User-Behavior Based Detection of Infection Onset∗

Kui XuDepartment of Computer Science

Virginia Techxmenxk@cs.vt.edu

Danfeng (Daphne) YaoDepartment of Computer Science

Virginia Techdanfeng@cs.vt.edu

Qiang MaDepartment of Computer Science

Rutgers Universityqma@cs.rutgers.edu

Alexander CrowellDepartment of Computer Science

Rutgers Universityacrowell@eden.rutgers.edu

Abstract A major vector of computer infection isthrough exploiting software or design flaws in net-worked applications such as the browser. Maliciouscode can be fetched and executed on a victim’s ma-chine without the user’s permission, as in drive-bydownload (DBD) attacks. In this paper, we describea new tool called DeWare for detecting the onset ofinfection delivered through vulnerable applications.DeWare explores and enforces causal relationships be-tween computer-related human behaviors and systemproperties, such as file-system access and process ex-ecution. Our tool can be used to provide real timeprotection of a personal computer, as well as for diag-nosing and evaluating untrusted websites for forensicpurposes.

Besides the concrete DBD detection solution, wealso formally define causal relationships between useractions and system events on a host. Identifying andenforcing correct causal relationships have importantapplications in realizing advanced and secure oper-ating systems. We perform extensive experimentalevaluation, including a user study with 21 partici-pants, thousands of legitimate websites (for testingfalse alarms), as well as 84 malicious websites in thewild. Our results show that DeWare is able to cor-rectly distinguish legitimate download events fromunauthorized system events with a low false positiverate (< 1%).

Keywords: Malware, drive-by-download, user in-puts, integrity, file system.

∗This work has been supported in part by NSF grant CA-REER CNS-0953638 and CNS-0831186.

1 Introduction

Malicious software (malware) stealthily downloadedfrom the Internet has been the leading infection vec-tor, accounting for 53% of all incidents in 2008 [4].Malware may be delivered stealthily through a net-worked application such as a browser, a peer-to-peerfile sharing client, or a chat application. For example,spyware may be bundled with files shared throughP2P networks. Web browser is the most commonvehicle for a host to contract malware. 10% of thewebsites were found to contain drive-by-download ex-ploits [23]. Drive-by-download (DBD) attacks ex-ploit software or design vulnerabilities in a browseror its external components, and stealthily fetch exe-cutables from remote malware-hosting server withoutthe user permission. Botnets often use DBD as theinitial infection vector, e.g., Torpig [36]. Other net-worked applications besides the browser may be vul-nerable to drive-by-download attacks. For example, aproof-of-concept Quicktime-based drive-by-downloadattack has been demonstrated in Second Life [24].

Conventional signature-based techniques may notbe effective against zero-day exploits or code withsophisticate obfuscation. In comparison, host-baseddetection approaches are much more feasible againstdrive-by download attacks and the onset of infectionin general. In this paper, we demonstrate the fea-sibility and quality of such a host-based monitoringframework. We aim to provide a tool that guardsa personal computer by detecting signs of malwareinfection, specifically at the onset of infection. Oursolution can be used to detect any type of drive-bydownloads, including the browser-based exploits.

We present DeWare – a host-based security tool for

1

detecting the onset of malware infection at real time.Deware is application independent, thus it is capa-ble of performing host-wide monitoring beyond thebrowser. DeWare’s detection is based on observingstealthy download-and-execution pattern, which is abehavior many active malware exhibits at its onset,including the recent Hydraq malware [2]. Specifically,DeWare collects and analyzes file-system events andprocess properties (namely system calls related to filecreation and process creation) in the kernel space.

There are several nontrivial technical challengesthat we address in order to realize our goal. Oneis how to distinguish drive-by downloads from legiti-mate downloads. Our key observation is that legit-imate file creation is mostly triggered by the user.Our solution is to strategically monitor file-systemevents and correlate them with observed user actions.We aim to identify the causal relationship betweensystem events (e.g., file or process creation) and useractivities. We collect information regarding the user’smouse actions at the kernel level. Our knowledgeabout user behaviors may be further refined with ad-ditional application-specific information.

We note that the problem of finding the causal re-lationship between two or more sets of natural eventsis difficult in general [9] – the correlation of two ob-served data sets may not indicate a causal relation-ship between them, as there may be other factors.In the context of operating system, however, systemevents are artificially created in response to user ac-tions and are not natural events. Thus, identifyingcausal relationship between user actions and systemevents on a computer can be achieved, because of theobvious underlying connections between them.

Another technical issue we address is how to ef-ficiently handle the voluminous application-triggeredbenign downloads, which are not directed caused byuser actions. We refer to these downloads as in-directly caused by the user’s action. For example,when a user types www.cnn.com in the address bar,the browser fetches the main page index.html aswell as any objects embedded in that page, includingJavaScript files, images and flashes. It automaticallycreates temporary files without explicit user requests.

Our approach is two-fold: i) to minimize falsealarms due to application-triggered downloads, andii) to prevent malware from hiding its executables inthese temporary storage places. Realizing both goalsare necessary for the integrity of the host. We areable to realize both requirements through two sepa-rate mechanisms as follows. We design a policy-based

monitoring framework that controls applications’ ac-cess to specified folders, accessible area. For example,as a result the browser process cannot create files incertain system directories at run time, but can down-load to temporary folders at will. In addition, to re-alize ii) we design an execution monitor that reportsand halts any new process creation in accessible areas,as that area is typically for storing temporary read-only files (extensively validated by our experiments inSection 5). As a result, malware is unable to start anyexecutables downloaded in the accessible area. Thesemechanisms enable us to largely reduce our scope forfile-system monitoring scope, reduce false alarms, andprovide comprehensive surveillance across the host.

Our contributions We summarize our technicalcontributions as follows.• We give new definitions for direct and indirect

causal relationships among user actions and sys-tem events in the context of host security. Identi-fying and enforcing causal relationships are use-ful in detecting the onset of infection. We pointout the associated technical challenges and us-ability requirements. We believe that the inte-gration of human behaviors can greatly improvethe design and effectiveness of cyber security so-lutions.

• We present our design and implementation ofa tool called DeWare that detects the onset ofinfection including drive-by downloads, throughthe efficient and comprehensive system monitor-ing and data analysis. DeWare is easy to de-ploy. It identifies the infection onset by detect-ing download-and-execute patterns that moststealthy malware exhibits.

• We perform extensive experiments including auser study with 21 participants to evaluate De-Ware’s ability to detect DBD exploits both ina lab setting and 84 malicious websites in thewild; the ability to accurately identify legitimateuser-triggered downloads with low false positives(<1%). In addition, DeWare triggers no falsealarms when being automatically tested on 2000legitimate websites.

One main advantage of our (basic) DeWare designis its application-independence – there is no need tomodify the application, or understand how it works.Our inspection is external to applications and treatsthem as a black box. This feature differentiates oursolution from others (such as download managers ofbrowsers and some academic solutions [17, 29]).

Organization of the paper The rest of the pa-

2

per is organized as follows. We give our definitions forcausal relationships as well as our security model inSection 2. An overview of our design of DeWare is inSection 3. Our DeWare implementation in Windowsoperating system is presented in Section 4. Extensiveexperimental evaluation is described in Section 5. Re-lated work is compared in Section 6, and conclusionsand future work are described in Section 7. Someexperimental results and pseudo-code of our analysisalgorithm are in the Appendix.

2 Definitions For Causal Rela-tionships and Security Mod-els

Intuitively, DeWare detects the onset of infection bydetecting anomalies on a host. Given a system evente, we aim to infer the provenance of the event by con-structing a causal-relationship map that identifies an-other event that directly or indirectly triggers e. Inour model, we broadly define two types of events:user action and system event. User actions includekeyboard inputs and mouse clicks. There are two ap-proaches to observe user events – one is at the kernellevel through the placement of hooks and listeners,and one is at the application level through interfacingwith the application that consumes the user actions.For example, at the kernel level the information re-lated to a user’s mouse click may include coordinatesof the click, ID of the process receiving the inputs.In comparison, semantic information associated withthe user actions has to be obtained at the applica-tion level, such as the URLs of the links that the userclicks on.

System events include any kernel-level transactionssuch as file system events, network events (outboundand incoming), process events. Each user event orsystem event e has a timestamp Te. In this paper,for detecting drive-by download we focus on two sys-tem events, namely file creation and process creation.System events are triggered either by user actions orother system events. We define direct causal rela-tionship and indirect causal relationship as followsand give some examples.

Definition 2.1 Direct causal relationship is betweentwo events e and e′, where Te < Te′ and the event edirectly triggers or causes the event e′.

We refer to the event e as trigger event, and e′ aseffect event. We denote the direct causal relationshipbetween them by e → e′. Trigger event can be either

a user action or a system event. The effect event isusually a system event. A user may react to a systemevent, e.g., the email inbox receives a new message,then the user clicks on the inbox to view it. Thus,the effect event can be a user action as well.

Definition 2.2 Indirect causal relationship is be-tween two events ei and ej (j > i) andTei < Tej , where there exists an event sequenceei, ei+1, ei+2, . . . , ej such that ei → ei+1, ei+1 →ei+2, . . ., and ej−1 → ej.

That is, event ej is indirectly triggered by event ei,which directly triggers ei+1, and ei+1 directly causesei+2, and so on. We denote the indirect causal rela-tionship between events ei and ej by ei ej .

For example, a user’s mouse click may directlycause a browser to send some packets or downloadfiles from remote sites, or directly cause an appli-cation to start (i.e., creating a new process). Foran indirect causal relationship between a mouse clickand a file creation, consider the following scenario.Images embedded in index.html page are automat-ically fetched by the browser. Thus, the user’s clickon index.html indirectly causes the creation of im-age files in the temporary folder. Causal relation-ships should be defined with a specified granularity,as different granularity result in different direct andindirect causal relationships.

Given observed user’s mouse-click events and fileand process creation events, we aim to infer theircausal relationships based on pre-defined rules, and toidentify suspicious system events that cannot be at-tributed to any user action. Our inference approachinvolves the comparison of attributes of events includ-ing timestamps, file types, process IDs, and seman-tic information. In this work, the causal relation-ship among events is inferred or estimated, thus isnot provably-assured. Cryptographic provable prove-nance has been realized in the host-based system se-curity settings to ensure keystroke authenticity andtraffic generation [34].

Our work belongs to a broader category of re-search on human-behavior driven malware detection.We define that the key research problems in human-behavior driven malware detection include i) how toselect humans’ characteristic behavior features, ii)how to prevent malware forgery, and iii) how tomake security solutions nonintrusive and transparentto users. Anti-forgery techniques have been proposedwith the help of tamper-resistant cryptographic hard-ware (namely TPM) [12, 34]. Researchers have in-vestigated keystroke dynamics [35], Internet chat be-

3

haviors [10] for anomaly-detection purposes. For iii)Nonintrusiveness requires any (host-based) securitysolution to produce minimal disruption and annoy-ance to users.

Security solutions that rely on constant user in-teractions (for example, through pop-up windows asin [41]) may distract users and cause usability issues.Besides, feedback supplied by users may not be ac-curate and reliable. Our detection in DeWare col-lects and utilizes the existing human computer inter-actions, in particular user inputs to applications, forsecurity detection. The tool does not require user toperform additional tasks, thus is easy to use.

IRP filtering for file creation

Alert

High Risk?

NoUser InputTimestamp

WithinThreshold?Alert

ExecutionMonitor

AccessibleArea?

ExecutableGets

Running?

Yes

Download Area?

Yes

Yes

No

No

Figure 1: Schematic drawing of the work flow for de-tecting the infection onset on a host based on analyz-ing user-behaviors and file system/process properties.

Security and attack models We assume that thebrowser and its components are not secure and mayhave software vulnerabilities. The operating systemis assumed to be trusted and secure, and thus thekernel-level monitoring of file-system events and userinputs yields trusted information. The integrity offile systems defined in our model refers to the enforce-ment of user-intended or user-authorized file-systemactivities; the detection and prevention of malware-initiated tampering. We assume that malware makespersistent changes to the target host’s file system orattempts to execute its code by creating a new pro-cess, which are commonly observed behaviors at theonset of infection. Similar assumptions were also usedin Strider HoneyMonkeys [40].

We do not consider social engineering attacks inthis paper. For example, a user may be tricked to

click on Web links or links in email messages thatresult in the download of malicious executables. (Re-cent Hydraq malware started with a personalizedspam message with an embedded link to attacker’swebsite [2].)

3 Overview of DeWare DesignThe purpose of DeWare is to detect unauthorizedsystem activities, in particular file and process cre-ations on a host. We consider the system events di-rectly caused by the owner (human user) of the com-puter legitimate. Malware-triggered download andexecution are unauthorized. We realize DeWare byinstrumenting specialized sensors (i.e., componentsmostly at the kernel level for collecting and moni-toring system-event data), and inferring at real-timelegitimate events directly or indirectly caused by thehuman user’s activities. Thus, file creation or processcreation that cannot be attributed to any human ac-tions (namely mouse activities) is likely to be suspi-cious and caused by malware infection. DeWare iscapable of host-wide monitoring that is applicationindependent.

System events that we focus on in this work are thefile creation and process creation – either of the twocharacteristics is often observed at the onset of mal-ware infection. Similar assumption was previouslyused by others as well [17, 40]. We discuss the limita-tions of DeWare against more sophisticated malwarein Section 5.

Although this intuition of DeWare is simple, tech-nical challenges arise due to the fact that many appli-cations such as the browser automatically fetch andcreate files that make persistent changes to the filesystems. Our solution is to enforce fine-grained ac-cess policies on applications to control and confinetheir access to the file systems. A temporary file au-tomatically downloaded by an application is consid-ered legitimate only if it appears in specified area andis not executed. Violations of the policies are likelycaused by malware infection and are reported. Wedescribe it in more details in Section 3.1 and 3.2.

In our detection system, users’ intention is em-bodied by their mouse inputs, information of whichsuch as timestamp, corresponding PIDs, and contentcan be logged at the kernel level or at the applica-tion level. Both approaches have different securityassumptions and yield user-input information withdifferent granularity. There are pros and cons asso-ciated with both methods, which are discussed morein Section 3.3. Given the observed user activities and

4

system events, we correlate the two data streams, ac-cording to rules on their attributes, e.g., empirically-defined time intervals and process IDs. In our secu-rity model (described in Section 2), the user inputsobtained are trustworthy, i.e., they are not forgedby malware. This assumption can be eliminated ifhardware-based attestation (e.g., with trusted plat-form module) is enabled as described in [34].

In our model, the file downloaded by the userthrough specific mouse operations is legitimate.These files are directly caused by user actions, i.e.,direct causal relationship.

The work flow in DeWare is shown in Figure 1.Putting these all together, DeWare includes the fol-lowing components.• A file-system monitor for intercepting file-

creation related system calls;• A click recorder for collecting user behaviors in-

formation;• An execution monitor for inspecting a portion of

file system for illegal process creation.

3.1 File-System Monitor: ConfiningApplication-Triggered Downloads

Application-triggered downloads are indirectly trig-gered by user actions. These downloads are legiti-mate, provided that the application is not comprised,e.g., the application is not infected with virus or par-asitic malware [32]. Because our security model doesnot assume the trustworthiness of applications, it isnecessary to examine all downloads on the host.

However, capturing all file-creation events relatedto all processes generates an overwhelmingly largenumber of records. For example, during a user’s 30-minute browsing period in Internet Explorer, a userindirectly triggers 482 file creations in Temporary In-ternet Files folder and 47 Cookies directory. Files cre-ated in those folders are usually benign.

We design and implement a framework that allowsus to specify policies to limit applications’ access toportion of the file system. The access control frame-work is to reduce white noise due to application trig-gered downloads. We define the accessible area for anapplication in the file systems.

Definition 3.1 Accessible area of an application is aset of pre-defined directories on the file system wherethe application is allowed to create files. The applica-tion is not allowed to create files outside its accessiblearea.

For example, Temporary Internet Files folder is

modifiable by Internet Explorer, whereas system fold-ers are not. The directories to include in the acces-sible area can be learned. For Firefox, we specify 18folders shown in the Appendix. As a result, we signif-icantly reduce the number of directories to monitorfor file creation, and the number of events to record.This approach of defining policies to confine processesis similar to what is used in SELinux. One differenceis that our detection requires real-time data compu-tation, which is beyond the use of rules. Our solutionis also simpler, as it is specific to file-system accessand monitoring.

File-system monitor intercepts system calls relatedto file creations, and probes kernel data structuresto gather process information. Timestamps can beobtained from input logger at runtime to performtemporal correlation. With this file-system monitor,malware is confined to the accessible area. Movingexecutables out of the accessible area is also forbid-den.

Download directly triggered by the user does notneed to follow the same requirements. However, theuser is not allowed to download files anywhere onthe file system, but to a specified downloadable area,which is described in more details in Section 3.5.

With the aforementioned file-system monitor, anattacker may still be able download malware executa-bles to the accessible area of a rogue application, e.g.,to the temp folder via a compromised browser. Thus,file-system monitoring alone is not sufficient for de-tecting drive-by download. We solve the problem bymonitoring execution patterns in these download ar-eas, which is presented in the next section.

3.2 Real-Time Execution Monitoringon Host

Although dormant malware (downloaded but not ex-ecuted) does not pose immediate threat to the host,it may get executed later on. In our experiments withreal-world malware, some malware starts itself after areboot. In DeWare, execution monitor is to preventmalware executables stored at accessible area frombeing run. Execution monitor which gives additionalinspection to areas where access is granted to an ap-plication.

Information of a newly created process that we col-lect includes process ID, image file name, parent pro-cess ID, and timestamp. Once a new process is cre-ated, the execution monitor is notified. It verifiesthat the image file is not in the accessible area of anyapplication.

5

Our security model assumes the operating systemis not compromised, in particular, the kernel is notcompromised, the process information observed iscomplete and trustworthy. Therefore, we do not con-sider the existence of rootkits that hide their presencein the process table. Because we aim to to detect theonset of the infection on an otherwise clean host, thisassumption is valid.

3.3 Intercepting Users’ Input Activi-ties

Obtaining user intention can be realized in three dif-ferent ways: i) directly asking the user (e.g., througha pop-up window) [41], ii) analyzing user’s trans-action history and extracting patterns [25], or iii)recording the events entered through keyboard ormouse devices [34]. Each method has pros and cons.For example, pop-up window may be intrusive touser, but is easy to implement. In DeWare, we optfor the third approach.

There are two levels of user-input monitoring: ker-nel level and application level. Kernel-level input log-ging records user inputs at their origin, as it is to col-lect events triggered by activities on external inputdevices via device drivers. Click recorder interceptsinformation about user inputs – coordinates, times-tamp, and content – by placing listeners or hooks inthe kernel. The inputs go to the current foregroundprocess, whose ID can be identified. Kernel-level in-put logging is application-independent, which makesthe method general.

One can also record user inputs at the application.This approach – referred as application-level inputlogging – requires writing a plug-in specific to theapplication. It also assumes the trustworthiness ofthe extension to ensure the data integrity. The obvi-ous advantage of application-level input logging is theability to semantically interpret certain input events,for example, the URL that a mouse clicks on. ThisURL is application-specific data and cannot be easilyobtained outside the browser. At the kernel level, auser’s mouse click is not associated with this semanticinformation. In our prototype in Windows, we realizeand compare both methods (See also Section 5.2).

3.4 Rule-Based Causal-RelationshipAnalysis

DeWare infers causal relationships between user’smouse clicks and file-creation events based ontemporal-based comparison rules and/or semantic-based comparison rules.

For temporal-based comparison, a legitimate file-creation event is defined as one that takes placewithin a short threshold τ after a valid user-inputevent. Different τ values can significantly affect thefalse positive and false negative rates, which are ex-perimentally evaluated in our user study in Section 5.The two events being compared need to have the sameprocess ID.

The semantics of a mouse click event includes in-formation about the file or URL that the user down-loads or clicks, for example, source URL, file name,type, size, and destination directory. Therefore, insemantic-based comparison these pieces of informa-tion need to match with the file being created, inaddition to the temporal constraint on event times-tamps. We describe how the semantics informationcan be obtained in Section 4.

3.5 Coincidental Download, Piggy-backing Download, and Their De-tection

Our simple temporal-based rule does not provide suf-ficient security protection against infection onset, be-cause of coincidental malware download and piggy-backing malware download defined as follows.

Definition 3.2 We define coincidental download asthe download of malware that coincidentally occursimmediately after a user’s mouse click, more specifi-cally the time interval between the download event andits immediately preceding mouse-click event is withinthreshold τ .

The problem of coincidental download only existswhen logging user’s mouse events at the kernel level,which lacks semantic and contextual information ofthe events. For example, a click on a URL cannot bedistinguished from a click on download-dialogue box.This problem is prevented when using application-level input logging as described in Section 3.3.

Piggyback download defined in [33] is where mal-ware is part of a piece of software downloaded withproper user permission, e.g., spyware bundled withcompression software. (Stamminger et al. describedseveral automated techniques for recognizing spy-ware [33].)

Preventing piggybacking code from being down-loaded is difficult in our model. Thus, our approachis to detect it when the downloaded malware is beingexecuted. The area that execution monitor inspectsneeds to be expanded beyond the accessible areas ofapplications. The execution monitor also inspects thearea at which user-authorized downloads are stored,

6

and seeks confirmation from the user if files in thatarea get executed. We define downloadable area inDefinition 3.3 below.

Definition 3.3 Downloadable area of a user is a setof pre-defined directories on the file system to whichthe user downloads files from the Internet.

If piggybacking download in this area creates newprocesses, the execution monitor prompts the user foradditional approval. Note that the user interactionis only needed for files with download-and-executepatterns; not for each process creation in the system.Thus, the required user interaction is minimal.

As stated in Section 2, we assume that the hostis not infected with malware that is capable of eaves-dropping on user mouse events (and downloads imme-diate after the user clicks the mouse). This assump-tion is valid, as DeWare aims to detect the onset ofinfection on a clean host.

4 Prototype Implementation inWindows

We describe our implementation of DeWare proto-type in Windows XP utilizing some existing kerneldriver and tools for monitoring system events in Win-dows. The prototype is easy to deploy and efficient torun. We describe our realization of file-system mon-itor, execution monitor, click recorder, and causal-relationship analysis respectively.

File-System Monitor Our prototype builds on Min-ispy to intercept file-related system calls. Minispy isan existing kernel driver for Windows that monitorsall system calls involving opening a handle to a fileobject, including file creation. Our file-system moni-tor consists of a kernel-space driver and a user-spacecomponent. File-creation events are collected at thekernel level and reported to the user space for filter-ing.

The kernel-space driver filters all IRP (I/O requestpacket) calls issued by operating system to the lowlevel I/O devices. We specify the program images(running process names) to be monitored, so only theIRP calls issued by those programs are collected. Inour prototype, we focus on the FILE CREATE sys-tem call. Other file-related system calls such asFILE OPEN and FILE OVERWRITE may be recordedas well.

We keep track of targeted processes as well as theirchild processes. We implement the directories ap-peared in both accessible and downloadable areaswith the array data structure for each process. Given

a file-creation event requested by a process, the cor-responding array is searched to check for violations.If file creation outside the permitted areas is found,then the user is alerted. This verification has lowoverhead, because of the small array sizes. In thedownloadable area of user, certain low-risk downloads(e.g., TEXT files) can be safely ignored. High-riskfiles [21] in that area are examined in our causal-relationship analysis.

Execution Monitor Our execution monitor is imple-mented based on PsTools suite, which is an existingcollection of command-line utilities to manage pro-cesses in Windows. The tool leverages the security-monitoring features provided by Windows OS. Win-dows OS (XP and higher) comes with security set-tings for monitoring the local host, among which theAuditPolicy is able to track all the processes. Theexecution monitor records all the process start andexit events, and applies policies to inspect them forviolations. A sample log entry collected is shown asfollows.

A new process has been created:New Process ID: 3444Image File Name: C:\WINDOWS\system32\cmd.exeCreator Process ID: 1396User Name: AdministratorDomain: XMENXK-50C6105ALogon ID: (0x0,0xEB4D)

Click Recorder DeWare implements two indepen-dent mechanisms for collecting mouse clicks: one atkernel level and another within the Firefox browser.The kernel-level logging records user inputs at thekernel level through hooks SetWindowsHookex pro-vided by Windows OS. We also write a Firefox ex-tension (based on tlogger) that is capable of record-ing users’ clicks that correspond to downloading ac-tivities. This extension – assumed to be trusted –provides semantics of user clicks, so one is able tolearn the detailed meaning of what a click is intendedto achieve as shown in Table 1. We note that if auser clicks on buttons within a browser plug-in (e.g.,Adobe Reader) to download, then the extension isunable to record the event. With semantic informa-tion, the inference accuracy can be improved (shownin Section 5). DeWare can securely function withonly the kernel-level click logging.

Causal-Relationship Analysis In our prototype, thecausal-relationship analysis is performed off-line, af-ter data is collected. This implementation can beextended to realize real-time analysis. Our detailedanalysis algorithm in pseudo-code is shown in Fig-

7

Download Scenarios RecordedClicking on a link YesTyping a URL into address bar YesUsing “Save Target As...” button YesDownload initiated by page redirect YesDownload from embedded plugin No

Table 1: User clicks recorded through our Firefoxextension.

ure 6 in the Appendix.Privacy Discussion Our solution does not create

any new privacy vulnerability. DeWare is a stand-alone host-based solution that does not export thecollected data out of the user’s computer. Onlymouse clicks are recorded (user’s keyboard inputs arenot). Collected data is erased after the analysis anddoes not need to be stored for a long term.

Limitations DeWare is capable of detecting a widespectrum of syndromes associated with infection on-set. Our detection assumes that malware eithermakes persistent changes to the disk or creates itsown new process. Thus, DeWare cannot detect theinfection onset where code or dynamic loadable li-brary (DLL) is injected into the memory of a legit-imate process [26, 27, 28]. This type of in-memoryinjection is able to retrieve and store library files justin memory and load them directly. It is stealthy sinceit does not need to touch the hard disk and the mali-cious code can run in the context of the compromisedprocess without the creation of a new process.

5 Experimental EvaluationWe carry out extensive experiments to evaluate theeffectiveness and usability of our solution. We per-form a user study with 21 users to collect real-worlduser download behavior data. We also use DeWareto evaluate a large number of both legitimate andmalware-hosting websites for testing its accuracy.

5.1 User Study21 users participated in our user study – all of themare graduate or undergraduate students from a uni-versity. Each user is asked to surf the web with Fire-fox browser for 30 minutes and download at least 10files of her choice. Firefox 3.0.19 is run on MicrosoftWindows XP Professional Service Pack 3.

In Figure 2, we give the histogram of the observedintervals between a user’s mouse-click event and thecorresponding file-creation event. For this analysis,the two types of events are correlated manually by

0

20

40

60

80

100

120

140

[0,20) [20,40) [40,60) [60,80) [80,100) [100,∞)Num

bers

of <

Use

r Cl

ick,

File

-Cre

atio

n> P

airs

Intervals between mouse clicks and file-creations in milliseconds

Figure 2: Histogram on the interval in millisecondsof the user click events and their corresponding filecreation events.

the authors. User’s click events are recorded at thekernel level through a mouse hook to the input devicedriver, and the timestamps for file-creation events areextracted from the intercepted system calls. The ma-jority of user-triggered download have a short delaywithin 80 milliseconds.

Figure 3: Simulated probability of false negativescaused by piggybacking download vs. allowed thresh-old between user click event and file creation.

Our false negative analysis shown in Figure 3 isbased on simulating coincidental downloads (definedin 3.5). Here, a false negative is where a mal-ware download is mistakenly classified as a legitimatedownload, due to the close proximity in time of thedownload event to an observed user mouse click. Weaim to estimate the likelihood of having coincidentaldownloads.

8

We assume that malware is equally likely to bedownloaded across the time spectrum considered. InFigure 3, X-axis is the threshhold in milliseconds, andY-axis is our simulated false negative rate, which iscomputed as in Equation 1, where n is the numberof users, mi is the number of mouse clicks by useri,Surfing timei is useri’s total computer-use time (30minutes). Given threshold τ and a mouse click attime t, safe time is from t to t+ τ , and is of durationτ . Thus, miτ gives the total safe time for useri.

1n

n∑i=1

miτ

surfing timei(1)

For example, the probability is 0.00154 for athreshold of 10 milliseconds and 0.01524 for 100 mil-liseconds. The likelihood of having false negativesdue to coincidental download is low, and the value in-creases with increasing threshold, which is expected.

The false-positives based on the basic temporalcorrelation (i.e., comparing timestamps of events)are reported in Figure 4. False positives in our userstudy may come from two sources. i) File creationfrom user download in downloadable area of the userthat has a high risk extension, but is not within therequired threshhold, and ii) (legitimate) file creationby the browser that is not in the accessible area dur-ing the user study, we have six such violations, e.g.,\Program Files\NOS\bin\getPlusPlus_Adobe.exe,which result from a single installation of getPlus (adownload manager from NOS) that is piggybackingdownloaded with Adobe Reader.

Figure 4: The averaged false positive rate vs. variousthreshold values based on a total of 25092 file-creationevents including temporary files by the browser.

The results show that the number of false alarmsthat temporal-comparison based DeWare generates inour user study is small compared to the total numberof file creations. A larger threshold leads to a lowerfalse positive rate, but at the same time it also in-creases the likelihood of false negatives as we showearlier. Given our results, we recommend a thresholdwithin 80-100 milliseconds. The false positives arefurther reduced in Section 5.2 with the application-assisted semantic comparison.

False alarm evaluation with legitimate web-sites. Given the pre-defined accessible area (consist-ing of 18 folders, shown in Appendix) of the Firefoxbrowser, we test DeWare with 2000 legitimate web-sites to see if there are any false alarms. A false alarmmay be caused by a website i) downloading files out-side the accessible area, or ii) creating new processesfrom files stored in the accessible area. We evaluatethe top 1000 and bottom 1000 websites according tothe ranking from Alexa.com on August 20th, 2010with Firefox. We give the browser 30 seconds to loada webpage. We have zero false alarm in our exper-iment. The result indicates that our pre-defined ac-cessible area is sufficient in containing the files thatthe browser and common plug-ins create. We demon-strate the feasibility of confining a process’ access tofile system for reducing DeWare’s workload of system-call monitoring. We are able to achieve it without theneed of modifying how browser operates.

5.2 Reducing False Positives With Se-mantic Correlation

For 8 out of the 21 participants, we also collectedapplication-level inputs using the Firefox extensiondescribed in Section 4. It allows us to collects users’mouse-click activities on download-dialogue windows,and obtain semantic information of the user eventsuch as file name, type, size, source URL, timestamp,and destination directory. The timestamp, file name,and directory information are compared with thoseof the file-creation event for causal-relationship anal-ysis. The mouse clicks that do not trigger downloadare ignored and not recorded. Figure 5 shows that thesemantics of user actions helps reduce the false posi-tive rate. The remaining (six) false positives were dueto JavaScript files that came together with a webpagethat a user downloaded.

5.3 Detecting Known DBD Exploitsand Real-World Malicious URLs

We test DeWare against real-world websites withdrive-by download exploits [18, 19]. The ex-

9

Figure 5: Reduced false positives with semantic-based comparison between user’s mouse-click eventsand downloaded files.

periment is carried out on a laptop with 2.26GHz dual-core CPU and 2 GB RAM. The test-ing system is Windows XP Version 5.1 (Build2600.xpsp sp2 rtm.040803-2158: Service Pack 2) in-stalled within VMware 7.0. We use Internet ExplorerVersion 6.0.2900.2180.xpsp sp2 rtm.040803-2158 asthe victim application. We take a snapshot of a cleanversion of the system and then test DeWare with ma-licious websites. We give each URL one minute toload and launch the attack. We revert the system tothe initial clean state before each new test. During atwo-week period, we successfully detected 84 uniquedomains with drive-by download exploits. Observa-tions from the experiment are summarized as follows.

• The malicious websites typically download ex-ecutables and .dll files onto the victim’s host,and then try to get the executables running. Theentire procedure is surreptitious. In some cases,after reboot the browser is automatically loadedand re-directed to pornography websites.

• There are several popular exploit kits, such as“Phoenix exploit kit” and “Eleonore exploitspack”, which are widely used by many mali-cious websites. They target at multiple softwarevulnerabilities including Flash, PDF, Java andbrowser.

• There are websites who track the incoming re-quests. In that case, the first visit triggers theexploit, while during the second visit no exploitis observed or the web server refuses the connec-tion.

• Some exploits attempt to download executables

to directories such as \DocumentsandSettings\Administrator\LocalSettings\Temp\ to avoiddetection, which can be detected by DeWare.

We also produce several known drive-by-downloadexploits in a lab environment shown in the following.DeWare can successfully detect executables down-loaded as a result of a successful exploit.

• Heap Feng Shui attack [30];• HTML Object Memory Corruption Vulnerabil-

ity [13];• Superbuddy exploits through AOL activeX con-

trol [37];• Adobe Flash player remote-code execution [8].• Microsoft Data Access Component API mis-

use [6];• DBD exploiting IE 7 XML library [14].

5.4 Evaluation of Off-the-Shelf Secu-rity Products Against a DBD Ex-ploit.

We evaluate popular commercial anti-virus softwareand Internet security products against the IE 7 XMLHeap Corruption exploit (VU#493881). The resultsare shown in Table 3 in the Appendix.

Our comparison shows that signature-based secu-rity monitoring is not effective in detecting drive-bydownloads, due to the variation in the maliciousexecutables downloaded. For example, 360 Safeguardcannot detect IE 7 exploits with an older version(360v6.0.1) anti-virus driver and a newer definitiondatabase, but can do so vice versa. In our experiment,Trend Micro Internet Security Pro is not effectiveagainst the DBD attack tested. Although ZonealarmPro and Microsoft Security Essentials alert the userthe DBD threats, the malicious executables are stilldownloaded.

6 Related WorkCova, Kruegel, and Vigna proposed a DBD detec-tion solution [3] that abstracted and categorizedcommonly shared features in the Javascripts thatlaunch drive-by-download attacks. They used ma-chine learning techniques to build characteristics ofnormal Javascript code, and then in the detectionphase the system is to identify malicious Javascriptcode. This system is built with the goal of de-tecting zero-day exploits. A DBD-detection solutionwas proposed based on monitoring browser’s inter-module communication patterns [29]. The work uti-lizes the inter-module communications of browser to

10

Solutions Architecture Analysis BrowserModified

Traffic Mon-itored

Security assumption

Obfuscated-JS [15]

Client side Offline No No N/A

SpyProxy [20] Client side& NetworkService

Online No No Secure virtual machine

Inter-Module [29]

Client side Online Yes No Secure browser and OS

DBD-JS [3] Client side Online Yes Yes Secure browserShellcode [7] Client side Online Yes No Secure browserStrider-HM [40]

Client side Offline No Yes Secure virtual machine

BLADE [17] Client side Online Yes Yes Secure OSDeWare Client side Online No No Secure OS

Table 2: Comparison of select drive-by-download solutions.

collect signatures of drive-by-download exploits andperforms online detection of known exploits.

The work that is conceptually close to ours isBLADE [17], which is a host-based drive-by-exploitdetection framework in Windows. BLADE is an ef-fective solution independently developed by Lu etal. for detecting drive-by downloads, in particularunconsented-content execution [17]. The authors per-formed extensive experiments in Windows OS envi-ronments. Although the goal of BLADE is the sameas in ours, our technical approaches differ much, par-ticularly on obtaining user behavior information andhow file system is monitored. DeWare treats applica-tions as a black box – passively monitors the operat-ing system and does not change to how applicationsaccess the existing file systems. BLADE performsredirections on browsers’ I/O requests. Our solutionis designed for general applications, not specific forthe browser; thus we provide monitoring mechanismsin the kernel level all of them external and indepen-dent of the application. DeWare functions well evenwithout the optional semantic comparison that in-volves an application-level component. Our experi-mental evaluation approach is different from what isreported in [17], as we carried out a nontrivial userstudy with 21 participants.

In our work, we also present and take the first stepto formalize the new concepts of causal relationshipsand their important application in the context of se-curing personal computers, which is beyond the spe-cific drive-by download detection problem studied.

We compared related work about DBD detectionwith ours in Table 2. The method used in [3, 15]

is based on feature extraction from malicious codesuch as existence of redirection and obfuscation.Careful preparation and selection of features makethis feature-based detection robust against knownthreats. [20, 40] both utilize virtual machine to loadwebpage, take records and perform post-analysis.This class of behavior-based detection is better atcatching 0-day attack. In [7], string buffers arechecked for executable instructions, which enables thesolution to detect the shellcode before an vulnerabil-ity can be exploited. (Some papers did not specifyabout their security models, thus we infer them inTable 2.)

Egele, Kirda, and Kruegel [6] and Niki [22]gave general introductions to drive-by exploits andmentioned possible detection and mitigation ap-proaches (without concrete implementations), such asemulation-based shellcode analysis technique basedon existing work in [7], and analyzing DNS and webserver relationships.

There exist several system integrity work that maybear superficial similarity to our work. Tripwire [31]is a cryptographic-based solution that aims to detecttampering in files by comparing the cryptographichash values of file systems. Tripwire is not de-signed for detecting illegal file creation, as it doesnot have a classification mechanism for that purpose.Baliga, Iftode, and Chen proposed a rootkit contain-ment strategy Paladin [1] that is based on trackingprocesses’ hierarchical relationships and their corre-sponding file creation, and using policies to restrictprocesses’ privileges to directories and memory ac-cess. The part of our work on controlling the access

11

of processes to file systems has a similar spirit withPaladin. What sets our work apart is that i) we cor-relation user inputs with file system monitoring; andii) we focus on distinguishing authorized and illegalfile creation, whereas Paladin allows arbitrary file cre-ation. It is worth mentioning that in Paladin, virtualmachine monitor (VMM) is used to enforce the in-tegrity of the detection, namely policy tables. VMMcan be applied in our model to relax the assumptionof the trust on the operating system.

Many browser security solutions have been pro-posed, including secure browsers and browser-as-an-OS [11, 39], securing browser extensions [5, 16], andbrowser mashup security [38, 42]. Our work funda-mentally differs from the secure browser line of re-search, as our solution is completely independent ofthe browser without any assumption on its or its com-ponents’ integrity – yielding a more robust detectiontechnique.

7 Conclusions and FutureWork

We describe the importance of inferring the causal re-lationships among the user actions and system eventson a personal computer for security monitoring andforensic purposes. Specifically, the analysis on fileand process creation enables the identification ofthe onset of infection through drive-by download, asdemonstrated in this paper. We described the de-sign, implementation, and use of DeWare for host-based security protection against unauthorized sys-tem events. A main technical challenge of our ap-proach is how to accurately interpreting user inten-tion and to tell apart legitimate user-triggered down-load, malware download, and benign application-triggered download. Our techniques are based ondefining practical policies and the enforcement ofpolicies through data collection and analysis. We per-formed extensive experiments to evaluate the usabil-ity, accuracy, and precision of DeWare, including auser study, tests on thousands of legitimate URLs forevaluating false positives, and tests on known ma-licious URLs. DeWare is effective against drive-bydownload exploits that we evaluated with a low (<1%) false positive rate.

Tracking the origin and provenance of critical sys-tem events by inferring and enforcing the causal re-lationships between them and user actions is a noveland effective approach for managing a secure host.We envision that our approach can be generalized

beyond file and process activities. For example, thecorrelation between user actions and outbound traf-fic can be systematically studied for cyber securitypurposes.

8 AcknowledgmentsThe authors would like to thank the first authorin [17] for sharing the sources for obtaining maliciousURLs.

12

References

[1] A. Baliga, L. Iftode, and X. Chen. Automatedcontainment of rootkits attacks. Computers &Security, 27(7-8):323–334, 2008.

[2] E. Chien. The new generation of targeted at-tacks, 2010. Keynote in Recent Advances in In-trusion Detection (RAID).

[3] M. Cova, C. Kruegel, and G. Vigna. Detec-tion and analysis of drive-by-download attacksand malicious javascript code. In Proceedings of19th International World Wide Web Conference,2010.

[4] M. Cruz. Most abused infection vector, 2008.Trend Micro. http://blog.trendmicro.com/most-abused-infection-vector/.

[5] M. Dhawan and V. Ganapathy. Analyzing infor-mation flow in javascript-based browser exten-sions. In ACSAC, pages 382–391. IEEE Com-puter Society, 2009.

[6] M. Egele, E. Kirda, and C. Kruegel. Mitigat-ing drive-by download attacks: Challenges andopen problems. In Proceedings of the Open Re-search Problems in Network Security(iNetSec),pages 52–62, 2009.

[7] M. Egele, P. Wurzinger, C. Kruegel, andE. Kirda. Defending browsers against drive-bydownloads: Mitigating heap-spraying code injec-tion attacks. In Proceedings of the Sixth Confer-ence on Detection of Intrusions and Malware &Vulnerability Assessment (DIMVA), 2009.

[8] Adebe Flash Player remote code execution.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3456.

[9] D. A. Freedman. Statistical Models and CausalInference: A Dialogue with the Social Sciences.Cambirdge University Press, 2010.

[10] S. Gianvecchio, M. Xie, Z. Wu, and H. Wang.Measurement and classification of humans andbots in internet chat. In Proceedings of USENIXSecurity Symposium, 2008.

[11] C. Grier, S. Tang, and S. T. King. Secure webbrowsing with the OP web browser. In IEEESymposium on Security and Privacy, May 2008.

[12] R. Gummadi, H. Balakrishnan, P. Maniatis, andS. Ratnasamy. Not-a-Bot: Improving serviceavailability in the face of botnet attacks. InProceedings of the 6th USENIX Symposium onNetworked Systems Design and Implementation(NDSI), 2009.

[13] HTML Object Memory Corruption Vulner-ability. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249.

[14] Vulnerability Note VU#493881. US-CERT.http://www.kb.cert.org/vuls/id/493881.

[15] P. Likarish, E. E. Jung, and I. Jo. Obfuscatedmalicious javascript detection using classifica-tion techniques. In Proceedings of 4th Interna-tional Conference on Malicious and UnwantedSoftware, 2009.

[16] M. T. Louw, J. S. Lim, and V. N. Venkatakr-ishnan. Enhancing web browser security againstmalware extensions. Journal in Computer Virol-ogy, 4(3):179–195, 2008.

[17] L. Lu, V. Yegneswaran, P. Porras, and W. Lee.Blade: An attack-agnostic approach for prevent-ing drive-by malware infections. In Proceed-ings of 17th ACM Conference on Computer andCommunications Security, 2010.

[18] www.malwaredomainlist.com.[19] www.malwareurl.com.[20] A. Moshchuk, T. Bragin, and D. Deville.

SpyProxy: Execution-based detection of mali-cious web content. In Proceedings of the 16thUSENIX Security Symposium, 2007.

[21] Microsoft high-risk extensions. http://support.microsoft.com/kb/883260.

[22] A. Niki. Drive-by download attacks: Effects anddetection methods. Master’s thesis, Royal Hol-loway University of London, 2009.

[23] N. Provos, D. McNamee, P. Mavrommatis,K. Wang, and N. Modadugu. The ghost in thebrowser analysis of web-based malware. In Hot-Bots’07: Proceedings of the first conference onFirst Workshop on Hot Topics in Understand-ing Botnets, Berkeley, CA, USA, 2007. USENIXAssociation.

[24] Apple QuickTime 7.3 RTSP Re-sponse Exploit, CVE-2007-6166, http://securityevaluators.com/content/case-studies/sl/.

[25] J. Shirley and D. Evans. The user is not the en-emy: Fighting malware by tracking user inten-tions. In Proceedings of New Security ParadigmsWorkshop (NSPW), pages 22–25, September2008.

[26] skape. Understanding windows shellcode.http://www.nologin.org/Downloads/Papers/win32-shellcode.pdf, 2003.

13

[27] skape. Metasploit’s meterpreter. http://www.nologin.org/Downloads/Papers/meterpreter.pdf, 2004.

[28] skape and J. Turkulainen. Remote library in-jection. http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf,2004.

[29] C. Song, J. Zhuge, X. Han, and Z. Ye. Pre-venting drive-by download via inter-modulecommunication monitoring. In Proceedingsof the 5th ACM Symposium on Information,Computer and Communications Security (ASI-ACCS), 2010.

[30] A. Sotirov. Heap Feng Shui in JavaScript.http://www.phreedom.org/research/heap-feng-shui/.

[31] E. H. Spafford and G. Kim. The design and im-plementation of tripwire: A file system integritychecker. In 2d ACM Conf. on Computer andCommunication Security (CCS), 1994.

[32] A. Srivastava and J. T. Giffin. Automatic discov-ery of parasitic malware. In S. Jha, R. Sommer,and C. Kreibich, editors, RAID, volume 6307 ofLecture Notes in Computer Science, pages 97–117. Springer, 2010.

[33] A. Stamminger, C. Kruegel, G. Vigna, andE. Kirda. Automated spyware collection andanalysis. In P. Samarati, M. Yung, F. Martinelli,and C. A. Ardagna, editors, ISC, volume 5735 ofLecture Notes in Computer Science, pages 202–217. Springer, 2009.

[34] D. Stefan, C. Wu, D. Yao, and G. Xu. Crypto-graphic provenance verification for the integrityof keystrokes and outbound network traffic. InProceedings of the 8th International Conferenceon Applied Cryptography and Network Security(ACNS), June 2010.

[35] D. Stefan and D. Yao. Keystroke-dynamics au-thentication against synthetic forgeries. In Pro-ceedings of the International Conference on Col-laborative Computing: Networking, Applicationsand Worksharing (CollaborateCom), November2010.

[36] B. Stone-Gross, M. Cova, L. Cavallaro,B. Gilbert, M. Szydlowski, R. A. Kemmerer,C. Kruegel, and G. Vigna. Your botnet is mybotnet: analysis of a botnet takeover. In E. Al-Shaer, S. Jha, and A. D. Keromytis, editors,ACM Conference on Computer and Communi-cations Security, pages 635–647. ACM, 2009.

[37] Superbuddy exploits through AOL activeXcontrol. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5820.

[38] H. J. Wang, X. Fan, J. Howell, and C. Jackson.Protection and communication abstractions forweb browsers in MashupOS. In ACM Symposiumon Operating Systems Principle (SOSP), pages1–16. ACM Press, 2007.

[39] H. J. Wang, C. Grier, A. Moshchuk, S. T.King, P. Choudhury, and H. Venter. The multi-principal OS construction of the Gazelle webbrowser. In Proceedings of the 18th Usenix Se-curity Symposium, August 2009.

[40] Y.-M. Wang, D. Beck, X. Jiang, R. Roussev,C. Verbowski, S. Chen, and S. King. Automatedweb patrol with Strider HoneyMonkeys: Findingweb sites that exploit browser vulnerabilities. InProceedings of the Annual Symposium on Net-work and Distributed System Security (NDSS),2006.

[41] H. Xiong, P. Malhotra, D. Stefan, C. Wu, andD. Yao. User-assisted host-based detection ofoutbound malware traffic. In Proceedings ofInternational Conference on Information andCommunications Security (ICICS), December2009.

[42] S. Zarandioon, D. Yao, and V. Ganapathy.OMOS: A framework for secure communicationin mashup applications. In ACSAC’08: Proceed-ings of the 24th Annual Computer Security Ap-plications Conference, pages 355–364, December2008.

A Pseudo-Code of DeWare De-tection Algorithm

B Evaluation of Commercially-Available Security Products

C Accessible Area For FirefoxBrowser

14

Product Driver EngineVersion

Definition Reaction

360 Safeguard v3.0 2008-6-16 No detection360 v6.0.1 2008-6-16 No detection360 v6.0.1 2009-10-27 No detection360 v6.0.2 2009-10-14 Detected heap spray attack, shut-

down iexplorer.exeZonealarm Pro 7.0.483 Anti-spyware engine 5.0.189 Captured .exe trying to access In-

ternet; user clicked “Deny”; but.exe was still downloaded

8.0.400 Anti-spyware engine 5.0.2099.1.008 Anti-spyware engine 9.1.008

Trend Micro In-ternet SecurityPro

v8.952 Pattern version 6.289 No detection

Pattern version 6.587.50 2009-10-29

No detection

Microsoft Secu-rity Essentials

Virus Definition 1.69.825, Spy-ware Definition 1.69.825 2009-11-11

Detected threats; user clicked“Clean the threat”; but .exe fileswere still downloaded

AVG InternetSecurity

v8.5.423 Virus DB 270.14.20 2009-03 Threats detected; page blocked

v9.0.707 Virus DB 270.14.68/2507 2009-11-16

Detected threats; page blocked

McAfee v8.1 Build8.1.175

VirusScan v12.1, 2009-10-28,Personal Firewall v9.1 2009-10-28, Anti-Spam v9.1 2009-10-29

Buffer overflow attack captured

Kaspersky Inter-net Security

v7.0 Database 2007-10-1 Detect suspicious “Data Execu-tion”

Table 3: Comparison of security products’ effectiveness against IE 7 XML DBD attack.

\DocumentsandSettings\dyao\LocalSettings\Temp\\DocumentsandSettings\dyao\ApplicationData\Mozilla\Firefox\Profiles\\DocumentsandSettings\user\LocalSettings\ApplicationData\Mozilla\Firefox\MozillaFirefox\\DocumentsandSettings\user\LocalSettings\ApplicationData\Mozilla\Firefox\Profiles\\ProgramFiles\MozillaFirefox\\DocumentsandSettings\user\ApplicationData\Macromedia\FlashPlayer\\WINDOWS\system32\Macromed\Flash\\DocumentsandSettings\user\ApplicationData\Adobe\FlashPlayer\\DocumentsandSettings\user\ApplicationData\Adobe\Acrobat\\DocumentsandSettings\AllUsers\ApplicationData\Adobe\Reader\\ProgramFiles\CommonFiles\Adobe\\DocumentsandSettings\AllUsers\ApplicationData\Real\\WINDOWS\Tasks\RealUpgradeScheduledTaskS\WINDOWS\Tasks\RealUpgradeLogonTaskS\DocumentsandSettings\user\ApplicationData\Sun\Java\\DocumentsandSettings\user\LocalSettings\ApplicationData\Microsoft\WindowsMedia\\DocumentsandSettings\user\LocalSettings\TemporaryInternetFiles\\DocumentsandSettings\user\Cookies\

15

Require:

File creation events filtered from I/O request packets:

, , ,… …, , … …

Process creation events from system built-in security auditing:

, , ,… …, , … …

Result: alert if safety policy violated

#Define

Threshhold: T

T = latency between user input and corresponding file creation

A set of high-risk file extensions: Hi-risk

Hi-risk = {.bat, .cmd, .exe, .js, … …}

Accessible area: A-area

A-area = {C:\....\Local Settings\Temp,

C:\... \Local Settings\Temporary Internet Files, … …}

Downloadable area: D-area

D-area = {D:\My Documents\Downloads, … …}

for each do

if Path( ) ∈ A-area

OK

end if

if Path( ) ∈ D-area

if Extension( ) ∈ Hi-risk

if Input-Timestamp( ) ≤ T

OK

end if

Generate an alert

end if

OK

end if

Generate an alert

end for

while (true) do

if Path( ) ∈ A-area or Path( ) ∈ D-area

Generate an alert

end if

end while

Figure 6: Detection algorithm in pseudo-code.

16