Server-side detection of malware infection

We review the intertwined problems of malware and online fraud, and argue that the fact that service providers often are financially responsible for fraud causes a relative lack of incentives for clients to manage their own security well. This suggests the need for a server-side tool to determine the security posture of clients before letting them transact. We introduce an exceedingly lightweight audit mechanism to address this need, one that also permits post-mortem infection analysis, and prove its security properties based on standard cryptographic hardness assumptions. We describe a deployment architecture that aligns the incentives of participants in order to facilitate quick adoption and widespread use of the technology. Our approach is flexible enough to protect even low-end computing devices like mobile handsets, which future malware will target heavily, but whose power and bandwidth limitations result in poor effectiveness for traditional anti-virus solutions. A contribution of independent potential value is the enabling of a centralized analysis of malware-related events, which promises to extend the power of detection in comparison to what today's decentralized paradigm allows.
