{"title":"On Second-Order Detection of Webcam Spyware","authors":"Haissam Badih, Benjamin Bond, J. Rrushi","doi":"10.1109/ICICT50521.2020.00074","DOIUrl":null,"url":null,"abstract":"Second-order detection of malware is frequently more effective than traditional malware detection in that it operates on the basis of a heavily influenced malware behavior. In this paper, we advance second-order detection of webcam spyware through an approach that aims at reaching their behavior at a greater than before depth. We propose decoy user space activity, along with a case study of it, namely a decoy security protocol, to involve malware in a series of interactions that lead them towards accessing a decoy I/O device, i.e. a decoy webcam in this case. In practical terms, decoy user space activity is delivered by a coherent ensemble of decoy I/O devices and decoy processes. This work makes decoy user space activity and decoy I/O indistinguishable from their real counterparts, and therefore increases uncertainty in malware operations on a compromised machine to benefit their detection.","PeriodicalId":445000,"journal":{"name":"2020 3rd International Conference on Information and Computer Technologies (ICICT)","volume":"121 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 3rd International Conference on Information and Computer Technologies (ICICT)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICICT50521.2020.00074","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 1
Abstract
Second-order detection of malware is frequently more effective than traditional malware detection in that it operates on the basis of a heavily influenced malware behavior. In this paper, we advance second-order detection of webcam spyware through an approach that aims at reaching their behavior at a greater than before depth. We propose decoy user space activity, along with a case study of it, namely a decoy security protocol, to involve malware in a series of interactions that lead them towards accessing a decoy I/O device, i.e. a decoy webcam in this case. In practical terms, decoy user space activity is delivered by a coherent ensemble of decoy I/O devices and decoy processes. This work makes decoy user space activity and decoy I/O indistinguishable from their real counterparts, and therefore increases uncertainty in malware operations on a compromised machine to benefit their detection.