KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware
Stefano Ortolani (1), Cristiano Giuffrida (1), and Bruno Crispo (2)
(1) Vrije Universiteit, (2) University of Trento
14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011)
Presented by 左昌國, Seminar @ ADLab, NCU-CSIE
Outline
• Introduction
• Approach
• Optimization
• Evaluation
• Discussion
• Related Work
• Conclusions
Introduction
• Keylogger detection
  • Signature-based solutions
    • Evasion techniques
    • Time needed to produce a signature
  • Behavior-based solutions (monitoring system-call or library-call invocations)
    • False positives
    • False negatives
Introduction
• This paper proposes a new behavior-based detection model
  • KLIMAX: Kernel-Level Infrastructure for Memory And eXecution profiling
  • Based on memory write pattern profiling
  • Proactive and reactive
• Previous work
  • Stefano Ortolani, Cristiano Giuffrida, and Bruno Crispo, Bait your Hook: a Novel Detection Technique for Keyloggers, RAID 2010
  • Compares I/O patterns
  • False negatives: keyloggers that delay or disguise their I/O activity
Approach
• Ascertain the correlation between the stream of issued keystrokes and the memory writes a process exhibits
  • High correlation means keylogging behavior is present
• No virtualization techniques
• Kernel-level solution
  • Does not provide kernel rootkit detection
Approach
Approach
• Detector
  • Uses the statistical suite R to randomly generate patterns
  • Receives write patterns from the Injector, categorized by region: data, stack, heap
  • Computes the correlation between the two patterns
    • PCC: Pearson product-moment Correlation Coefficient
• Injector
  • A virtual keyboard driver
  • Converts patterns into keystroke streams
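The detector's core step in working form: an added illustration written for this transcript, not code from the paper or the KLIMAX implementation. It generates a random keystrokes-per-interval pattern (standing in for the R-generated one), scores the per-region write counts of a process against it with the PCC, and flags the process if any region correlates above a threshold. The write counts for the two processes and the 0.7 threshold are constructed assumptions; the "hook app" case also previews the false positive the later optimization slide addresses.

```python
import math
import random

REGIONS = ("data", "stack", "heap")

def random_pattern(n, max_keys, seed=1):
    """Random keystrokes-per-interval pattern; stands in for the R-generated one (constructed)."""
    rng = random.Random(seed)
    return [rng.randint(0, max_keys) for _ in range(n)]

def pcc(xs, ys):
    """Pearson product-moment correlation coefficient of two equal-length series.
    Returns 0.0 when either series is constant (no variance, hence no correlation)."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("series must have equal length >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)

def keylogger_writes(pattern, bytes_per_key=8):
    """Constructed write counts: a logger appends one record per keystroke to a global buffer."""
    n = len(pattern)
    return {"data": [k * bytes_per_key + (i % 3) for i, k in enumerate(pattern)],
            "stack": [48] * n, "heap": [0] * n}

def hook_app_writes(pattern):
    """Constructed write counts for a benign app whose keyboard callback only touches its stack frame."""
    n = len(pattern)
    return {"data": [64] * n, "stack": [40 + 16 * k for k in pattern], "heap": [256] * n}

def classify(pattern, writes, threshold=0.7):
    """Score each region's write series against the injected pattern; flag if any exceeds the threshold."""
    scores = {r: pcc(pattern, writes[r]) for r in REGIONS}
    region = max(scores, key=scores.get)
    return scores[region] >= threshold, region, scores

if __name__ == "__main__":
    pat = random_pattern(30, 20)
    for name, w in (("keylogger", keylogger_writes(pat)), ("hook app", hook_app_writes(pat))):
        flagged, region, scores = classify(pat, w)
        print(name, flagged, region, {r: round(s, 3) for r, s in scores.items()})
```

The hook app is flagged through its stack region even though it never stores keystrokes, which is exactly why writes to short-lived stack frames have to be excluded.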
Approach
• IDT: Interrupt Descriptor Table
Approach
Approach
• Shadower
• Classifier
Approach
Optimization
• Goal: reduce false positives and false negatives
• Many benign applications register callback functions to intercept keystroke events
  • This produces a high correlation (a false positive)
  • The callback mechanism is implemented in USER32.dll
  • The writes are transient memory write patterns on the stack at callback execution time (short-lived stack)
  • Avoid logging any memory writes performed by USER32.dll
• Identify the long-lived regions of the stack during execution and exclude every other stack region
  • Adaptive algorithm to identify the long-lived stack
    • Initially, mark the entire stack as long-lived
    • As execution progresses, sample the stack pointer of each thread at regular time intervals and update the deepest value
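A model of the adaptive long-lived-stack filter, added here as an illustration and not taken from the paper or its implementation. It assumes my reading of the slide: the whole stack starts out long-lived, and each stack-pointer sample raises the region's lower edge to the sampled value, since frames below that point were not live at sampling time. The stack bounds, module names and write trace are constructed.

```python
# Constructed model of the long-lived-stack filter (my reading of the slide, not the paper's code).
STACK_BASE = 0x00200000   # top of the thread stack; the stack grows toward lower addresses
STACK_LIMIT = 0x001F0000  # lowest address the stack may reach (64 KiB stack)
SKIPPED_MODULES = {"USER32.dll"}  # writes issued from this module are never logged

class LongLivedStack:
    """Tracks the lower edge of the stack region that has stayed allocated across all samples."""
    def __init__(self, stack_limit, stack_base):
        self.base = stack_base
        self.boundary = stack_limit   # initially the entire stack counts as long-lived

    def sample_sp(self, sp):
        # Frames below the sampled stack pointer were not live at this sample, so the
        # long-lived region can only shrink: its lower edge moves up, never back down.
        if sp > self.boundary:
            self.boundary = sp

    def is_long_lived(self, addr):
        return self.boundary <= addr < self.base

def profile(events, stack_limit=STACK_LIMIT, stack_base=STACK_BASE):
    """events: chronological ("sp", value) samples and ("write", addr, module) records.
    Returns (kept, dropped) counts of stack writes after filtering."""
    tracker = LongLivedStack(stack_limit, stack_base)
    kept = dropped = 0
    for ev in events:
        if ev[0] == "sp":
            tracker.sample_sp(ev[1])
        elif ev[0] == "write":
            _, addr, module = ev
            if module in SKIPPED_MODULES or not tracker.is_long_lived(addr):
                dropped += 1
            else:
                kept += 1
        else:
            raise ValueError(f"unknown event {ev!r}")
    return kept, dropped

# Constructed trace: a main-loop frame near the base plus a keyboard callback that runs deeper.
TRACE = [
    ("write", 0x1FFF00, "app.exe"),     # main frame; whole stack long-lived so far -> kept
    ("sp", 0x1FFE00),                   # periodic sample: lower edge rises to 0x1FFE00
    ("write", 0x1FFC00, "app.exe"),     # callback frame below the edge -> dropped
    ("write", 0x1FFF40, "app.exe"),     # main frame -> kept
    ("sp", 0x1FFA00),                   # deeper sample during the callback does not extend the region
    ("write", 0x1FFB00, "app.exe"),     # still below 0x1FFE00 -> dropped
    ("write", 0x1FFF90, "USER32.dll"),  # dispatch code inside USER32 -> never logged
    ("sp", 0x1FFF00),                   # lower edge rises to 0x1FFF00
    ("write", 0x1FFE80, "app.exe"),     # was long-lived earlier, no longer -> dropped
    ("write", 0x1FFF80, "app.exe"),     # -> kept
]

if __name__ == "__main__":
    print(profile(TRACE))
```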
Evaluation
• Synthetic Evaluation
Evaluation
Evaluation
• False Positive Analysis
  • Static binary analysis (or dynamic analysis) to check which keyboard-related APIs an application uses
  • Standard API
    • SetWindowsHookEx, GetKeyState, GetAsyncKeyState (from USER32.dll)
  • Hotkey registration API
    • RegisterHotKey
Discussion
• The main strength of the detection strategy is that it detects keylogging behavior within short windows of observation, even for malware that buffers data for a long time
• False positives
  • If a benign application keeps sensitive data in global memory regions, this is unnecessary behavior (and is what causes the false positive)
• In the false negative evaluation
  • 2 samples show that the proactive method alone is not a good idea
  • Event-trigger-based "reactive" detection should be good
Related Work
• Behavior-based approach (malware detection)
  • Polymorphic malicious executable scanner by API sequence analysis
• Malware profiling
  • Behavior-based spyware detection
  • Effective and efficient malware detection at the end host
• API correlation
  • Detecting bots based on keylogging activities
  • Bait your hook: a novel detection technique for keyloggers
Conclusions
• KLIMAX: a kernel-level infrastructure to analyze and detect malware with generic keylogging behavior
  • Can be deployed on unmodified Windows-based systems
• Proactive detection
  • No false positives
  • No false negatives (when the keylogging behavior is triggered within the window of observation)
• Reactive detection
  • Policy-based reactive detection
  • No false negatives in the "general" case
• Antivirus misclassified several malware samples