Home

BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection

Brian M. Bowen; Pratap Prabhu; Vasileios Kemerlis; Stelios Sidiroglou; Angelos D. Keromytis; Salvatore Stolfo

Title:
BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection
Author(s):
Bowen, Brian M.
Prabhu, Pratap
Kemerlis, Vasileios
Sidiroglou, Stelios
Keromytis, Angelos D.
Stolfo, Salvatore
Date:
Type:
Articles
Department:
Computer Science
Permanent URL:
Part Number:
6307
Book/Journal Title:
Recent Advances in Intrusion Detection: 13th International Symposium, RAID 2010, Ottawa, Ontario, Canada, September 15-17, 2010: Proceedings
Book Author:
Jha, Somesh
Publisher:
Springer
Publisher Location:
New York
Abstract:
We introduce BotSwindler, a bait injection system designed to delude and detect crimeware by forcing it to reveal during the exploitation of monitored information. The implementation of BotSwindler relies upon an out-of-host software agent that drives user-like interactions in a virtual machine, seeking to convince malware residing within the guest OS that it has captured legitimate credentials. To aid in the accuracy and realism of the simulations, we propose a low overhead approach, called virtual machine verification, for verifying whether the guest OS is in one of a predefined set of states. We present results from experiments with real credential-collecting malware that demonstrate the injection of monitored financial bait for detecting compromises. Additionally, using a computational analysis and a user study, we illustrate the believability of the simulations and we demonstrate that they are sufficiently human-like. Finally, we provide results from performance measurements to show our approach does not impose a performance burden.
Subject(s):
Computer science
Publisher DOI:
http://dx.doi.org/10.1007/978-3-642-15512-3_7
Item views:
252
Metadata:
text | xml

In Partnership with the Center for Digital Research and Scholarship at Columbia University Libraries/Information Services | Terms of Use