured at time interval i
◦ The normalization scales all the samples within the range [0,1]
Slide 13: Pattern Translator (cont.)
N: the number of samples in the pattern
T: the constant time interval between any two successive samples
Kmin: the minimum predefined number of keystrokes per sample allowed
Kmax: the maximum predefined number of keystrokes per sample allowed
Ri: the average keystroke rate
Slide 14: Detector
Infer a cause-effect relationship between input and output in AKP form
Operates on a single process at a time
Calculate the PCC (Pearson correlation coefficient)
Slide 15: Detector (cont.)
Linearity: scale and location invariant
◦ PCC(P,Q) = PCC(a + P*c, Q)
Immune to data normalization such as encryption or ignored keystrokes
Buffering?
◦ Focus-based buffering
◦ Time-based buffering
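As an added example (not the authors' prototype), the translator and detector steps of slides 12 to 15 in Python: normalization into [0,1], AKP to per-interval keystroke counts bounded by Kmin/Kmax, cumulative WriteTransferCount readings back into an AKP, and the PCC check against the 0.80 threshold. The counter traces are constructed; the 16 bytes per logged key, the 512-byte header and the ramping benign process are assumptions.

```python
import math

def normalize(samples):
    """AKP normalization (slide 12): scale all samples into [0, 1]."""
    lo, hi = min(samples), max(samples)
    if hi == lo:                      # a flat stream carries no pattern
        return [0.0] * len(samples)
    return [(s - lo) / (hi - lo) for s in samples]

def akp_to_keystrokes(pattern, kmin, kmax):
    """Translator, AKP -> input stream: sample P_i becomes the keystrokes typed in interval i."""
    return [round(kmin + p * (kmax - kmin)) for p in pattern]

def counter_to_akp(readings):
    """Translator, output stream -> AKP: WriteTransferCount is cumulative, so difference it."""
    per_interval = [b - a for a, b in zip(readings, readings[1:])]
    return normalize(per_interval)

def pcc(p, q):
    """Pearson correlation coefficient of two equal-length patterns."""
    n = len(p)
    mp, mq = sum(p) / n, sum(q) / n
    cov = sum((a - mp) * (b - mq) for a, b in zip(p, q))
    sp = math.sqrt(sum((a - mp) ** 2 for a in p))
    sq = math.sqrt(sum((b - mq) ** 2 for b in q))
    return 0.0 if sp == 0 or sq == 0 else cov / (sp * sq)

def is_keylogger(pattern, readings, threshold=0.80):
    """Detector: flag the process when its output AKP tracks the injected AKP."""
    return pcc(pattern, counter_to_akp(readings)) >= threshold

PATTERN = [0.0, 1.0] * 4   # constructed impulse AKP, N=8 intervals

def keylogger_readings(keys, bytes_per_key=16, header=512):
    """Constructed counter trace (assumed figures): a process that writes a
    512-byte header, then 16 bytes per captured keystroke (scale + location change)."""
    total, readings = header, [header]
    for k in keys:
        total += k * bytes_per_key
        readings.append(total)
    return readings

def downloader_readings(n, chunk=4096):
    """Constructed counter trace of a benign process whose writes ramp up linearly."""
    total, readings = 0, [0]
    for i in range(n):
        total += chunk * (i + 1)
        readings.append(total)
    return readings
```

Because PCC is scale and location invariant, the header and the bytes-per-key factor do not lower the score; only a write pattern that does not follow the injected one (here the ramping process) stays below the threshold.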
Slide 16: Pattern Generator
It must NOT resemble any pattern exhibited by legitimate processes
It must be easily identifiable in the output
SYSmark 2004 SE suite
Slide 17: Pattern Generator (algorithms)
Random
◦ random within the range [0,1]
Random Fixed Range
◦ random permutation of uniformly distributed samples
Sine Wave
◦ discrete sine wave oscillating between 0 and 1
Impulse
◦ pattern composed of alternated 0 and 1
Workload Aware
◦ maximally uncorrelated to the actual workload
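The five generators of this slide in Python, as an added example that is not the paper's code. The workload-aware generator is an assumed realization of "maximally uncorrelated to the actual workload" (draw many random-fixed-range candidates and keep the one with the smallest peak |PCC| against the observed workload AKPs); the workload AKPs and the seeds are constructed.

```python
import math
import random

def gen_random(n, seed=0):
    """Random: N samples drawn uniformly from [0, 1)."""
    rng = random.Random(seed)
    return [rng.random() for _ in range(n)]

def _rfr(n, rng):
    samples = [i / (n - 1) for i in range(n)]   # N uniformly spaced samples, n >= 2
    rng.shuffle(samples)
    return samples

def gen_random_fixed_range(n, seed=0):
    """Random Fixed Range (RFR): a random permutation of uniformly distributed samples."""
    return _rfr(n, random.Random(seed))

def gen_sine(n, period):
    """Sine Wave: discrete sine oscillating between 0 and 1, `period` samples per cycle."""
    return [(1 + math.sin(2 * math.pi * i / period)) / 2 for i in range(n)]

def gen_impulse(n):
    """Impulse: alternated 0 and 1."""
    return [float(i % 2) for i in range(n)]

def pcc(p, q):
    """Pearson correlation coefficient, the detector's measure."""
    n = len(p)
    mp, mq = sum(p) / n, sum(q) / n
    cov = sum((a - mp) * (b - mq) for a, b in zip(p, q))
    sp = math.sqrt(sum((a - mp) ** 2 for a in p))
    sq = math.sqrt(sum((b - mq) ** 2 for b in q))
    return 0.0 if sp == 0 or sq == 0 else cov / (sp * sq)

def gen_workload_aware(n, workloads, seed=0, candidates=300):
    """Workload Aware (assumed realization): among RFR candidates keep the one
    whose strongest |PCC| against any observed workload AKP is smallest."""
    rng = random.Random(seed)
    best, best_score = None, 2.0
    for _ in range(candidates):
        cand = _rfr(n, rng)
        score = max(abs(pcc(cand, w)) for w in workloads)
        if score < best_score:
            best, best_score = cand, score
    return best

# Constructed workload AKPs: a periodic writer and a linearly ramping writer.
CONSTRUCTED_WORKLOADS = [gen_sine(30, 6), [i / 29 for i in range(30)]]
```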
Slide 18: Parameters
How do the AKP's parameters influence the PCC?
◦ A proof-of-concept keylogger
Slide 19: Parameters (cont.)
Time interval (figure)
Slide 20: False Negatives
Effect of random padding (figure)
Slide 21: False Positives
Workload generated by the "Office" suite (figure)
Slide 22: Results
Detection results for the keyloggers used in the evaluation; PCC threshold set to 0.80
New threshold and parameters
◦ Pattern=RFR, PCC=0.6, N=60, T=1000, Kmin=1, Kmax=50
Top monitoring free software list: http://www.keylogger.org
Slide 23: Limitations
A keylogger actively performing I/O activities
◦ Higher inject rates?
Aggressive buffering
◦ Monitor the memory accesses (privileged API)
Slide 24: Conclusion
An unprivileged approach for detecting keyloggers
Effective against real keyloggers in a realistic scenario
The proposed architecture is OS independent
The resulting tool (GPL licensed) will soon be made public