论文信息 - Behavior-based Spyware Detection

Behavior-based Spyware Detection

Spyware is rapidly becoming a major security issue. Spyware programs are surreptitiously installed on a user's workstation to monitor his/her actions and gather private information about a user's behavior. Current antispyware tools operate in a way similar to traditional antivirus tools, where signatures associated with known spyware programs are checked against newly-installed applications. Unfortunately, these techniques are very easy to evade by using simple obfuscation transformations. This paper presents a novel technique for spyware detection that is based on the characterization of spywarelike behavior. The technique is tailored to a popular class of spyware applications that use Internet Explorer's Browser Helper Object (BHO) and toolbar interfaces to monitor a user's browsing behavior. Our technique uses a composition of static and dynamic analysis to determine whether the behavior of BHOs and toolbars in response to simulated browser events should be considered malicious. The evaluation of our technique on a representative set of spyware samples show that it is possible to reliably identify malicious components using an abstract behavioral characterization.

Christopher Krügel | Engin Kirda | Christopher Krügel | E. Kirda

[1] Samuel Webb Williams,et al. The Component Object Model: A Technical Overview , 1994 .

[2] Matt Pietrek,et al. Peering Inside the PE: A Tour of the Win32 Portable Executable File Format , 1994 .

[3] Vern Paxson,et al. Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[4] Martin Roesch,et al. Snort - Lightweight Intrusion Detection for Networks , 1999 .

[5] Galen C. Hunt,et al. Detours: binary interception of Win32 functions , 1999 .

[6] Sven B. Schreiber. Undocumented Windows 2000 Secrets: A Programmer's Cookbook , 2001 .

[7] Saumya K. Debray,et al. Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[8] Christopher Krügel,et al. Detecting kernel-level rootkits through binary analysis , 2004, 20th Annual Computer Security Applications Conference.

[9] Stefan Saroiu,et al. Measurement and Analysis of Spyware in a University Environment , 2004, NSDI.

[10] Somesh Jha,et al. Testing malware detectors , 2004, ISSTA '04.

[11] Sy-Yen Kuo,et al. Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management , 2004, LISA.

[12] Somesh Jha,et al. Semantics-aware malware detection , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[13] Roger Thompson,et al. Why spyware poses multiple threats to security , 2005, CACM.

[14] Steven D. Gribble,et al. A Crawler-based Study of Spyware in the Web , 2006, NDSS.