Keylogger Detection Using a Decoy Keyboard Seth Simms, Margot Maxwell, Sara Johnson, Julian Rrushi

Summary

Background

To perform effectively, commercial anti-malware systems rely on having previously encountered and analyzed known malware. These methods are insufficient at capturing:
• zero-day or zero-knowledge malware (for which the system has no prior experience)
• malware that has the ability to modify or interfere with the computer system’s tracking software
The defensive cyber deception approach in this research utilizes a decoy keyboard to receive contact from keylogger malware in a way that leads to unequivocal detection. This is advantageous in that the decoy keyboard:
• is effectively invisible to the user and cannot interfere with their activities
• appears as a standard USB keyboard in the Windows device tree and is thus indistinguishable to malware from a real keyboard
• misdirects malware into intercepting artificial keystrokes, thus proactively protecting the user
• does not rely on previous encounters with the malware to perform effectively

Approach

Our approach operates through the use of a decoy keyboard and consists of a pair of drivers (a driver is a piece of software that lets I/O devices, such as keyboards and mice, communicate with a computer):
• a low-level driver to emulate keystrokes (based on a statistical model of the typing profiles of real users)
• a kernel filter driver to enable the decoy keyboard to shadow the physical keyboard (i.e. only a single keyboard appears on the device tree at all times)
The kernel filter driver allows the decoy keyboard to run only during time windows of user inactivity. Malware is detected when data leaked by the decoy keyboard is used to access resources on the compromised machine. We tested our approach against live malware samples that we obtained from public repositories. Results demonstrate that the decoy keyboard is able to detect zero-day malware and can co-exist with a real keyboard on a computer in production without causing any disruptions to the user’s work.
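As an added illustration of the detection rule stated above (not the authors' code), the following Python scans a constructed authentication log for any use of a credential that only the decoy keyboard ever types; the log format, the decoy values and the addresses are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed canary values the decoy keyboard "types" during idle windows.
# Nobody legitimately uses them, so any later use is evidence that a
# keylogger captured them (placeholders, not real accounts).
DECOY_SECRETS = {
    "username": "j.decoy.account",
    "password": "Hx7!canary-2017",
}

# Constructed sample auth-log lines in a made-up format (not Windows event text).
SAMPLE_LOG = """\
2017-05-01T02:11:04Z auth login user=alice src=10.0.0.12 result=ok
2017-05-01T02:14:30Z auth login user=j.decoy.account src=203.0.113.77 result=fail
2017-05-01T02:14:31Z auth login user=j.decoy.account src=203.0.113.77 result=fail
2017-05-01T03:02:17Z auth login user=bob src=10.0.0.15 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

@dataclass
class Alert:
    ts: str
    user: str
    src: str

def find_decoy_use(log_text, decoy_user=DECOY_SECRETS["username"]):
    """Return one Alert per login attempt that presents the decoy username.
    The outcome is irrelevant: a failed login with the decoy name is still a hit,
    because the name could only have come from the decoy keystrokes."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login record; ignore
        if m.group("user") == decoy_user:
            alerts.append(Alert(m.group("ts"), m.group("user"), m.group("src")))
    return alerts

def sources_using_decoy(log_text):
    """Distinct source addresses that presented the decoy credential."""
    return sorted({a.src for a in find_decoy_use(log_text)})
```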

Publication

Our paper, “Keylogger Detection using a Decoy Keyboard”, has been accepted to DBSec2017. DBSec is an international conference that occurs annually, covering research in data and applications security and privacy. It will be published by Springer in the Lecture Notes in Computer Science series.

Related Works

Existing deception and decoy tactics include the use of honeypots and honeyfiles, decoy machines and files designed to entice and trap attackers. However, machines that employ these tactics are not operational to users. There has been substantial research into the use of keystroke dynamics, as well. However, the focus of the majority of this research is on user authentication instead of keystroke generation. A full exploration of related works, including citations, is available in the paper.

Models & Implementation Methods

Human Keystroke Dynamics

[Figure 1. Digraph histogram: distribution of timing data for a single digraph. Axes: Time (ms) against Frequency.]

To simulate the keystrokes of an authentic (human) user, we constructed a model that emulates the approximate speed and rhythm of a person’s keystroke pattern. We chose a model that uses digraphs (the timing between two consecutive keypresses) based on actual users to generate artificial output. Digraphs simply, but accurately, summarize keystroke data while minimizing computational overhead. The model itself consists of the mean time in milliseconds and the sample standard deviation for each possible key combination (Figure 1). The decoy driver generates a random delay between fake keypresses to better emulate a real person’s typing pattern (refer to Figure 2 for a visual comparison of three users’ keystroke digraph timings).

Low-Level Deception Keyboard (DK) Driver

On startup, the client processes the model and initializes a normal distribution function for each digraph using the mean and standard deviation in combination with a cryptographically secure random number generator. Keystrokes are sent by the driver one at a time; each key event is an individual action. Arbitrary text/keycodes are taken as input and then processed by the client, and for each pair of keys encountered, the appropriate distribution is used to randomly generate a time value that falls within the range as defined by the model. That value is used as the delay between sending the two key events. The decoy keyboard (DK) driver is shown in the driver stack diagram of Figure 3.
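An added example, not the DK driver's code: a Python sketch of the sampling step just described, with a constructed digraph table (mean and sample standard deviation in ms per key pair), a normal sample drawn from Python's CSPRNG (`secrets`) via Box-Muller, and clamping to a band around the mean as the stand-in for "the range as defined by the model"; the table values, the fallback pair and the two-sigma band are assumptions.

```python
import math
import secrets

# Constructed digraph model: (first key, second key) -> (mean ms, sample std dev ms).
# Stands in for a real user's timing profile; the numbers are made up.
DIGRAPH_MODEL = {
    ("t", "h"): (95.0, 18.0),
    ("h", "e"): (110.0, 22.0),
    ("e", " "): (140.0, 35.0),
    (" ", "c"): (160.0, 40.0),
    ("c", "a"): (105.0, 20.0),
    ("a", "t"): (98.0, 19.0),
}
DEFAULT_MEAN_SD = (150.0, 40.0)  # assumed fallback for pairs absent from the model
CLAMP_SIGMAS = 2.0               # assumed band: keep samples within +/- 2 sd of the mean

def secure_gauss(mean, sd):
    """Normal sample built from a CSPRNG (secrets) with the Box-Muller transform."""
    u1 = (secrets.randbits(53) + 1) / (2 ** 53 + 1)  # uniform in (0, 1), never 0
    u2 = secrets.randbits(53) / 2 ** 53               # uniform in [0, 1)
    z = math.sqrt(-2.0 * math.log(u1)) * math.cos(2.0 * math.pi * u2)
    return mean + sd * z

def digraph_delay(prev_key, key, model=DIGRAPH_MODEL):
    """Delay in ms before sending `key` after `prev_key`, clamped to the model's band."""
    mean, sd = model.get((prev_key, key), DEFAULT_MEAN_SD)
    lo = max(0.0, mean - CLAMP_SIGMAS * sd)
    hi = mean + CLAMP_SIGMAS * sd
    return min(hi, max(lo, secure_gauss(mean, sd)))

def schedule_keystrokes(text, model=DIGRAPH_MODEL):
    """Return [(key, delay_ms_before_key)]: the first key goes out immediately,
    every later key after a delay drawn from its digraph's distribution."""
    events = []
    prev = None
    for key in text:
        delay = 0.0 if prev is None else digraph_delay(prev, key, model)
        events.append((key, delay))
        prev = key
    return events
```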

Keyboard Shadowing Mechanism

To maintain invisibility to the user and avoid suspicion from perceptive malware, the decoy keyboard is required to operate only when the user is not typing on the real keyboard. The kshadow mechanism:
• detects the time windows during which the user is not typing any keys on the real keyboard
• signals the decoy keyboard driver when a time window of inactivity begins, and again when it ends
When a time window opens, the decoy driver starts typing; when the window closes, the decoy driver stops typing and goes to sleep. Only one keyboard is discoverable at any time on the computer, with characteristics that match those of the physical keyboard. In this way, the decoy keyboard driver is prevented from interfering with the use of the computer by a normal user. This dynamic is visually described in Figure 3.
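The inactivity-window logic above as an added simulation in Python (not kshadow's kernel code): real key events and a periodic timer drive a small state machine that emits the start and stop signals for the decoy driver; the idle threshold, tick period and timeline are constructed, and the simulation assumes decoy keystrokes have already been excluded from the real-key stream.

```python
class KeyboardShadow:
    """Tracks real-keyboard activity and signals the decoy driver (simulation)."""

    def __init__(self, idle_ms):
        self.idle_ms = idle_ms        # assumed: how long the user must be idle
        self.last_real_key = 0        # assumed: treat time 0 (boot) as last activity
        self.decoy_active = False
        self.signals = []             # (time_ms, "start" | "stop") sent to the decoy

    def real_key(self, t_ms):
        # The user pressed a key: close any open decoy window immediately,
        # then record the activity so the idle clock restarts.
        if self.decoy_active:
            self.decoy_active = False
            self.signals.append((t_ms, "stop"))
        self.last_real_key = t_ms

    def tick(self, now_ms):
        # Periodic timer: open a decoy window once the user has been idle long enough.
        if not self.decoy_active and now_ms - self.last_real_key >= self.idle_ms:
            self.decoy_active = True
            self.signals.append((now_ms, "start"))


def replay(real_keys_ms, tick_ms, end_ms, idle_ms):
    """Drive the shadow over a constructed timeline of real key timestamps (ms)
    merged with timer ticks; returns the emitted start/stop signals in order."""
    shadow = KeyboardShadow(idle_ms)
    keys = sorted(real_keys_ms)
    ki = 0
    t = 0
    while t <= end_ms:
        while ki < len(keys) and keys[ki] <= t:
            shadow.real_key(keys[ki])
            ki += 1
        shadow.tick(t)
        t += tick_ms
    return shadow.signals
```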

[Figure 2. Comparing the digraph model of three users: digraph timings in ms (0 to 250) plotted per key-code pair.]

Figure 3. Integration of keyboard shadowing with the driver stack of an HID keyboard. Labels as drawn, top to bottom:
I/O Manager
FDO, DrvObj: kbdclass.sys (keyboard class driver)
FiDO, DrvObj: kshadow.sys (kshadow)
FDO, DrvObj: kbdhid.sys (keyboard HID client mapper driver)
DK driver
PDO, DrvObj: hidclass.sys (HID class driver)
HID Transport
Hardware

Testing & Results

To test the effectiveness of this approach, the driver package was installed and run on a 64-bit computer running the Windows 10 operating system. The testing conditions involved the evaluation of:
• the ability of the decoy keyboard to co-exist with a real keyboard
• the effectiveness of the driver when subjected to 50 malware samples
• the level of interference with extended and varying user activity
The computer’s screen saver and power saving mode appeared to be affected by the operation of the decoy keyboard, and slight delays when switching between the user’s keyboard and the decoy keyboard were also noted. There were no other observable anomalies. The decoy keyboard proved effective against all malware samples that intercepted and logged the decoy driver’s artificial keystrokes.
