for PayPal, a large bank, and Gmail. The implementation relied upon an out-of-host software agent to drive user-like interactions in a virtual machine, seeking to convince malware residing within the guest OS that it has captured legitimate credentials. The system successfully demonstrated that decoys can be used for detecting spyware on a single host.
In this work, we explore and demonstrate the scalability of the approach across many hosts, making it applicable to enterprise environments. Specifically, we address threats within a thin-client based environment and propose a novel architecture for bait injection on thin clients. The maturity of thin clients has increased their usage in corporate computing environments, making this approach especially applicable [9,7]. In this system, we rely on virtualized mouse and keyboard devices to inject decoy actions and credentials into a large number of hosts with very low network and CPU overhead.
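The detection side of this approach is that a decoy credential which leaves a host toward anything other than the site it was planted for is evidence that malware captured and exfiltrated it. The following Python is an added example, not the paper's own code: it derives a distinct decoy per (host, site) pair with an HMAC so that a leaked decoy can be attributed to the host it was injected into, then scans constructed flow-log lines for decoy tokens. The log format, the HMAC derivation, the sample hosts and destinations, and the rule that traffic to the decoy's legitimate site is ignored are assumptions of this example rather than details from the paper.

```python
"""Per-host decoy credentials and an exfiltration monitor (illustrative example)."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed key for this example; a deployment would keep it secret and rotate it.
MASTER_KEY = b"example-master-key-not-for-production"


@dataclass(frozen=True)
class Decoy:
    host: str       # thin client the decoy was injected into
    site: str       # legitimate destination of the bait login
    username: str
    password: str


def make_decoy(master_key: bytes, host: str, site: str) -> Decoy:
    """Derive a unique decoy for a (host, site) pair.

    HMAC keyed derivation (an assumption of this example) means the monitor can
    rebuild the decoy table from the key and the host/site list instead of
    storing every plaintext decoy.
    """
    tag = hmac.new(master_key, f"{host}|{site}".encode(), hashlib.sha256).hexdigest()
    return Decoy(host, site, username=f"u{tag[:10]}", password=tag[10:26])


def build_index(decoys):
    """Map every decoy username and password back to the decoy that owns it."""
    index = {}
    for d in decoys:
        index[d.username] = d
        index[d.password] = d
    return index


# Hypothetical flow-log format: "src=<host> dst=<destination> <payload>".
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) (?P<payload>.*)")
TOKEN_RE = re.compile(r"[A-Za-z0-9]{8,}")


def detect_exfiltration(log_lines, index):
    """Return (src_host, dst, decoy) for decoy tokens sent anywhere but the decoy's site.

    The bait agent itself logs in to the genuine site with the decoy, so that
    traffic is expected; only flows to other destinations are reported.
    """
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, dst, payload = m.group("src"), m.group("dst"), m.group("payload")
        seen = set()
        for tok in TOKEN_RE.findall(payload):
            d = index.get(tok)
            if d is None or d in seen:
                continue
            seen.add(d)
            if dst == d.site:
                continue  # legitimate decoy injection traffic
            alerts.append((src, dst, d))
    return alerts


# Constructed sample deployment: three thin clients, two bait sites.
HOSTS = ["tc-01", "tc-02", "tc-03"]
SITES = ["www.paypal.com", "mail.google.com"]
DECOYS = [make_decoy(MASTER_KEY, h, s) for h in HOSTS for s in SITES]
INDEX = build_index(DECOYS)
BY_PAIR = {(d.host, d.site): d for d in DECOYS}

_d_pp = BY_PAIR[("tc-02", "www.paypal.com")]
_d_gm = BY_PAIR[("tc-03", "mail.google.com")]

# Constructed flow log: one bait login, one real user login, two exfiltrations.
SAMPLE_LOG = [
    f"src=tc-02 dst=www.paypal.com POST /signin login={_d_pp.username}&pwd={_d_pp.password}",
    f"src=tc-02 dst=203.0.113.7 POST /gate.php data={_d_pp.username}:{_d_pp.password}",
    "src=tc-01 dst=mail.google.com POST /login Email=realuser&Passwd=hunter22",
    f"src=tc-03 dst=198.51.100.9 GET /?q={_d_gm.password}",
]


def run_sample():
    """Run the monitor over the constructed log and return its alerts."""
    return detect_exfiltration(SAMPLE_LOG, INDEX)


if __name__ == "__main__":
    for src, dst, d in run_sample():
        print(f"decoy planted on {d.host} for {d.site} seen from {src} to {dst}")
```

Because each decoy is bound to a host, an alert whose `src` differs from `decoy.host` indicates the credential was collected on one client and replayed from another, which is worth flagging separately from in-place exfiltration.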
In summary, the contributions of this work include:
- An extension of an already proven system that proactively detects malware on a single host to one that scales to service any number of hosts.
- A thin-client based architecture that supports the injection of bait information between a scalable number of servers and clients.
- A demonstration of the thin-client based architecture showing that it provides reasonable performance.
- The results of experiments that examine how these new systems induce malware to exfiltrate information.
Organization: Section 2 presents previous work related to ours. In Section 3 we describe our original system and detail our new scalable architecture based on thin-client computing. We then present our evaluation results in Section 4 and conclude in Section 5.
2 Related Work
The use of manually injected human input for generating network requests has been shown to be useful by Borders et al. [3] for detecting malware. The aim of their system is to thwart malware that attempts to blend in with normal user activity to avoid anomaly detection systems. Chandrasekaran et al. [5] expanded upon this system and demonstrated an approach to randomizing generated human input to foil potential analysis techniques that may be employed by malware. Work by Holz et al. [8] investigated keyloggers and dropzones, relying on executing malware in CWSandbox [13] and automating user input with AutoIt 1 for the purpose of detecting harvesting channels. Since AutoIt resides within the host, attackers are provided with a simple means of detecting and avoiding it. In prior work, we demonstrated a platform for the automatic generation and injection of bait information designed to convince malware it has captured legitimate credentials [4]. In addition, we adapted our original system
1 http://www.autoitscript.com