Department of Computer Science

University of California, Santa Barbara

Abstract

Behavior-based Spyware Detection

by: Greg Banks, Giovanni Vigna, and Richard A. Kemmerer

Abstract:

Spyware is rapidly becoming a major security issue. Spyware programs are surreptitiously installed on a user's workstation to monitor his/her actions and gather private information about a user's behavior. Current anti-spyware tools operate in a way similar to traditional anti-virus tools, where signatures associated with known spyware programs are checked against newly-installed applications. Unfortunately, these techniques are very easy to evade by using simple obfuscation transformations.

This paper presents a novel technique for spyware detection that is based on the characterization of spyware-like behavior. The technique is tailored to a popular class of spyware applications that use Internet Explorer's Browser Helper Object (BHO) and toolbar interfaces to monitor a user's browsing behavior. Our technique uses a composition of static and dynamic analysis to determine whether the behavior of BHOs and toolbars in response to simulated browser events is to be considered malicious. The evaluation of our technique on a representative set of spyware samples shows that it is possible to reliably identify malicious components using an abstract behavioral characterization.

Keywords:

spyware, malware detection, static analysis, dynamic analysis.

Date:

February 2006

Document: 2006-03

Updated 14-Nov-2005