Proceedings Article

SpySaver: using incentives to address spyware

22 Aug 2008, pp. 37-42
TL;DR: This paper presents SpySaver - a novel anti-spyware approach that reduces the incentive to deploy spyware, and an initial design of a tool that produces realistic counterfeit information about the browsing patterns of Web users.
Abstract: Despite the many solutions proposed by industry and the research community to address spyware, this problem continues to grow. Many of today's anti-spyware approaches are inspired by techniques used against related security problems, such as worms, DoS attacks, computer viruses, and spam. Although these techniques have been retrofitted to address spyware, they remain ineffective because they rely on the compromised host to detect and remove spyware. Once a host is compromised, attackers often find simple ways to escape spyware detection and removal. This paper presents SpySaver - a novel anti-spyware approach that reduces the incentive to deploy spyware. Our approach does not prevent spyware installations, nor does it recover from them. Instead, SpySaver decreases the value of the information spyware collects by creating counterfeit information. Our goal is to generate enough counterfeit information to devalue the information gathered by spyware to the point that we eliminate the incentive to collect it in the first place. In this paper, we present our approach and an initial design of a tool that produces realistic counterfeit information about the browsing patterns of Web users.


Citations
Proceedings Article
22 Sep 2008
TL;DR: This work introduces a more general approach involving localized or customized ID numbers for both card-present and card-not-present transactions and explores four variants of the general idea to spark more discussion and further research in this area.
Abstract: Large-scale data breaches exposing sensitive personal information are becoming commonplace. For numerous reasons, conventional personal (identification) information leaks from databases that store online and/or on-site user transaction data. Collected ID numbers and supporting personal information enable malicious parties to commit large-scale identity fraud. Gates and Slonim (NSPW 2003) proposed the owner-controlled information paradigm to address privacy violations of personal information where users are expected to maintain all their information using a personal device. Rubin and Wright (FC 2001), Molloy et al. (FC 2007), and others explored the use of one-time numbers to address credit card fraud (mostly for online use). However, several other types of ID number are at least as sensitive as credit card numbers. Our fundamental assumption is that collected personal information will eventually be breached. To combat identity fraud under this new environmental attack paradigm, we introduce a more general approach involving localized or customized ID numbers for both card-present and card-not-present transactions. We also explore four variants of the general idea to spark more discussion and further research in this area.

7 citations

01 Jan 2009
TL;DR: A number of techniques to improve the trustworthiness of the web considering the current untrusted environment are proposed, including the use of localized ID numbers that are valid only for a particular relying party.
Abstract: A large number of user PCs are currently infected with different types of malicious software including spyware, keyloggers, and rootkits. In general, any Internet-connected end-host cannot be fully trusted. In addition to this compromised host problem, attacks exploiting usability drawbacks of web services and security tools when used by everyday users, and semantic attacks such as phishing are commonly observed. In the given untrusted environment, traditional threat models which assume trusted end-hosts need to be re-evaluated. We propose a number of techniques to improve the trustworthiness of the web considering the current untrusted environment. To understand what is expected from regular users for performing sensitive online tasks, we review security requirements of six Canadian online banks, and identified an emerging gap between these requirements and usability. Instead of requiring users to follow an extensive list of security best-practices for online banking, we propose the Mobile Password Authentication (MP-Auth) protocol. Using a trusted personal device (e.g., cellphone) in conjunction with a PC, MP-Auth protects a user's long-term login credentials, and offers transaction integrity assuming the user PC is untrustworthy and the user is unaware of phishing attacks. MP-Auth's security largely depends on user-chosen passwords, which are generally weak. To assist users in generating strong but usable passwords, we propose an Object-based Password (ObPwd) scheme which creates text passwords from user-selected objects, e.g., photos or music files. As part of the compromised host problem, we further assume that sensitive identity numbers (e.g., Social Insurance Number) will eventually be breached. To reduce the value of compromised credential information to attackers in such a scenario, we propose the use of localized ID numbers that are valid only for a particular relying party. 
A similar localization approach for banking PINs to prevent exploitation of compromised PINs from intermediate banking switches is also proposed.

6 citations


Cites background from "SpySaver: using incentives to addre..."

  • ...To reduce the value of the collected information by spyware in a PC, SpySaver [228] creates several fake web users on the PC and generates web browsing actions emulating real users with counterfeit information (e....

    [...]

Proceedings Article
25 Dec 2009
TL;DR: A novel spyware detection technique which is based on an abstract characterization of the interests of spyware programs, and monitored two kinds of actions which are general behaviors for spyware, copy-and-paste and transmission, performed by every program.
Abstract: Spyware is a rapidly spreading security issue. Traditional spyware detection can mainly be classified into two categories: signature based detection and behavior based detection. The former is not able to detect unknown spyware and variants of known spyware. The latter fails when spyware attempts to blend in with legitimate behavior. This paper presents a novel spyware detection technique which is based on an abstract characterization of the interests of spyware programs. For sensitive and critical data, we monitor two kinds of actions which are general behaviors for spyware, copy-and-paste and transmission, performed by every program. Then with backward cloud generator we get the interests of every program. If the interests of one program are just the sensitive and critical data, we can tell the program is the spyware program. The experiment verifies the feasibility of our method.

2 citations


Cites methods from "SpySaver: using incentives to addre..."

  • ...[11] presented a tool, SpySaver, which produces realistic counterfeit information about the user’s browsing behaviors....

    [...]

Proceedings Article
Jie Yuan, Chengyu Tan, Yuxi Chen, Yue Xiao, Yichun Gu
01 Dec 2011
TL;DR: This passage takes behaviors and correlation among different behaviors fully into consideration, and employs the Dendritic Cell Algorithm to detect spywares.
Abstract: Spywares' changeable and complex hidden acts and behavior correlation increase the difficulty in detecting. Most of current detection methods put emphasis on the hidden characteristics whereas ignore the other. Dendritic Cell Algorithm can combine a set of input signals deriving from antigens and classify them. In human immune system, the chemokine can stimulate dendritic cells' chemotaxis, guide them to the infected tissue. This passage takes behaviors and correlation among different behaviors fully into consideration, and employs the Dendritic Cell Algorithm to detect spywares. Moreover, it can make the detection more efficient and accurate that applying chemokine simulator which imitates the function that chemokine does on immune system to drive the DCA and referencing concentration of chemokine into output signals to quicken the trend rate of CSM.

1 citation


Cites background from "SpySaver: using incentives to addre..."

  • ...Chemokines control and induce DCs to complete all the steps through acting on different receptor expression profiles of DCs....

    [...]

References
Book Chapter
Cynthia Dwork, Moni Naor
16 Aug 1992
TL;DR: A computational technique for combatting junk mail in particular and controlling access to a shared resource in general is presented, which requires a user to compute a moderately hard, but not intractable, function in order to gain access to the resource, thus preventing frivolous use.
Abstract: We present a computational technique for combatting junk mail in particular and controlling access to a shared resource in general. The main idea is to require a user to compute a moderately hard, but not intractable, function in order to gain access to the resource, thus preventing frivolous use. To this end we suggest several pricing functions, based on, respectively, extracting square roots modulo a prime, the Fiat-Shamir signature scheme, and the Ong-Schnorr-Shamir (cracked) signature scheme.

1,416 citations


"SpySaver: using incentives to addre..." refers background in this paper

  • ...Spyware is also having a significant effect on reliability: a report by the Federal Trade Commission (FTC) mentions that spyware programs are responsible for as much as fifty-percent of all Windows crashes reported to Microsoft [10]....

    [...]

01 Jun 2004
TL;DR: In this article, a certificate profile for proxy certificates based on X.509 public key infrastructure (PKI) certificates is presented for the purpose of providing restricted proxying and delegation within a PKI-based authentication system.
Abstract: This document forms a certificate profile for Proxy Certificates, based on X.509 Public Key Infrastructure (PKI) certificates as defined in RFC 3280, for use in the Internet. The term Proxy Certificate is used to describe a certificate that is derived from, and signed by, a normal X.509 Public Key End Entity Certificate or by another Proxy Certificate for the purpose of providing restricted proxying and delegation within a PKI based authentication system. [STANDARDS-TRACK]

200 citations

Proceedings Article
21 May 2006
TL;DR: The security evaluation shows that Tahoma can prevent or contain 87% of the vulnerabilities that have been identified in the widely used Mozilla browser, and measurements of latency, throughput, and responsiveness demonstrate that users need not sacrifice performance for the benefits of stronger isolation and safety.
Abstract: This paper describes the architecture and implementation of the Tahoma Web browsing system. Key to Tahoma is the browser operating system (BOS), a new trusted software layer on which Web browsers execute. The benefits of this architecture are threefold. First, the BOS runs the client-side component of each Web application (e.g., on-line banking, Web mail) in its own virtual machine. This provides strong isolation between Web services and the user's local resources. Second, Tahoma lets Web publishers limit the scope of their Web applications by specifying which URLs and other resources their browsers are allowed to access. This limits the harm that can be caused by a compromised browser. Third, Tahoma treats Web applications as first-class objects that users explicitly install and manage, giving them explicit knowledge about and control over downloaded content and code. We have implemented a prototype of Tahoma using Linux and the Xen virtual machine monitor. Our security evaluation shows that Tahoma can prevent or contain 87% of the vulnerabilities that have been identified in the widely used Mozilla browser. In addition, our measurements of latency, throughput, and responsiveness demonstrate that users need not sacrifice performance for the benefits of stronger isolation and safety.

168 citations


"SpySaver: using incentives to addre..." refers background in this paper

  • ...Categories and Subject Descriptors D.4.6 [Operating Systems]: Security and Protection Invasive software General Terms Economics, Security Keywords Spyware 1....

    [...]

Proceedings Article
01 Jan 2004
TL;DR: By examining four widespread programs (Gator, Cydoor, SaveNow, and eZula), a detailed analysis of their behavior is presented, from which signatures that can be used to detect their presence on remote computers through passive network monitoring are derived.
Abstract: Over the past few years, a relatively new computing phenomenon has gained momentum: the spread of “spyware.” Though most people are aware of spyware, the research community has spent little effort to understand its nature, how widespread it is, and the risks it presents. This paper is a first attempt to do so. We first discuss background material on spyware, including the various types of spyware programs, their methods of transmission, and their run-time behavior. By examining four widespread programs (Gator, Cydoor, SaveNow, and eZula), we present a detailed analysis of their behavior, from which we derive signatures that can be used to detect their presence on remote computers through passive network monitoring. Using these signatures, we quantify the spread of these programs among hosts within the University of Washington by analyzing a week-long trace of network activity. This trace was gathered from August 26th to September 1st, 2003. From this trace, we show that: (1) these four programs affect approximately 5.1% of active hosts on campus, (2) many computers that contain spyware have more than one spyware program running on them concurrently, and (3) 69% of organizations within the university contain at least one host running spyware. We conclude by discussing security implications of spyware and specific vulnerabilities we found within versions of two of these spyware programs.

115 citations

Proceedings Article
19 Nov 2004
TL;DR: By monitoring and grouping "hooking" operations made to the ASEPs, the Gatekeeper solution complements the traditional signature-based approach and provides a comprehensive framework for spyware management.
Abstract: Spyware is a rapidly spreading problem for PC users causing significant impact on system stability and privacy concerns. It attaches to extensibility points in the system to ensure the spyware will be instantiated when the system starts. Users may willingly install free versions of software containing spyware as an alternative to paying for it. Traditional anti-virus techniques are less effective in this scenario because they lack the context to decide if the spyware should be removed. In this paper, we introduce Auto-Start Extensibility Points (ASEPs) as the key concept for modeling the spyware problem. By monitoring and grouping "hooking" operations made to the ASEPs, our Gatekeeper solution complements the traditional signature-based approach and provides a comprehensive framework for spyware management. We present ASEP hooking statistics for 120 real-world spyware programs. We also describe several techniques for discovering new ASEPs to further enhance the effectiveness of our solution.

95 citations
