Memoirs of a Browser: A Cross-browser Detection Model for Privacy-breaching Extensions

Cristiano Giuffrida and Stefano Ortolani, Vrije Universiteit Amsterdam, The Netherlands
Bruno Crispo, Università di Trento, Trento, Italy

ASIACCS 2012, 7th ACM Symposium on Information, Computer and Communications Security
May 02, 2012, Seoul, Korea
Detection via Classification
• Each feature represents the contribution of a single MPC to the overall behavior.
• Huge feature space (Firefox: ~300 different features, hence ~300 dimensions).
• Cross-browser and cross-version approach:
  • Cross-browser: we just need to create a new synthetic training set.
  • Cross-version: just retrain the model with new MPCs.
Results on keylogging extensions
• We analyzed a data set of 30 publicly available browser extensions:
  • We selected extensions with keylogging behavior.
  • Of the tested extensions, 100% were successfully detected in just 5 seconds.
• False positives were tested against a data set of the 30 most-used browser extensions:
  • 10 extensions per browser.
  • Of the tested extensions, 94% were successfully classified.
• We also tested 9 extensions whose behavior would appear similar to keylogging behavior.
  • 3 extensions per browser, e.g., shortcut managers.
  • 100% accuracy.
• The infrastructure imposes a measurable slowdown (8X) limited to the detection time.
  • No overhead introduced during the normal use of the browser.
Conclusions
• We presented a cross-browser model to detect privacy-breaching extensions.
• We implemented the model on the three most widely adopted web browsers.
• We evaluated it against real-world keystroke logging extensions.
• No false positives against extensions intuitively hindering the detection process.
• Future work:
  • We plan to apply the model to other classes of privacy-breaching malware.
  • And to extend the approach to other plugin-based applications:
    • e.g., Word, OpenOffice, Thunderbird, etc.
Thanks for your attention! Any questions?