KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware
Transcript of KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware
KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware
Stefano Ortolani (1), Cristiano Giuffrida (1), and Bruno Crispo (2)
(1) Vrije Universiteit, (2) University of Trento
左昌國, Seminar @ ADLab, NCU-CSIE
14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011)
Outline
• Introduction
• Approach
• Optimization
• Evaluation
• Discussion
• Related Work
• Conclusions
Introduction
• Keylogger detection
  • Signature-based solutions
    • Evasion techniques
    • Time needed to produce a signature
  • Behavior-based solutions (monitoring system call or library call invocations)
    • False positives
    • False negatives
Introduction
• This paper proposes a new behavior-based detection model
  • KLIMAX: Kernel-Level Infrastructure for Memory And eXecution profiling
  • Based on memory write pattern profiling
  • Proactive and reactive
• Previous work
  • Stefano Ortolani, Cristiano Giuffrida, and Bruno Crispo, Bait your Hook: a Novel Detection Technique for Keyloggers, RAID 2010
  • Compares I/O patterns
  • False negatives: a keylogger evades detection by delaying or disguising its I/O activity
Approach
• Ascertain the correlation between the stream of issued keystrokes and the memory writes a process exhibits
  • High correlation means keylogging behavior is present
• No virtualization techniques
  • Kernel-level solution
  • Does not provide kernel rootkit detection
Approach
Approach
• Detector
  • The detector uses the statistical suite R to randomly generate patterns
  • Write patterns are received from the Injector
    • Categorized by region: data, stack, heap
  • Computes the correlation between the two patterns
    • PCC: Pearson product-moment Correlation Coefficient
• Injector
  • A virtual keyboard driver
  • Converts patterns into keystroke streams
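The detector/injector loop on this slide, as an added example that is not part of the paper or the slides: a deterministic Python stand-in that generates a random keystroke pattern, simulates per-interval memory-write counts for a constructed keylogger-like process and a benign one, and computes the PCC per memory region. The region names, the 0.8 threshold, the bytes-per-key and noise values, and the seed are all assumptions.

```python
import math
import random

# Constructed stand-in for the KLIMAX detector (not the authors' code).
# A "pattern" is the number of keystrokes the injector issues per interval.


def pearson(xs, ys):
    """Pearson product-moment correlation coefficient of two equal-length series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        return 0.0  # a flat series carries no correlation information
    return cov / (sx * sy)


def generate_pattern(intervals, rng, lo=0, hi=100):
    """Random keystroke counts per interval (the paper's detector uses R for this)."""
    return [rng.randint(lo, hi) for _ in range(intervals)]


def simulate_writes(pattern, rng, bytes_per_key, noise):
    """Memory-write counts per interval for a process that receives the pattern.
    bytes_per_key > 0 models a keylogger copying each keystroke into a buffer."""
    return [k * bytes_per_key + rng.randint(0, noise) for k in pattern]


def classify(pattern, writes_by_region, threshold=0.8):
    """Flag the process when any region's write pattern correlates with the input."""
    scores = {region: pearson(pattern, w) for region, w in writes_by_region.items()}
    return max(scores.values()) > threshold, scores


def run_demo(seed=1, intervals=30):
    """Return (flagged, scores) for a keylogger-like process and a benign one."""
    rng = random.Random(seed)
    pattern = generate_pattern(intervals, rng)
    keylogger = {
        "data": simulate_writes(pattern, rng, bytes_per_key=0, noise=50),
        "heap": simulate_writes(pattern, rng, bytes_per_key=2, noise=20),  # keystroke buffer
        "stack": simulate_writes(pattern, rng, bytes_per_key=0, noise=200),
    }
    # Benign process: writes independent of the injected keystrokes.
    benign = {region: [rng.randint(0, 300) for _ in pattern] for region in keylogger}
    return classify(pattern, keylogger), classify(pattern, benign)
```

The heap region of the constructed keylogger correlates almost perfectly with the injected pattern even though nothing leaves the process, which is the property the paper relies on against malware that buffers captured keystrokes.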
Approach
• IDT: Interrupt Descriptor Table
  • ref
Approach
Approach
• Shadower
• Classifier
Approach
Optimization
• Goal: reduce false positives and false negatives
• Many benign applications register callback functions to intercept keystroke events
  • This produces high correlation
  • The callback mechanism is implemented in USER32.dll
  • Transient memory write patterns appear on the stack at callback execution time (short-lived stack); avoid logging any memory writes performed by USER32.dll
• Identify long-lived regions of the stack during execution
  • Exclude every other stack region
  • Adaptive algorithm to identify the long-lived stack
    • Initially, mark the entire stack as long-lived
    • As execution progresses, sample the stack pointer of each thread at regular time intervals and update the deepest value observed
Evaluation
• Synthetic evaluation
Evaluation
Evaluation
• False positive analysis
  • Static binary analysis (or dynamic analysis)
  • Standard API
    • SetWindowsHookEx, GetKeyState, GetAsyncKeyState (from USER32.dll)
  • Hotkey registration API
    • RegisterHotKey
Discussion
• The main strength of the detection strategy is detecting keylogging behavior within short windows of observation, even for malware that buffers data for a long time
• False positives
  • If a benign application keeps sensitive data in global memory regions, this is unnecessary behavior
• In the false negative evaluation
  • 2 samples show that the proactive method is not a good idea
  • Event-trigger-based "reactive" detection should be good
Related Work
• Behavior-based approach (malware detection)
  • Polymorphic malicious executable scanner by API sequence analysis
  • Malware profiling
  • Behavior-based spyware detection
  • Effective and efficient malware detection at the end host
• API correlation
  • Detecting bots based on keylogging activities
  • Bait your hook: a novel detection technique for keyloggers
Conclusions
• KLIMAX: a kernel-level infrastructure to analyze and detect malware with generic keylogging behavior
  • Can be deployed on unmodified Windows-based systems
• Proactive detection
  • No false positives
  • No false negatives (when the keylogging behavior is triggered within the window of observation)
• Reactive detection
  • Policy-based reactive detection
  • No false negatives in the "general" case
• Antivirus misclassified several malware samples