15th USENIX Security Symposium Abstract
Pp. 273–288 of the Proceedings
Behavior-based Spyware Detection
Engin Kirda and Christopher Kruegel, Technical University Vienna;
Greg Banks, Giovanni Vigna, and Richard A. Kemmerer, University of California, Santa Barbara
Spyware is rapidly becoming a major security issue.
Spyware programs are surreptitiously installed on a
user's workstation to monitor his/her actions and gather
private information about a user's behavior. Current antispyware
tools operate in a way similar to traditional antivirus
tools, where signatures associated with known spyware
programs are checked against newly-installed applications.
Unfortunately, these techniques are very easy
to evade by using simple obfuscation transformations.
This paper presents a novel technique for spyware detection
that is based on the characterization of spyware-like
behavior. The technique is tailored to a popular
class of spyware applications that use Internet Explorer's
Browser Helper Object (BHO) and toolbar interfaces to
monitor a user's browsing behavior. Our technique uses a
composition of static and dynamic analysis to determine
whether the behavior of BHOs and toolbars in response
to simulated browser events should be considered malicious.
The evaluation of our technique on a representative
set of spyware samples shows that it is possible to
reliably identify malicious components using an abstract
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.