Title :
Siren: catching evasive malware
Author :
Borders, Kevin ; Zhao, Xin ; Prakash, Atul
Author_Institution :
Dept. of Electr. Eng. & Comput. Sci., Michigan Univ., Ann Arbor, MI
Abstract :
With the growing popularity of anomaly detection systems, which is due partly to the rise in zero-day attacks, a new class of threats have evolved where the attacker mimics legitimate activity to blend in and avoid detection. We propose a new system called Siren that injects crafted human input alongside legitimate user activity to thwart these mimicry attacks. The crafted input is specially designed to trigger a known sequence of network requests, which Siren compares to the actual traffic. It then flags unexpected messages as malicious. Using this method, we were able to detect ten spyware programs that we tested, many of which attempt to blend in with user activity. This paper presents the design, implementation, and evaluation of the Siren activity injection system, as well as a discussion of its potential limitations
Keywords :
security of data; Siren activity injection system; anomaly detection systems; evasive malware; mimicry attacks; spyware programs; zero-day attacks; Collaborative software; Computer hacking; Delay; Humans; Information security; Internet; Intrusion detection; Telecommunication traffic; Testing; Virtual machining;
Conference_Titel :
Security and Privacy, 2006 IEEE Symposium on
Conference_Location :
Berkeley/Oakland, CA
Print_ISBN :
0-7695-2574-1
