Spyware


The Experts below are selected from a list of 2805 Experts worldwide ranked by ideXlab platform

Sy-yen Kuo - One of the best experts on this subject based on the ideXlab platform.

  • Examining Web-Based Spyware Invasion with Stateful Behavior Monitoring
    Pacific Rim International Symposium on Dependable Computing, 2007
    Co-Authors: Sy-yen Kuo
    Abstract:

    Spyware infection that exploits vulnerabilities in client-side Web applications, especially browsers, to install malicious programs has gained significant popularity in recent years. Unlike traditional infection vectors such as software bundling in shareware/freeware and placing Trojans in pirated versions of commercial software, which generally require user consent to be successfully installed, Web-based spyware attempts exploits on browser vulnerabilities to achieve automatic installation (a.k.a. drive-by download). In this paper, we characterize the behavior of spyware instances collected from software bundling and of those collected from exploit Web pages in terms of auto-start extensibility points (ASEPs) and other spyware behaviors. We use a tool called STARS (Stateful Threat-Aware Removal System) that can monitor critical areas of the system and detect advanced features of a spyware instance such as self-healing. Experimental results show that traditional spyware and Web-based spyware use different combinations of ASEPs to resist deletion. The latter hooks into low-level system components and is loaded as services and/or drivers, employing a Layered Service Provider (LSP) to interpret network traffic. Our observations identify unique behaviors performed by Web-based spyware that are rarely found in traditional spyware.

  • Self-Healing Spyware: Detection and Remediation
    IEEE Transactions on Reliability, 2007
    Co-Authors: Yi-min Wang, Sy-yen Kuo, Yennun Huang
    Abstract:

    Spyware has become a significant threat to most Internet users, as it introduces serious privacy disclosure and potential security breaches to the systems. It has not only utilized critical areas of the computer system to survive reboots, but has also grown resilient against current anti-spyware tools; spyware programs are capable of self-healing against deletion. Because existing anti-spyware tools are stateless, in the sense that they do not remember or monitor the spyware programs that were deleted, they fail to remove self-healing spyware from the system completely. This paper proposes a stateful approach that is based on characterizing spyware invasion as a trust information flow problem, and implements STARS (Stateful Threat-Aware Removal System), a tool that at run time monitors critical system behaviors and ensures that removed spyware programs do not reinstall themselves, to enforce an information flow policy in the system. If a reinstallation (self-healing) is detected, STARS infers the source of such activities and discovers additional "suspicious" programs. Experimental results show that STARS is effective in removing self-healing spyware programs that resist removal by existing anti-spyware tools.

  • PRDC - Examining Web-Based Spyware Invasion with Stateful Behavior Monitoring
    13th Pacific Rim International Symposium on Dependable Computing (PRDC 2007), 2007
    Co-Authors: Sy-yen Kuo
    Abstract:

    Spyware infection that exploits vulnerabilities in client-side Web applications, especially browsers, to install malicious programs has gained significant popularity in recent years. Unlike traditional infection vectors such as software bundling in shareware/freeware and placing Trojans in pirated versions of commercial software, which generally require user consent to be successfully installed, Web-based spyware attempts exploits on browser vulnerabilities to achieve automatic installation (a.k.a. drive-by download). In this paper, we characterize the behavior of spyware instances collected from software bundling and of those collected from exploit Web pages in terms of auto-start extensibility points (ASEPs) and other spyware behaviors. We use a tool called STARS (Stateful Threat-Aware Removal System) that can monitor critical areas of the system and detect advanced features of a spyware instance such as self-healing. Experimental results show that traditional spyware and Web-based spyware use different combinations of ASEPs to resist deletion. The latter hooks into low-level system components and is loaded as services and/or drivers, employing a Layered Service Provider (LSP) to interpret network traffic. Our observations identify unique behaviors performed by Web-based spyware that are rarely found in traditional spyware.

  • PRDC - A Stateful Approach to Spyware Detection and Removal
    2006 12th Pacific Rim International Symposium on Dependable Computing (PRDC'06), 2006
    Co-Authors: Yennun Huang, Yi-min Wang, Sy-yen Kuo
    Abstract:

    Spyware, a type of potentially unwanted program (PUP), has become a significant threat to most Internet users, as it introduces serious privacy disclosure and potential security breaches to the systems. Current anti-spyware tools use signatures to detect spyware programs. Over time, spyware programs have grown more resilient to this technique; they utilize critical areas of the system to survive reboots and set up mini-installers that re-install a spyware program after it has been detected and removed. Since existing anti-spyware tools are stateless, in the sense that they do not remember and monitor the spyware programs that were removed, they fail to permanently remove these self-healing spyware programs. This paper proposes STARS (Stateful Threat-Aware Removal System): a tool that at run time intercepts critical system accesses and assures that removed spyware does not re-install itself after a successful removal of a spyware program from the system. If a re-installation (self-healing) is detected, STARS infers the source of such activities and discovers additional "suspicious" programs. Experimental results show that STARS is effective in removing self-healing spyware programs that existing anti-spyware tools fail to remove.

  • LISA - Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management
    2004
    Co-Authors: Yi-min Wang, Yennun Huang, Roussi Roussev, Chad Verbowski, Aaron R. Johnson, Sy-yen Kuo
    Abstract:

    Spyware is a rapidly spreading problem for PC users, causing significant impact on system stability and raising privacy concerns. It attaches to extensibility points in the system to ensure that the spyware will be instantiated when the system starts. Users may willingly install free versions of software containing spyware as an alternative to paying for it. Traditional anti-virus techniques are less effective in this scenario because they lack the context to decide whether the spyware should be removed. In this paper, we introduce Auto-Start Extensibility Points (ASEPs) as the key concept for modeling the spyware problem. By monitoring and grouping "hooking" operations made to the ASEPs, our Gatekeeper solution complements the traditional signature-based approach and provides a comprehensive framework for spyware management. We present ASEP hooking statistics for 120 real-world spyware programs. We also describe several techniques for discovering new ASEPs to further enhance the effectiveness of our solution.

Madhusudhanan Chandrasekaran - One of the best experts on this subject based on the ideXlab platform.

  • SpyCon: Emulating User Activities to Detect Evasive Spyware
    Conference Proceedings of the IEEE International Performance Computing and Communications Conference, 2007
    Co-Authors: Madhusudhanan Chandrasekaran, S. Vidyaraman, Saurav Upadhyaya
    Abstract:

    The success of any spyware is determined by its ability to evade detection. Although traditional detection methodologies employing signature- and anomaly-based systems have had reasonable success, a new class of spyware programs has emerged which blends in with user activities to avoid detection. One of the latest anti-spyware technologies consists of a local agent that generates honeytokens of known parameters (e.g., network access requests) and tricks spyware into assuming they are legitimate activity. In this paper, as a first step, we address the deficiencies of static honeytoken generation and present an attack that circumvents such detection techniques. We synthesize the attack by means of data mining algorithms such as association rule mining. Next, we present a randomized honeytoken generation mechanism to address this new class of spyware. Experimental results show that (i) static honeytokens are detected with near 100% accuracy, thereby defeating the state-of-the-art anti-spyware technique, and (ii) the randomized honeytoken generation mechanism is an effective anti-spyware solution.

  • IPCCC - SpyCon: Emulating User Activities to Detect Evasive Spyware
    2007 IEEE International Performance Computing and Communications Conference, 2007
    Co-Authors: Madhusudhanan Chandrasekaran, S. Vidyaraman, Shambhu Upadhyaya
    Abstract:

    The success of any spyware is determined by its ability to evade detection. Although traditional detection methodologies employing signature- and anomaly-based systems have had reasonable success, a new class of spyware programs has emerged which blends in with user activities to avoid detection. One of the latest anti-spyware technologies consists of a local agent that generates honeytokens of known parameters (e.g., network access requests) and tricks spyware into assuming they are legitimate activity. In this paper, as a first step, we address the deficiencies of static honeytoken generation and present an attack that circumvents such detection techniques. We synthesize the attack by means of data mining algorithms such as association rule mining. Next, we present a randomized honeytoken generation mechanism to address this new class of spyware. Experimental results show that (i) static honeytokens are detected with near 100% accuracy, thereby defeating the state-of-the-art anti-spyware technique, and (ii) the randomized honeytoken generation mechanism is an effective anti-spyware solution.

Michael R Lyu - One of the best experts on this subject based on the ideXlab platform.

  • SpyAware: Investigating the Privacy Leakage Signatures in App Execution Traces
    International Symposium on Software Reliability Engineering, 2015
    Co-Authors: Yangfan Zhou, Cuiyun Gao, Yu Kang, Michael R Lyu
    Abstract:

    A new security problem on smartphones is the widespread presence of spyware nested in apps, which occasionally and silently collects users' private data in the background. The state-of-the-art work for privacy leakage detection is dynamic taint analysis, which, however, suffers from usability issues because it requires flashing a customized system image to track the taint propagation and consequently incurs great overhead. Through a real-world privacy leakage case study, we observe that spyware behaviors share some common features during execution, which may further indicate a correlation between the data flow of privacy leakage and some specific features of program execution traces. In this work, we examine this hypothesis using the newly proposed SpyAware framework, together with a customized TaintDroid as the ground truth. SpyAware includes a profiler to automatically profile app executions in binder calls and system calls, a feature extractor to extract feature vectors from execution traces, and a classifier to train on and predict spyware executions based on the feature vectors. We conduct an evaluation experiment with 100 popular apps downloaded from Google Play. Experimental results show that our approach can achieve promising performance, with 67.4% accuracy in detecting device ID spyware executions and 78.4% in recognizing location spyware executions.

  • ISSRE - SpyAware: Investigating the privacy leakage signatures in app execution traces
    2015 IEEE 26th International Symposium on Software Reliability Engineering (ISSRE), 2015
    Co-Authors: Yangfan Zhou, Cuiyun Gao, Yu Kang, Michael R Lyu
    Abstract:

    A new security problem on smartphones is the widespread presence of spyware nested in apps, which occasionally and silently collects users' private data in the background. The state-of-the-art work for privacy leakage detection is dynamic taint analysis, which, however, suffers from usability issues because it requires flashing a customized system image to track the taint propagation and consequently incurs great overhead. Through a real-world privacy leakage case study, we observe that spyware behaviors share some common features during execution, which may further indicate a correlation between the data flow of privacy leakage and some specific features of program execution traces. In this work, we examine this hypothesis using the newly proposed SpyAware framework, together with a customized TaintDroid as the ground truth. SpyAware includes a profiler to automatically profile app executions in binder calls and system calls, a feature extractor to extract feature vectors from execution traces, and a classifier to train on and predict spyware executions based on the feature vectors. We conduct an evaluation experiment with 100 popular apps downloaded from Google Play. Experimental results show that our approach can achieve promising performance, with 67.4% accuracy in detecting device ID spyware executions and 78.4% in recognizing location spyware executions.

Engin Kirda - One of the best experts on this subject based on the ideXlab platform.

  • Automated Spyware Collection and Analysis
    International Conference on Information Security, 2009
    Co-Authors: Andreas Stamminger, Giovanni Vigna, Christopher Kruegel, Engin Kirda
    Abstract:

    Various online studies on the prevalence of spyware attest to overwhelming numbers (up to 80%) of infected home computers. However, the term spyware is ambiguous and can refer to anything from plug-ins that display advertisements to software that records and leaks user input. To shed light on the true nature of the spyware problem, a recent measurement paper attempted to quantify the extent of spyware on the Internet. More precisely, the authors crawled the web and analyzed the executables that were downloaded. For this analysis, only a single anti-spyware tool was used. Unfortunately, this is a major shortcoming, as the results from this single tool neither capture the actual extent of the threat nor, in many cases, appropriately classify the functionality of suspicious executables. For our analysis, we developed a fully automated infrastructure to collect and install executables from the web. We use three different techniques to analyze these programs: an online database of spyware-related identifiers, signature-based scanners, and a behavior-based malware detection technique. We present the results of a measurement study that lasted about ten months. During this time, we crawled over 15 million URLs and downloaded 35,853 executables. Almost half of the spyware samples we found were not recognized by the tool used in previous work. Moreover, a significant fraction of the analyzed programs (more than 80%) was incorrectly classified. This underlines that our measurement results are more comprehensive and precise than those of previous approaches, allowing us to draw a more accurate picture of the spyware threat.

  • ISC - Automated Spyware Collection and Analysis
    Lecture Notes in Computer Science, 2009
    Co-Authors: Andreas Stamminger, Giovanni Vigna, Christopher Kruegel, Engin Kirda
    Abstract:

    Various online studies on the prevalence of spyware attest to overwhelming numbers (up to 80%) of infected home computers. However, the term spyware is ambiguous and can refer to anything from plug-ins that display advertisements to software that records and leaks user input. To shed light on the true nature of the spyware problem, a recent measurement paper attempted to quantify the extent of spyware on the Internet. More precisely, the authors crawled the web and analyzed the executables that were downloaded. For this analysis, only a single anti-spyware tool was used. Unfortunately, this is a major shortcoming, as the results from this single tool neither capture the actual extent of the threat nor, in many cases, appropriately classify the functionality of suspicious executables. For our analysis, we developed a fully automated infrastructure to collect and install executables from the web. We use three different techniques to analyze these programs: an online database of spyware-related identifiers, signature-based scanners, and a behavior-based malware detection technique. We present the results of a measurement study that lasted about ten months. During this time, we crawled over 15 million URLs and downloaded 35,853 executables. Almost half of the spyware samples we found were not recognized by the tool used in previous work. Moreover, a significant fraction of the analyzed programs (more than 80%) was incorrectly classified. This underlines that our measurement results are more comprehensive and precise than those of previous approaches, allowing us to draw a more accurate picture of the spyware threat.

  • USENIX Annual Technical Conference - Dynamic Spyware Analysis
    2007
    Co-Authors: Manuel Egele, Engin Kirda, Christopher Kruegel, Heng Yin, Dawn Song
    Abstract:

    Spyware is a class of malicious code that is surreptitiously installed on victims' machines. Once active, it silently monitors the behavior of users, records their web surfing habits, and steals their passwords. Current anti-spyware tools operate in a way similar to traditional virus scanners. That is, they check unknown programs against signatures associated with known spyware instances. Unfortunately, these techniques cannot identify novel spyware, require frequent updates to signature databases, and are easy to evade by code obfuscation. In this paper, we present a novel dynamic analysis approach that precisely tracks the flow of sensitive information as it is processed by the web browser and any loaded browser helper objects. Using the results of our analysis, we can identify unknown components as spyware and provide comprehensive reports on their behavior. The techniques presented in this paper address limitations of our previous work on spyware detection and significantly improve the quality and richness of our analysis. In particular, our approach allows a human analyst to observe the actual flows of sensitive data in the system. Based on this information, it is possible to precisely determine which sensitive data is accessed and where this data is sent. To demonstrate the effectiveness of the detection and the comprehensiveness of the generated reports, we evaluated our system on a substantial body of spyware and benign samples.

  • Dynamic Spyware Analysis
    USENIX Annual Technical Conference, 2007
    Co-Authors: Manuel Egele, Engin Kirda, Christopher Kruegel, Dawn Song
    Abstract:

    Spyware is a class of malicious code that is surreptitiously installed on victims' machines. Once active, it silently monitors the behavior of users, records their web surfing habits, and steals their passwords. Current anti-spyware tools operate in a way similar to traditional virus scanners. That is, they check unknown programs against signatures associated with known spyware instances. Unfortunately, these techniques cannot identify novel spyware, require frequent updates to signature databases, and are easy to evade by code obfuscation. In this paper, we present a novel dynamic analysis approach that precisely tracks the flow of sensitive information as it is processed by the web browser and any loaded browser helper objects. Using the results of our analysis, we can identify unknown components as spyware and provide comprehensive reports on their behavior. The techniques presented in this paper address limitations of our previous work on spyware detection and significantly improve the quality and richness of our analysis. In particular, our approach allows a human analyst to observe the actual flows of sensitive data in the system. Based on this information, it is possible to precisely determine which sensitive data is accessed and where this data is sent. To demonstrate the effectiveness of the detection and the comprehensiveness of the generated reports, we evaluated our system on a substantial body of spyware and benign samples.

  • USENIX Security Symposium - Behavior-Based Spyware Detection
    2006
    Co-Authors: Engin Kirda, Christopher Kruegel, Greg Banks, Giovanni Vigna, Richard A. Kemmerer
    Abstract:

    Spyware is rapidly becoming a major security issue. Spyware programs are surreptitiously installed on a user's workstation to monitor his/her actions and gather private information about the user's behavior. Current anti-spyware tools operate in a way similar to traditional antivirus tools, where signatures associated with known spyware programs are checked against newly installed applications. Unfortunately, these techniques are very easy to evade by using simple obfuscation transformations. This paper presents a novel technique for spyware detection that is based on the characterization of spyware-like behavior. The technique is tailored to a popular class of spyware applications that use Internet Explorer's Browser Helper Object (BHO) and toolbar interfaces to monitor a user's browsing behavior. Our technique uses a composition of static and dynamic analysis to determine whether the behavior of BHOs and toolbars in response to simulated browser events should be considered malicious. The evaluation of our technique on a representative set of spyware samples shows that it is possible to reliably identify malicious components using an abstract behavioral characterization.

Shambhu Upadhyaya - One of the best experts on this subject based on the ideXlab platform.

  • IPCCC - SpyCon: Emulating User Activities to Detect Evasive Spyware
    2007 IEEE International Performance Computing and Communications Conference, 2007
    Co-Authors: Madhusudhanan Chandrasekaran, S. Vidyaraman, Shambhu Upadhyaya
    Abstract:

    The success of any spyware is determined by its ability to evade detection. Although traditional detection methodologies employing signature- and anomaly-based systems have had reasonable success, a new class of spyware programs has emerged which blends in with user activities to avoid detection. One of the latest anti-spyware technologies consists of a local agent that generates honeytokens of known parameters (e.g., network access requests) and tricks spyware into assuming they are legitimate activity. In this paper, as a first step, we address the deficiencies of static honeytoken generation and present an attack that circumvents such detection techniques. We synthesize the attack by means of data mining algorithms such as association rule mining. Next, we present a randomized honeytoken generation mechanism to address this new class of spyware. Experimental results show that (i) static honeytokens are detected with near 100% accuracy, thereby defeating the state-of-the-art anti-spyware technique, and (ii) the randomized honeytoken generation mechanism is an effective anti-spyware solution.