Conference Paper

Hunting Trojan Horses

DOI: 10.1145/1181309.1181312 Conference: Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability, ASID 2006, San Jose, California, USA, October 21, 2006
Source: DBLP


Abstract

In this report we present HTH (Hunting Trojan Horses), a security framework for detecting Trojan Horses and Backdoors. The framework is composed of two main parts: 1) Harrier – an application security monitor that performs run-time monitoring to dynamically collect execution-related data, and 2) Secpert – a security-specific Expert System based on CLIPS, which analyzes the events collected by Harrier. Our main contributions to the security research are three-fold. First, we identify common malicious behaviors, patterns, and characteristics of Trojan Horses and Backdoors. Second, we develop a security policy that can identify such malicious behavior and open the door for effectively using expert systems to implement complex security policies. Third, we construct a prototype that successfully detects Trojan Horses and Backdoors.

1 Introduction

Computer attacks grew at an alarming rate in 2004 [26] and this rate is expected to rise.

Available from: David Kaeli
  • "Ransomware hijacks users' data, encrypts the data and then demands some amount of money in exchange for the decryption key. Trojan horse types of malicious programs represent a great danger for the security of computer systems and therefore new methods and techniques for easier detection and removal of this type of malware are regularly proposed (see [40], [56]). On the other hand, it is presumed that the most appropriate form of defense against all types of Trojan horse is continual education of end users [36]."
    ABSTRACT: Assumptions and habits regarding computer and Internet use are among the major factors which influence online privacy and security of Internet users. In our study a survey was performed on 312 subjects (college students who are Internet users with IT skills) that investigated how assumptions and habits of Internet users are related to their online security and privacy. The following four factors of online security and privacy related behaviors were revealed in factor analysis: F1 – conscientiousness in the maintenance of the operating system, upgrading of the Internet browser and use of antivirus and antispyware programs; F2 – engagement in risky and careless online activities with lack of concern for personal online privacy; F3 – disbelief that privacy violations and security threats represent possible problems; F4 – lack of fear regarding potential privacy and security threats with no need for change in personal online behavior. Statistically significant correlations were found between some of the discovered factors on the one side, and criteria variables occurrence of malicious code (C1) and data loss on the home computer (C2) on the other. In addition, a regression analysis was performed which revealed that the potentially risky online behaviors of Internet users were associated with the two criteria variables. To properly interpret the results of correlation and regression analyses a conceptual model was developed of the potential causal relationships between the behavior of Internet users and their experiences with online security threats. An additional study was also performed which partly confirmed the conceptual model, as well as the factors of online security and privacy related behaviors.
    Full-text · Article · Dec 2008

  • ABSTRACT: Zero day attacks and hidden Malware pose a grave threat to computer users. To date, widespread security measures such as anti-virus packages and firewalls have proven to be ineffective in guarding against these types of malware. New security measures are essential to secure computer systems, protect digital information, and restore user confidence. Security mechanisms which are able to differentiate regular (normal) behavior from malicious (abnormal) behavior promise new ways to effectively detect, counter and ultimately prevent the execution of zero day attacks and hidden malware. In this thesis we explore the utility of different software semantics for detecting malicious behavior. Our methods significantly improve upon previous work done in the area of Host-based Intrusion Detection Systems (HIDS). We present novel methods which utilize semantics available in different abstraction levels to detect malicious behavior and provide distinct advantages when compared to the current state of the art HIDS. Our first approach, Tracks, is able to differentiate normal from abnormal behavior by extracting high-level semantics (application and operating system semantics) obtained and analyzed during runtime. Tracks is designed to accurately identify and capture Trojan Horses, Backdoors and includes a new security policy engine. We demonstrate the utility of this approach and report on both detection rates and performance impacts. VGuard, our second security mechanism, utilizes the VMM (Virtual Machine Monitor) layer to extract very low-level semantics during runtime. VGuard can overcome some of the limitations of the semantic gap imposed when working at this level of abstraction by employing advanced data mining techniques. When we combine VMM profiling with sophisticated feature-based machine learning algorithms, we are able to accurately identify security intrusions in compute-server appliances, while introducing minimal execution overhead.