Unprivileged Black-Box Detection of User-space Keyloggers

S. Ortolani, C. Giuffrida, B. Crispo

Research output: Contribution to JournalArticleAcademicpeer-review

Abstract

Software keyloggers are a fast growing class of invasive software often used to harvest confidential information. One of the main reasons for this rapid growth is the possibility for unprivileged programs running in user space to eavesdrop and record all the keystrokes typed by the users of a system. The ability to run in unprivileged mode facilitates their implementation and distribution, but, at the same time, allows one to understand and model their behavior in detail. Leveraging this characteristic, we propose a new detection technique that simulates carefully crafted keystroke sequences in input and observes the behavior of the keylogger in output to unambiguously identify it among all the running processes. We have prototyped our technique as an unprivileged application, hence matching the same ease of deployment of a keylogger executing in unprivileged mode. We have successfully evaluated the underlying technique against the most common free keyloggers. This confirms the viability of our approach in practical scenarios. We have also devised potential evasion techniques that may be adopted to circumvent our approach and proposed a heuristic to strengthen the effectiveness of our solution against more elaborated attacks. Extensive experimental results confirm that our technique is robust to both false positives and false negatives in realistic settings. © 2004-2012 IEEE.
Original languageEnglish
Pages (from-to)40-52
JournalIEEE Transactions on Dependable and Secure Computing
Early online date10 Sept 2012
DOIs
Publication statusPublished - 2012

Fingerprint

Dive into the research topics of 'Unprivileged Black-Box Detection of User-space Keyloggers'. Together they form a unique fingerprint.

Cite this