
Bait Your Hook: A Novel Detection Technique for Keyloggers

  • Conference paper: Recent Advances in Intrusion Detection (RAID 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6307)

Abstract

Software keyloggers are a fast-growing class of malware often used to harvest confidential information. One of the main reasons for this rapid growth is that unprivileged programs running in user space can eavesdrop on and record every keystroke of every user of the system. The ability to run in unprivileged mode facilitates their implementation and distribution, but at the same time makes it possible to understand and model their behavior in detail. Leveraging this property, we propose a new detection technique that simulates carefully crafted keystroke sequences (the bait) as input and observes the behavior of the keylogger in output to unambiguously identify it among all the running processes. We have prototyped and evaluated this technique against some of the most common free keyloggers. Experimental results are encouraging and confirm the viability of our approach in practical scenarios.
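The abstract describes the detection idea only at a high level: inject a known keystroke pattern and look for the process whose output follows it. The Python below is an added illustration of that idea and is not code from the paper or its authors. It assumes that the observable "output" is the number of bytes each process writes per time window (what a user-space keylogger logging to a file would produce), that the similarity measure is the Pearson correlation coefficient, and that a fixed window size and flag threshold are used; the event data, process names and all numeric values are constructed for the example. Processes with no write variance at all (an idle process, or one that autosaves a constant amount each window) are the edge case handled explicitly, since correlation is undefined for them.

```python
"""Bait-keystroke correlation check (added example; constructed data).

Assumed model: inject an irregular keystroke pattern, bin each process's
write I/O into time windows, and flag the process whose per-window byte
counts correlate with the injected pattern. The statistic, window size and
threshold are assumptions of this example, not details taken from the paper.
"""
from math import sqrt

WINDOW = 1.0      # seconds per window (assumed)
N_WINDOWS = 10
THRESHOLD = 0.9   # correlation above which a process is flagged (assumed)

# Bait: keystrokes injected per window. Deliberately irregular, so a process
# that merely writes on a periodic schedule will not match it by accident.
BAIT = [0, 40, 0, 80, 20, 0, 60, 0, 100, 10]

# Constructed write events: (timestamp_seconds, process_name, bytes_written).
# A real deployment would take these from an I/O monitor; these are hand-made.
EVENTS = [
    # keylogger: writes about 2 bytes per injected key (e.g. logging key codes)
    (1.2, "keylogger", 80), (3.1, "keylogger", 100), (3.7, "keylogger", 60),
    (4.5, "keylogger", 40), (6.3, "keylogger", 120), (8.2, "keylogger", 150),
    (8.8, "keylogger", 50), (9.1, "keylogger", 20),
    # browser: bursts of cache writes unrelated to the bait
    (2.4, "browser", 9000), (5.0, "browser", 7000), (5.6, "browser", 5000),
    (7.9, "browser", 500), (9.3, "browser", 3000),
] + [
    # editor: a constant 512-byte autosave in every window
    (w + 0.5, "editor", 512) for w in range(N_WINDOWS)
]
PROCESSES = ["keylogger", "browser", "editor", "idle"]   # "idle" never writes


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series.

    Returns 0.0 when either series is constant: there is no linear
    relationship to measure, so the process cannot be following the bait.
    """
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("series must have equal length >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def aggregate_writes(events, processes, n_windows=N_WINDOWS, window=WINDOW):
    """Sum bytes written by each process into fixed-size time windows."""
    series = {name: [0] * n_windows for name in processes}
    for ts, name, nbytes in events:
        idx = int(ts // window)
        if name in series and 0 <= idx < n_windows:
            series[name][idx] += nbytes
    return series


def correlate_processes(bait, events, processes):
    """Map each process name to its correlation with the bait pattern."""
    series = aggregate_writes(events, processes, len(bait))
    return {name: pearson(bait, writes) for name, writes in series.items()}


def detect(bait, events, processes, threshold=THRESHOLD):
    """Names of processes whose write pattern follows the bait, best first."""
    scores = correlate_processes(bait, events, processes)
    flagged = [name for name, r in scores.items() if r >= threshold]
    return sorted(flagged, key=lambda name: scores[name], reverse=True)


if __name__ == "__main__":
    for name, r in correlate_processes(BAIT, EVENTS, PROCESSES).items():
        print(f"{name:10s} r = {r:+.3f}")
    print("flagged:", detect(BAIT, EVENTS, PROCESSES))
```

The constructed keylogger stream is an exact multiple of the bait, so its correlation is 1.0; a real logger adds headers, buffering and flush jitter, which is why the threshold sits below 1. The browser's bursts fall mostly in windows where no keys were injected and score negative, and the editor and idle processes score 0.0 by the zero-variance rule rather than raising a division error.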

This work has been partially funded by the EU FP7 IP Project MASTER (contract no. 216917) and by the PRIN project “Paradigmi di progettazione completamente decentralizzati per algoritmi autonomici”.




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ortolani, S., Giuffrida, C., Crispo, B. (2010). Bait Your Hook: A Novel Detection Technique for Keyloggers. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_11


  • DOI: https://doi.org/10.1007/978-3-642-15512-3_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15511-6

  • Online ISBN: 978-3-642-15512-3

  • eBook Packages: Computer Science (R0)
