ABSTRACT
Despite the increasing number of social engineering attacks delivered through web browsers, detecting socially engineered trojan downloads by enticed victim users remains a challenging endeavor. In this paper we present TroGuard, a semi-automated web-based trojan detection solution that notifies the user if the application she downloaded behaves differently from what she expected at download time. TroGuard builds on the hypothesis that, in spite of the millions of executables currently downloadable on the Internet, almost all of them provide functionality from a limited set. Furthermore, because each functionality (e.g., text editor) requires particular system resources, it exhibits a distinctive system-level activity pattern. During an offline process, TroGuard creates a profile dictionary of the various functionalities. This dictionary is then used to warn the user if she downloads an executable whose observed activity does not match its advertised functionality (extracted through automated analysis of the download website). Our experimental results support the above premise empirically and show that TroGuard can identify real-world socially engineered trojan download attacks effectively.
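To make the two-phase design concrete, the following is an added illustration and not TroGuard's own code: an offline step averages per-category activity vectors into a profile dictionary, and an online step classifies a fresh trace by nearest profile (cosine similarity, an assumption made here; the paper does not specify its classifier) and warns when the best-matching profile disagrees with the category advertised on the download page. The categories, event names and every trace are constructed for the example; a real deployment would feed it traces from a kernel tracer and an advertised category from the web-page analysis.

```python
"""Added example: profile a few functionality categories by their system-level
activity and flag a download whose behaviour does not match its advertisement.
Not TroGuard's code; categories, event names and traces are constructed."""

from collections import Counter
from math import sqrt

# Constructed training runs: each is the sequence of system-level events one
# execution produced. Real profiles would come from many traced runs per category.
TRAINING_TRACES = {
    "text_editor": [
        ["open", "read", "write", "mmap", "read", "write", "fsync", "close", "ioctl_tty"],
        ["open", "read", "mmap", "write", "write", "ioctl_tty", "close", "read"],
    ],
    "media_player": [
        ["open", "read", "read", "read", "mmap", "ioctl_audio", "ioctl_audio", "read"],
        ["open", "mmap", "read", "ioctl_audio", "read", "read", "ioctl_audio"],
    ],
    "download_manager": [
        ["socket", "connect", "sendto", "recvfrom", "recvfrom", "write", "recvfrom", "write"],
        ["socket", "connect", "recvfrom", "write", "recvfrom", "write", "close"],
    ],
}

# Constructed online observations (the "download time" side of the check).
GENUINE_PLAYER_TRACE = ["open", "read", "read", "mmap", "ioctl_audio", "read", "ioctl_audio"]
FAKE_PLAYER_TRACE = ["socket", "connect", "sendto", "recvfrom", "execve",
                     "sendto", "recvfrom", "write", "recvfrom"]
UNKNOWN_TRACE = ["ptrace", "read_keyboard", "read_keyboard", "ptrace"]


def activity_vector(trace):
    """Normalised event-frequency vector of one execution trace."""
    counts = Counter(trace)
    total = sum(counts.values())
    return {event: n / total for event, n in counts.items()}


def build_profiles(training):
    """Offline phase: one mean activity vector per functionality category."""
    profiles = {}
    for category, runs in training.items():
        acc = Counter()
        for run in runs:
            acc.update(activity_vector(run))
        profiles[category] = {event: v / len(runs) for event, v in acc.items()}
    return profiles


def cosine(a, b):
    """Cosine similarity of two sparse vectors; 0.0 when either is empty."""
    dot = sum(a[k] * b.get(k, 0.0) for k in a)
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def classify(profiles, trace):
    """Online phase: the profile the observed activity resembles most."""
    vec = activity_vector(trace)
    score, category = max((cosine(vec, p), c) for c, p in profiles.items())
    return category, score


def check_download(profiles, advertised, trace, min_similarity=0.6):
    """Return (warn, observed_category, similarity).

    warn is True when the trace resembles no known functionality at all, or
    when its closest profile is not the category the download page advertised.
    """
    category, score = classify(profiles, trace)
    if score < min_similarity:
        return True, None, score
    return category != advertised, category, score


PROFILES = build_profiles(TRAINING_TRACES)

if __name__ == "__main__":
    for label, trace in [("genuine player", GENUINE_PLAYER_TRACE),
                         ("fake player", FAKE_PLAYER_TRACE),
                         ("unknown", UNKNOWN_TRACE)]:
        warn, observed, score = check_download(PROFILES, "media_player", trace)
        print(f"{label:14s} advertised=media_player observed={observed} "
              f"similarity={score:.2f} warn={warn}")
```

The unknown-category branch matters: a trace that matches nothing in the dictionary should still produce a warning rather than being silently assigned the least-bad profile. The check is only as strong as the dictionary's coverage and the separation between profiles, and a trojan that bundles the advertised functionality will only shift the vector as far as its extra activity is proportionally large.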
TroGuard: context-aware protection against web-based socially engineered trojans