Portal de Periódicos da CAPES

SpyCon: Emulating User Activities to Detect Evasive Spyware

2007; Institute of Electrical and Electronics Engineers; Linguagem: Inglês

10.1109/pccc.2007.358933

2374-9628

M. Chandrasekaran, S. Vidyaraman, Shambhu Upadhyaya,

Network Security and Intrusion Detection

The success of any spyware is determined by its ability to evade detection. Although traditional detection methodologies employing signature and anomaly based systems have had reasonable success, new class of spyware programs emerge which blend in with user activities to avoid detection. One of the latest anti-spyware technologies consists of a local agent that generates honeytokens of known parameters (e.g., network access requests) and tricks spyware into assuming it to be legitimate activity. In this paper, as a first step, we address the deficiencies of static honeytoken generation and present an attack that circumvents such detection techniques. We synthesize the attack by means of data mining algorithms like associative rule mining. Next, we present a randomized honeytoken generation mechanism to address this new class of spyware. Experimental results show that (i) static honeytokens are detected with near 100% accuracy, thereby defeating the state-of-the-art anti-spyware technique, (ii) randomized honeytoken generation mechanism is an effective anti-spyware solution.