Evaluation of a Spyware Detection System Using Thin Client Computing
Vasilis Pappas, Brian M. Bowen, and Angelos D. Keromytis
Department of Computer Science, Columbia University
{vpappas,bmbowen,angelos}@cs.columbia.edu
Abstract. Spyware, malicious software that passively collects users' information without their knowledge, is a prevalent threat. After a spyware program has collected and possibly analyzed enough data, it usually transmits that information back to its author. In this paper, we build a system to detect such maliciously behaving software, based on our prior work on detecting crimeware. Our system is specifically designed to fit with thin-client computing, which is popular in some corporate environments. We provide implementation details, as well as experimental results that demonstrate the scalability and effectiveness of our system.
Keywords: Spyware, Thin Client Computing.
1 Introduction
Spyware has traditionally targeted individual consumers for purposes of conducting fraud and identity theft. Much of the defense has typically been left to anti-virus software operating on individual consumers' PCs and to the financial institutions themselves, which monitor for suspicious activity in an attempt to mitigate financial loss. More recently, the enterprise has become the target [16] for spyware, where the attackers' goal is to pilfer corporate information including webmail accounts, VPN accounts, and other enterprise credentials. One study conducted by RSA's FraudAction Anti-Trojan division found that almost all Fortune 500 companies have shown activity from the Zeus Trojan [12], one of the largest botnets. Given that many existing trojans and malware samples evade detection by traditional anti-virus software most of the time [12], there is demand for new approaches that can be applied at scalable levels within an enterprise.
In prior work [4], we developed a system that was designed to detect spyware proactively through the use of tamper-resistant decoys. The system is intended to complement traditional signature- and anomaly-based defense systems rather than replace them. The system works by injecting decoys made up of monitored information that triggers alerts during exploitation. The system makes the malware's task significantly harder by requiring it to distinguish real actions from simulated actions in order to avoid decoys. We demonstrated the system's ability to detect spyware using various types of decoy credentials including those
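As an added illustration of the monitored-decoy mechanism described above (example code written for this page, not the authors' system): the monitor below registers decoy accounts together with the hosts that inject them, scans constructed authentication log lines, and raises an alert whenever a decoy credential is used from any other host. The log format, the host names and the injector-allowlist policy are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed log format for this example (not the paper's):
#   "<ts> <service> user=<name> src=<host> result=<ok|fail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<service>\S+) user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) result=(?P<result>\S+)$")

@dataclass(frozen=True)
class Alert:
    ts: str
    service: str
    user: str
    src: str
    result: str

class DecoyMonitor:
    """Holds the decoy accounts and the hosts allowed to inject them (assumed
    policy: any other use of a decoy means the credential has leaked)."""

    def __init__(self, decoys, injector_hosts):
        self.decoys = set(decoys)
        self.injectors = set(injector_hosts)

    def scan(self, lines):
        alerts = []
        for line in lines:
            m = LOG_RE.match(line.strip())
            if not m:
                continue  # skip lines that do not match the assumed format
            # Alert on failed attempts too: a failed login with a decoy
            # still proves the credential was harvested.
            if m["user"] in self.decoys and m["src"] not in self.injectors:
                alerts.append(Alert(m["ts"], m["service"], m["user"],
                                    m["src"], m["result"]))
        return alerts

# Constructed sample log: one injection by the simulator host, a real user,
# two uses of the decoy from an unexpected host, and a malformed line.
SAMPLE_LOG = [
    "2010-01-01T09:00:00Z webmail user=decoy.alice src=thinclient-01 result=ok",
    "2010-01-01T09:05:00Z webmail user=bob src=workstation-07 result=ok",
    "2010-01-01T13:42:10Z webmail user=decoy.alice src=203.0.113.9 result=fail",
    "2010-01-01T13:42:15Z vpn user=decoy.alice src=203.0.113.9 result=ok",
    "malformed line",
]
def alerts_for_sample():
    monitor = DecoyMonitor(decoys=["decoy.alice"], injector_hosts=["thinclient-01"])
    return monitor.scan(SAMPLE_LOG)
```

The injection by `thinclient-01` and the real user's login produce no alert; the two attempts from `203.0.113.9` do, including the failed one.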