KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware

S. Ortolani, C. Giuffrida, B. Crispo

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review


Privacy-breaching malware is an ever-growing class of malicious applications that attempt to steal confidential data and leak them to third parties. One of the most prominent activities to acquire private user information is to eavesdrop and harvest user-issued keystrokes. Despite the serious threat involved, keylogging activities are challenging to detect in the general case. From an operating system perspective, their general behavior is no different than that of legitimate applications used to implement common end-user features like custom shortcut handling and keyboard remapping. As a result, existing detection techniques that attempt to model malware behavior based on system or library calls are largely ineffective. To address these concerns, we introduce a novel detection technique based on fine-grained profiling of memory write patterns. The intuition behind our model lies in data harvesting being a good predictor for sensitive information leakage. To demonstrate the viability of our approach, we have designed and implemented KLIMAX: a Kernel-Level Infrastructure for Memory and eXecution profiling. Our system supports proactive and reactive detection and can be transparently deployed online on a running Windows platform. Experimental results with real-world malware confirm the effectiveness of our approach.
Original languageEnglish
Title of host publicationProceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011)
Publication statusPublished - 2011

Publication series

NameLecture Notes in Computer Science


Dive into the research topics of 'KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware'. Together they form a unique fingerprint.

Cite this