DOI: 10.1145/2664243.2664270 (ACSAC conference proceedings, research article)

TroGuard: context-aware protection against web-based socially engineered trojans

Published: 08 December 2014

Abstract

Despite the increasing number of social engineering attacks through web browser applications, detection of socially engineered trojan downloads by enticed victim users remains a challenging endeavor. In this paper, we present TroGuard, a semi-automated web-based trojan detection solution that notifies the user if the application she downloaded behaves differently than what she expected at download time. TroGuard builds on the hypothesis that, in spite of the millions of currently downloadable executables on the Internet, almost all of them provide functionalities from a limited set. Additionally, because each functionality, e.g., text editor, requires particular system resources, it exhibits a unique system-level activity pattern. During an offline process, TroGuard creates a profile dictionary of various functionalities. This profile dictionary is then used to warn the user if she downloads an executable whose observed activity does not match its advertised functionality (extracted through automated analysis of the download website). Our experimental results confirm the above-mentioned premise empirically and show that TroGuard can identify real-world socially engineered trojan download attacks effectively.
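A toy version of the two-phase check the abstract describes, added here as an illustration and not the paper's own code: the offline phase averages constructed per-functionality event counts into a profile dictionary, and the online phase matches a download's observed activity against that dictionary, warning when the best match disagrees with the functionality advertised on the download page or when nothing matches at all. The six event categories, the mean-vector profiles, cosine similarity and the 0.9 threshold are all assumptions, not details from the paper.

```python
from math import sqrt

# Assumed system-level event categories (not from the paper); each trace is a
# vector of event counts in this order.
FEATURES = ("file_read", "file_write", "net_send", "net_recv", "keyboard", "display")

# Constructed training traces: functionality -> observed event-count vectors.
TRAINING = {
    "text editor": [(120, 40, 0, 0, 900, 300), (100, 30, 0, 2, 800, 250)],
    "media player": [(900, 5, 0, 0, 20, 1500), (850, 10, 0, 0, 15, 1400)],
    "download manager": [(50, 600, 200, 2000, 30, 60), (40, 700, 250, 2200, 20, 50)],
}


def build_profile_dictionary(training):
    """Offline phase: one mean activity vector per functionality."""
    profiles = {}
    for name, traces in training.items():
        profiles[name] = tuple(sum(t[i] for t in traces) / len(traces) for i in range(len(FEATURES)))
    return profiles


def cosine(a, b):
    """Cosine similarity; 0.0 when either vector is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def classify(observed, profiles):
    """Online phase: functionality whose profile is closest to the observed activity."""
    return max(profiles, key=lambda name: cosine(observed, profiles[name]))


def check_download(advertised, observed, profiles, min_similarity=0.9):
    """Return (ok, message): warn if the activity matches no profile or the wrong one."""
    best = classify(observed, profiles)
    score = cosine(observed, profiles[best])
    if score < min_similarity:
        return False, f"advertised {advertised!r}; activity matches no known profile ({score:.2f})"
    if best != advertised:
        return False, f"advertised {advertised!r} but behaves like {best!r} ({score:.2f})"
    return True, f"behaviour consistent with {advertised!r} ({score:.2f})"


if __name__ == "__main__":
    profiles = build_profile_dictionary(TRAINING)
    # Constructed case: a download advertised as a text editor whose trace is
    # dominated by network activity, followed by a consistent one.
    print(check_download("text editor", (30, 500, 300, 2100, 10, 40), profiles))
    print(check_download("text editor", (110, 35, 0, 1, 850, 280), profiles))
```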

Published In

ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference, December 2014, 492 pages. ISBN: 9781450330053. DOI: 10.1145/2664243.

Sponsor: ACSA (Applied Computing Security Association). Publisher: Association for Computing Machinery, New York, NY, United States.
Conference

ACSAC '14: Annual Computer Security Applications Conference, December 8-12, 2014, New Orleans, Louisiana, USA. Overall acceptance rate: 104 of 497 submissions (21%).