14-10-2016, 11:15 AM
1458923867-snepaper.docx (Size: 92.82 KB / Downloads: 5)
Abstract: The number of malicious applications targeting online banking transactions has increased dramatically in recent years. This represents a challenge not only to the customers who use such facilities, but also to the institutions that offer them. These malicious applications employ two kinds of attack vector: local attacks, which occur on the local computer, and remote attacks, which redirect the victim to a remote site. Keystroke capturing is one such attack. Evasive software keyloggers hide their malicious behaviour to defeat run-time detection. This paper proposes an algorithm known as the Dendritic Cell Algorithm (DCA) that uses an induction-correlation framework to detect the presence of keyloggers. It also encrypts the log file that contains the captured keystrokes, making the file useless when viewed by an attacker and thus providing added protection.
I. INTRODUCTION
Nowadays, financial services providers face complex challenges that affect their very survival in a high-churn market. Protecting sensitive and critical data, no matter where it resides, should be a core requirement of every company's security strategy. As the number of users of internet services such as online banking, social networks and e-mail has increased, the number of fraudulent activities has increased with it. Commonly used attacks are phishing, malware, keystroke capturing/logging, SQL injection, etc.
Keyloggers are gaining popularity in recent days. Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
Keyloggers are divided into two main groups: hardware keyloggers and software keyloggers. Hardware keyloggers are small electronic devices that capture the data passing between a keyboard device and an I/O port. These keyloggers are undetectable by anti-virus software or scanners since they work at the hardware level. Software keyloggers track systems, collect keystroke data within the target operating system, store it on disk or in a remote location, and send it to the attacker who installed the keylogger. The main advantage of software keyloggers over hardware keyloggers is that they can run for an indefinite amount of time while the information is transmitted remotely, eliminating the need to physically retrieve the information.
Since the chief purpose of keyloggers is to obtain confidential data (bank card numbers, passwords, etc.), the most logical ways to protect against unknown keyloggers are as follows:
• using one-time passwords or two-step authentication,
• using a system with proactive protection designed to detect keylogging software,
• using a virtual keyboard.
This paper proposes an algorithm known as the Dendritic Cell Algorithm to detect the presence of keyloggers within a system, together with a method to prevent keylogger attacks. It uses an induction-correlation framework that correlates behaviours exhibited by each running application in the system.
II. RELATED WORK
Unlike other types of malicious program, keyloggers present no threat to the system itself. They can, however, pose a serious threat to users, as they can be used to intercept passwords and other confidential information entered via the keyboard. Keeping a keylogger off your machine is a trillion times more important than the strength of any of your passwords. Antivirus software can detect and block many kinds of keyloggers, but there is no guarantee that it catches everything.
There are different methods to detect keyloggers:
• Signature based analysis
• Heuristic analysis
• Immune / Behavior analysis
Anti-virus software uses the signature-based method, but it only scans for known signatures and therefore cannot detect novel or privately developed keyloggers. The heuristic method is based on the piece-by-piece examination of a virus, looking for sequences of instructions that differentiate the virus from normal programs. It has some disadvantages: a scan takes longer than with the other methods, and depending on the data an increased number of false positives can occur.
To overcome these problems, security experts are turning to behaviour-based detection techniques, which analyse the API calls of a process to classify it as a keylogger or not.
Current methods rely on a single behaviour, which gives a high rate of false positives (FP). The ability to correlate multiple behaviours (keystroke tracking, file access and network communication) reduces the FP rate to a great extent. This paper proposes an immune-inspired algorithm, the dendritic cell algorithm (DCA), for the purpose of improving detection performance. Rather than relying on a single type of API (keylogging APIs), it has the ability to correlate multiple types of API (keystroke tracking, file access and network communication APIs).
The DCA is based on an abstract model of dendritic cells, which are natural intrusion detection agents of the human body. These cells collect antigens and signals (the environmental conditions of the antigens), and combine the evidence of damage (signals) with the collected suspect antigens to provide information about how dangerous a particular antigen is. The DCA not only detects an anomaly, but also the culprit responsible for it.
There are five input signals:
• PAMP and safe signal-2, derived from the frequency of invocations of keystroke tracking functions;
• danger signal-1, the time difference between two consecutive WriteFile calls;
• danger signal-2, the relation between different categories of function calls;
• safe signal-1, the time difference between two consecutive outgoing communication functions.
Antigens are defined as the process (identified by process ID) that causes the calls. These antigens are correlated with the input signals by the DCA, resulting in a pairing between signal evidence and antigen suspects and, in the end, the identification of the keylogger process.
KEYLOGGER DETECTION
All keyloggers work in a similar manner: they first track keystrokes and then write them to a file or send them to a destination via the Internet.
This paper proposes an approach to detect software keyloggers on a host. The approach consists of two steps: 1) the induction of the keyloggers, and 2) the correlation of the behaviours they exhibit. In a real environment the frequency of keystrokes may not be high, so the behaviours of the keylogger are not evident enough. A keystroke agent application that frequently generates random keystrokes eliminates this problem: the behaviour of the keylogger becomes more evident under the stimulation of a large number of random keystrokes in a short time. The keystroke agent holds the simulated keystrokes within a hidden application so that they are not passed to other applications; normal applications are therefore not affected by the simulated keystrokes.
1) INDUCTION PHASE
In the induction phase, random keystrokes are synthesised to induce keyloggers. Figure 2.1 shows how a Windows NT operating system generates a keyboard interrupt when a key is pressed. The keyboard driver transforms this interrupt into a system-defined message and then puts it into the system-level message queue. The operating system passes this message to the application-level message queue of the focused application. In this process, keyloggers employ very low-level operating system calls, such as GetKeyBoardState or GetAsyncKeyState, to intercept keystroke messages, so the keylogger sees everything whenever a key is pressed.
The keystroke agent simulates keyboard events completely by invoking the system kernel (keybd_event). Since a keylogger tracks keystrokes from all applications, it will not be able to distinguish the simulated keystrokes from real ones. When keystrokes are generated frequently, the keylogger has to perform more file access and communication operations in order to log or send the plentiful keys.
2) CORRELATION PHASE
To identify keylogger applications, the DCA correlates the API calls generated by all running applications. To obtain the API calls, a hook program is implemented to monitor three types of function call:
• Keystroke Tracking: GetKeyboardState, GetAsyncKeyState and GetKeyNameText
• File Access: CreateFile, OpenFile, ReadFile and WriteFile
• Communication: socket, send, recv, sendto and recvfrom
Though these API functions are often employed by keyloggers to implement keylogging, they may also form part of legitimate usage. Therefore, an intelligent correlation method is required to determine whether the invocations of such functions are anomalous or not.
Signals
Five signals, namely one PAMP signal (PAMP), two danger signals (DS) and two safe signals (SS), are used as the input of the DCA.
PAMP is a signature-based signal derived from the rate of keyboard tracking function calls. A large number of these function calls indicates the potential existence of a keylogger.
A danger signal is a measure of an attribute that increases in value to indicate an abnormality. Low values of this signal may not be anomalous.
DS-1 is derived from the time difference (Δt1) between two consecutive WriteFile function calls. Because a keylogger saves the keystrokes captured to log files continuously, a small Δt1 will be observed.
DS-2 is derived from the correlation between different categories of function calls. Based on the behavioral characteristics of keyloggers, we generate this signal when file access or communication functions are invoked shortly after the invocations of keyboard tracking functions.
A safe signal is a confident indicator of normal or steady-state system behaviour. This signal is used to counteract the effects of the PAMP and danger signals.
SS-1 is derived from the time difference (Δt2) between two consecutive outgoing communication functions, including the send, sendto and socket functions.
SS-2 is derived from a small number of keyboard tracking function calls within a specified time window. Legitimate applications such as Notepad or WordPad invoke far fewer keyboard tracking functions than keyloggers, so a small number of invocations is considered safe on the host.
Antigens are the potential culprits responsible for any observed change in the status of the system. When a process executes one of the selected API functions, the process ID (PID) that causes the call, and thus generates signals, is defined as the antigen. By observing which processes are active when the signal context is danger, the DCA can find the keylogger present in the system.
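The induction and correlation phases described above, worked end to end as an added example (this is not the paper's own code, and the paper's hook program, signal scalings and DCA parameters are not given, so every constant below is an assumption). A constructed API-hook trace stands in for the hook program's output: PID 1001 is a text editor, and PID 2002 polls GetAsyncKeyState, calls WriteFile every 200 ms and sends its log while the keystroke agent floods synthetic keys between t=2 s and t=5 s. The five signals (PAMP, DS-1, DS-2, SS-1, SS-2) are computed per one-second window, and a deterministic dendritic cell accumulates them until it migrates and presents the PIDs active in those windows as antigens. The mature context antigen value (MCAV) per PID is then the fraction of presentations made in a danger context.

```python
"""Induction-correlation keylogger detection with a simplified deterministic
DCA. Added example; all scalings, weights and thresholds are assumptions."""
from collections import defaultdict

# API categories monitored by the hook program, as named in the paper
TRACKING = {"GetKeyboardState", "GetAsyncKeyState", "GetKeyNameText"}
FILE_ACCESS = {"CreateFile", "OpenFile", "ReadFile", "WriteFile"}
COMM = {"socket", "send", "recv", "sendto", "recvfrom"}
OUTGOING = {"socket", "send", "sendto"}
FILE_OR_COMM = FILE_ACCESS | COMM

WINDOW_MS = 1000            # signal window length (assumed)
FOLLOW_MS = 100             # "shortly after" a tracking call, for DS-2 (assumed)
PAMP_SCALE = 20             # tracking calls per window that saturate PAMP
SS2_SCALE = 10              # tracking calls per window at which SS-2 reaches 0
DS1_SCALE = 1000            # WriteFile gap (ms) at which DS-1 reaches 0
DS2_SCALE = 5               # correlated follow-up calls that saturate DS-2
SS1_SCALE = 5000            # outgoing-call gap (ms) that saturates SS-1
MIGRATION_THRESHOLD = 1.9   # cumulative csm at which the cell presents antigens
MCAV_THRESHOLD = 0.5        # MCAV above which a PID is reported as a keylogger


def build_trace():
    """Constructed hook trace of (time_ms, pid, api), sorted by time."""
    trace = [(100 + 500 * i, 1001, "GetKeyboardState") for i in range(12)]
    trace += [(900, 1001, "WriteFile"), (5900, 1001, "WriteFile")]
    # induced burst: the keylogger polls every 50 ms, logs every 200 ms, sends once a second
    trace += [(2000 + 50 * i, 2002, "GetAsyncKeyState") for i in range(60)]
    trace += [(2100 + 200 * i, 2002, "WriteFile") for i in range(15)]
    trace += [(t, 2002, "send") for t in (2950, 3950, 4950)]
    return sorted(trace)


def window_signals(trace, w):
    """The five DCA input signals for window w, each scaled into [0, 1]."""
    lo, hi = w * WINDOW_MS, (w + 1) * WINDOW_MS
    calls = [c for c in trace if lo <= c[0] < hi]
    tracking = [c for c in calls if c[2] in TRACKING]
    pamp = min(1.0, len(tracking) / PAMP_SCALE)          # many tracking calls
    ss2 = max(0.0, 1 - len(tracking) / SS2_SCALE)        # few tracking calls
    # DS-1: small mean gap (delta t1) between consecutive WriteFile calls
    writes = [c[0] for c in calls if c[2] == "WriteFile"]
    gaps = [b - a for a, b in zip(writes, writes[1:])]
    ds1 = max(0.0, 1 - (sum(gaps) / len(gaps)) / DS1_SCALE) if gaps else 0.0
    # DS-2: file/comm calls a process makes within FOLLOW_MS of its own tracking call
    track_times = defaultdict(list)
    for t, pid, _ in tracking:
        track_times[pid].append(t)
    followups = sum(1 for t, pid, api in calls if api in FILE_OR_COMM
                    and any(0 <= t - tt <= FOLLOW_MS for tt in track_times[pid]))
    ds2 = min(1.0, followups / DS2_SCALE)
    # SS-1: large gap (delta t2) since the previous outgoing call; no outgoing call is safest
    outgoing = [c[0] for c in trace if c[2] in OUTGOING]
    in_window = [t for t in outgoing if lo <= t < hi]
    if in_window:
        gaps2 = [t - max([p for p in outgoing if p < t], default=0) for t in in_window]
        ss1 = min(1.0, (sum(gaps2) / len(gaps2)) / SS1_SCALE)
    else:
        ss1 = 1.0
    return {"PAMP": pamp, "DS1": ds1, "DS2": ds2, "SS1": ss1, "SS2": ss2}


def run_dca(trace):
    """One deterministic dendritic cell samples every window, accumulating csm
    and k; when csm crosses the migration threshold it presents the PIDs seen
    (one antigen per API call) as mature if k > 0, else semi-mature."""
    n_windows = trace[-1][0] // WINDOW_MS + 1
    presented = defaultdict(lambda: {"mature": 0, "total": 0})
    antigens = defaultdict(int)
    csm = k = 0.0

    def present():
        for pid, n in antigens.items():
            presented[pid]["total"] += n
            if k > 0:
                presented[pid]["mature"] += n
        antigens.clear()

    for w in range(n_windows):
        s = window_signals(trace, w)
        danger = s["PAMP"] + (s["DS1"] + s["DS2"]) / 2   # assumed combination
        safe = (s["SS1"] + s["SS2"]) / 2
        csm += danger + safe                              # co-stimulation
        k += danger - 2 * safe                            # context: safe signals dominate
        for t, pid, _ in trace:
            if w * WINDOW_MS <= t < (w + 1) * WINDOW_MS:
                antigens[pid] += 1
        if csm >= MIGRATION_THRESHOLD:
            present()
            csm = k = 0.0
    if antigens:          # flush whatever the cell still holds at end of trace
        present()
    return {pid: c["mature"] / c["total"] for pid, c in presented.items()}


def detect_keyloggers(trace, threshold=MCAV_THRESHOLD):
    """PIDs whose MCAV reaches the threshold, i.e. mostly active in danger context."""
    return sorted(pid for pid, v in run_dca(trace).items() if v >= threshold)


if __name__ == "__main__":
    trace = build_trace()
    for w in range(6):
        print(w, window_signals(trace, w))
    print(run_dca(trace))
    print("keylogger PIDs:", detect_keyloggers(trace))
```

Running it, the editor's calls are spread across quiet and induced windows and end with an MCAV of 6/14, while every one of PID 2002's calls is presented in a mature context (MCAV 1.0), which is what the paper means by finding the process that is active when the signal context is danger. The induced burst matters: with only the editor's two tracking calls per second, PAMP and DS-2 stay near zero and no window ever turns dangerous.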
III. CONCLUSION
This paper proposed an induction-correlation framework for keylogger detection. Keystroke simulation raises the frequency of keystrokes and thus induces keyloggers to produce more malicious behaviour. The amplified behaviour is then correlated by the DCA in order to find the keylogger process as early as possible and reduce the loss of private data. The framework also uses an encryption algorithm to encrypt the log file that contains the recorded keystrokes.