The user is not the enemy: fighting malware by tracking user intentions

Current access control policies provide no mechanisms for incorporating user behavior in access control decisions, even though the way a user interacts with a program often indicates what the user expects that program to do. We develop a new approach to access control, focusing on single-user systems, in which the complete history of user and program actions can be used to improve the precision and expressiveness of access control policies. We describe mechanisms for securely capturing user actions, mapping those actions onto likely user intents, and a language for defining access control policies that incorporate user intentions. We implemented a prototype for capturing user intentions, and present results from experiments on malware mitigation using the prototype. Our results show that a very simple MAC policy can prevent a significant amount of system damage caused by malware while not interfering with most benign software.
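The pipeline the abstract sketches (capture user actions, map them onto likely intents, then decide a program's access requests against those intents) as an added toy example; this is not the paper's prototype or its policy language, and the widget names, the five-second intent lifetime, the scratch directory and the sample history are all assumptions.

```python
# Constructed toy of intention-aware access control (not the paper's prototype).
from dataclasses import dataclass
from typing import List

INTENT_TTL = 5.0                      # seconds an inferred intent stays valid (assumed)
SCRATCH = "C:/Users/alice/AppData/"   # per-program scratch area, always writable (assumed)

@dataclass
class UserAction:       # one securely captured UI event
    t: float            # capture time in seconds
    app: str            # program whose window received the input
    widget: str         # UI element acted on
    arg: str = ""       # e.g. the path chosen in a file dialog

@dataclass
class Intent:           # a likely user intent derived from an action
    t: float
    app: str
    op: str             # "read" or "write"
    path: str

# Hypothetical mapping from dialog confirmations to file-access intents.
WIDGET_TO_OP = {"SaveDialog.OK": "write", "OpenDialog.OK": "read"}

def infer_intents(actions: List[UserAction]) -> List[Intent]:
    """Map the raw action history onto the intents it most likely expresses."""
    return [Intent(a.t, a.app, WIDGET_TO_OP[a.widget], a.arg)
            for a in actions if a.widget in WIDGET_TO_OP]

def allowed(intents: List[Intent], app: str, op: str, path: str, now: float) -> bool:
    """Policy: scratch files are free; user files need a fresh intent from the same program."""
    if path.startswith(SCRATCH):
        return True
    return any(i.app == app and i.op == op and i.path == path
               and 0.0 <= now - i.t <= INTENT_TTL for i in intents)

DOC = "C:/Users/alice/Documents/notes.txt"
# Constructed history: the user confirms a Save dialog in the editor at t=10.
HISTORY = [UserAction(10.0, "editor.exe", "SaveDialog.OK", DOC)]

def demo() -> List[bool]:
    """Decide five constructed requests against the history; returns the decisions."""
    intents = infer_intents(HISTORY)
    return [
        allowed(intents, "editor.exe", "write", DOC, 10.2),    # user asked for it
        allowed(intents, "dropper.exe", "write", DOC, 10.3),   # no user action behind it
        allowed(intents, "editor.exe", "write", DOC + ".bak", 10.2),  # different file
        allowed(intents, "editor.exe", "write", DOC, 30.0),    # intent has expired
        allowed(intents, "dropper.exe", "write", SCRATCH + "x/cache.bin", 10.3),  # scratch
    ]
```

The second and fourth decisions are the interesting ones: a write to user data with no user action behind it, or long after the action, is denied even though the file permissions alone would allow it.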
