SpyCon: Emulating User Activities to Detect Evasive Spyware
M. Chandrasekaran, V. Sankaranarayanan, S. Upadhyaya
2007 IEEE International Performance, Computing, and Communications Conference
Published: 2007-04-11
DOI: 10.1109/PCCC.2007.358933 (https://doi.org/10.1109/PCCC.2007.358933)
Citations: 24
Abstract
The success of any spyware is determined by its ability to evade detection. Although traditional detection methodologies employing signature- and anomaly-based systems have had reasonable success, a new class of spyware programs has emerged that blends in with user activities to avoid detection. One of the latest anti-spyware technologies consists of a local agent that generates honeytokens of known parameters (e.g., network access requests) and tricks spyware into treating them as legitimate activity. In this paper, as a first step, we address the deficiencies of static honeytoken generation and present an attack that circumvents such detection techniques. We synthesize the attack by means of data mining algorithms such as association rule mining. Next, we present a randomized honeytoken generation mechanism to address this new class of spyware. Experimental results show that (i) static honeytokens are detected with near 100% accuracy, thereby defeating the state-of-the-art anti-spyware technique, and (ii) a randomized honeytoken generation mechanism is an effective anti-spyware solution.