KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware
Stefano Ortolani (1), Cristiano Giuffrida (1), and Bruno Crispo (2)
(1) Vrije Universiteit, (2) University of Trento
14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011)
左昌國, Seminar @ ADLab, NCU-CSIE
Outline
• Introduction
• Approach
• Optimization
• Evaluation
• Discussion
• Related Work
• Conclusions

Introduction
• Keylogger detection
  • Signature-based solutions
  • Evasion techniques
  • Signature producing time
Optimization
• To reduce the false positives and false negatives
• Many benign applications register callback functions to intercept keystroke events
  • High correlation
  • The callback mechanism is implemented in USER32.dll
  • Transient memory write patterns on the stack at callback execution time (short-lived stack): avoid logging any memory writes performed by USER32.dll
• Identifying long-lived regions of the stack during execution
  • Excluding any other stack region
• Adaptive algorithm to identify the long-lived stack
  • Initially, mark the entire stack as long-lived
  • As the execution progresses, sample the stack pointer of each thread at regular time intervals and update the deepest value
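The adaptive long-lived stack tracking described above, as an added illustration (not KLIMAX's own code and not taken from the paper). It assumes an x86-style stack that grows towards lower addresses, and it reads "update the deepest value" as: the long-lived region is the part of the stack that has stayed in use at every sample, so its lower boundary is the highest stack pointer value sampled so far; writes below that boundary are treated as short-lived (transient callback frames) and excluded from the profile. The names, the stack bounds and the event trace are constructed for the example.

```python
"""Adaptive long-lived stack tracking, modelled on the KLIMAX optimization slides.

Added illustration, not KLIMAX's own code. Assumptions (mine, not from the slides):
- the stack grows towards lower addresses (x86 convention);
- the long-lived region is the part of the stack that has stayed in use at
  every sampling point, so its lower boundary is the highest stack pointer
  value sampled so far; writes below that boundary are short-lived.
"""
from dataclasses import dataclass, field
from enum import Enum


class Region(Enum):
    LONG_LIVED_STACK = "long-lived stack"    # profiled for keystroke correlation
    SHORT_LIVED_STACK = "short-lived stack"  # excluded: transient callback frames
    NON_STACK = "non-stack"                  # heap/global memory, profiled separately


@dataclass
class ThreadStackTracker:
    """Per-thread tracker; 'boundary' is the lowest address still long-lived."""
    stack_base: int     # highest address of the stack (exclusive)
    stack_limit: int    # lowest address of the stack (inclusive)
    boundary: int = field(init=False)

    def __post_init__(self):
        # Initially the entire stack is marked as long-lived.
        self.boundary = self.stack_limit

    def sample_sp(self, sp):
        """Called at regular time intervals with the thread's stack pointer.

        Every stack byte below the sampled SP was popped at least once, so it
        cannot belong to the long-lived region: move the boundary up to the
        highest SP seen so far (it never moves back down).
        """
        if not self.stack_limit <= sp < self.stack_base:
            raise ValueError(f"stack pointer {sp:#x} outside the thread stack")
        self.boundary = max(self.boundary, sp)

    def classify(self, addr):
        """Classify a written address against the current boundary."""
        if not self.stack_limit <= addr < self.stack_base:
            return Region.NON_STACK
        if addr >= self.boundary:
            return Region.LONG_LIVED_STACK
        return Region.SHORT_LIVED_STACK


def profile_writes(tracker, events):
    """Replay a trace of ('sp', value) samples and ('write', addr, size) records.

    Returns the number of bytes written per region. Writes are classified
    with the boundary as it was at the time of the write, which is what an
    online monitor can do.
    """
    counts = {region: 0 for region in Region}
    for event in events:
        if event[0] == "sp":
            tracker.sample_sp(event[1])
        elif event[0] == "write":
            _, addr, size = event
            counts[tracker.classify(addr)] += size
    return counts


# Constructed 64 KiB thread stack and a constructed event trace.
STACK_BASE = 0x7FFF0000
STACK_LIMIT = 0x7FFE0000
SAMPLE_TRACE = [
    ("write", 0x7FFEE000, 4),   # before any sample: whole stack is long-lived
    ("sp", 0x7FFEF000),         # boundary -> 0x7FFEF000
    ("write", 0x7FFEF100, 8),   # above boundary: long-lived
    ("write", 0x7FFEE900, 16),  # below boundary: short-lived (callback frame)
    ("sp", 0x7FFEE800),         # lower SP: boundary unchanged
    ("sp", 0x7FFEF800),         # higher SP: boundary -> 0x7FFEF800
    ("write", 0x7FFEF400, 4),   # now below the boundary: short-lived
    ("write", 0x7FFEFA00, 2),   # still above: long-lived
    ("write", 0x00401000, 32),  # global data section: non-stack
]


def demo():
    tracker = ThreadStackTracker(stack_base=STACK_BASE, stack_limit=STACK_LIMIT)
    return profile_writes(tracker, SAMPLE_TRACE)


if __name__ == "__main__":
    for region, nbytes in demo().items():
        print(f"{region.value:>18}: {nbytes} bytes")
```

Note that the first write at 0x7FFEE000 is counted as long-lived even though later samples show that depth is transient: the algorithm only ever tightens the boundary as samples arrive, so early writes are classified against the conservative initial marking. That is the price of the "initially mark the entire stack as long-lived" starting point and why sampling regularly matters.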
Evaluation
• Synthetic Evaluation
• False Positive Analysis
  • Static binary analysis (or dynamic analysis)
  • Standard API
    • SetWindowsHookEx, GetKeyState, GetAsyncKeyState (from USER32.dll)
  • Hotkey registration API
    • RegisterHotKey
Discussion
• The main strength of the detection strategy is to detect keylogging behavior within short windows of observation, even for malware that buffers data for a long time.
• False Positives
  • If a benign application keeps sensitive data in global memory regions, this is unnecessary behavior
• In the False Negative evaluation
  • 2 samples show that the proactive method is not a good idea
  • Event-trigger-based "reactive" detection should be good
Related Work
• Behavior-based approach (malware detection)
  • Polymorphic malicious executable scanner by API sequence analysis
• Malware profiling
  • Behavior-based spyware detection
  • Effective and efficient malware detection at the end host
• API correlation
  • Detecting bots based on keylogging activities
  • Bait your hook: a novel detection technique for keyloggers
Conclusions
• KLIMAX: a kernel-level infrastructure to analyze and detect malware with generic keylogging behavior
  • Can be deployed on unmodified Windows-based systems
• Proactive detection
  • No false positives
  • No false negatives (the keylogging behavior is triggered within the window of observation)
• Reactive detection
  • Policy-based reactive detection
  • No false negatives in the "general" case