WO2014185770A1 - Method and system for detecting keylogger - Google Patents
Method and system for detecting keylogger Download PDFInfo
- Publication number
- WO2014185770A1 WO2014185770A1 PCT/MY2014/000086 MY2014000086W WO2014185770A1 WO 2014185770 A1 WO2014185770 A1 WO 2014185770A1 MY 2014000086 W MY2014000086 W MY 2014000086W WO 2014185770 A1 WO2014185770 A1 WO 2014185770A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- application
- information
- buffer
- record
- duplication
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/83—Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
Definitions
- the invention relates to a method and system for detecting a keylogger.
- Computer safety and security is an issue of concern for many, from businesses that use computers to perform financial transactions, to personal users who send email messages and keep in touch with friends.
- Keyloggers are physical devices or computer programs that record keystrokes, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. These present concerns for computer privacy and the security of digital information as they can capture information without the user's knowledge enabling password and valuable information to be stolen.
- An aim of the invention is to provide a method of detecting a keylogger which requires less CPU resources.
- a method for detecting a keylogger comprising the steps of:
- the further analysis comprising generating a data pattern and sending it to the keyboard buffer address, the record relating thereto being flagged in the application log;
- the processes and files associated with the record containing the duplicated information are checked such that if the data pattern is found therein the associated processes and files are reported as relating to a keylogger.
- the system call requests relating to the keyboard buffer are recorded, wherein if any suspicious behaviour is identified through monitoring the application log for duplication of information, the system inserts bait for a keylogger in the form of a data pattern in the keyboard buffer. If the bait is duplicated by an application which is not related according to the application log, the system confirms that a keylogger has been detected.
- the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID.
- the application log is checked for duplication of information by checking the records for duplication of the buffer address, and if found, checking the records identified for differences in the application process ID, application name and/or application hash value. Typically if differences are found in the application process ID, application name and/or application hash value, the parent process ID is checked to determine if the identified records are from unrelated applications.
- the data pattern is randomly generated. The data pattern acts as unique bait for a keylogger so any duplication thereof can be easily identified.
- a program watcher for hooking a system call request when an application requests to read or write in memory through an operating system
- said program watcher checking the system call request such that if the requested address relates to that of the keyboard buffer, information relating to the system call request is stored as a record in an application log;
- a buffer writer for processing the further analysis, comprising generating a data pattern and sending it to the keyboard buffer address, the record relating thereto being flagged in the application log;
- the processes and files associated with the record containing the duplicated information are checked such that if the data pattern is found therein the buffer writer reports that the associated processes and files relate to a keylogger.
- the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID.
- the data pattern is a randomly generated string of characters or other dummy data.
- the program watcher resides within a kernel level.
- the program verifier and buffer writer are located within a protected area.
- Figure 1 illustrates a schematic view of system for detecting a keylogger according to an embodiment of the invention.
- Figure 2 illustrates an extract from the application log according to the system of Figure 1.
- Figures 3-5 illustrate a schematic view of a method for detecting a keylogger according to an embodiment of the invention.
- the first module is Program Watcher 1 10 which resides in the kernel level 1 1 1.
- the second and third modules are Program Verifier 105 and Buffer Writer 104 respectively which are located in a Protected Area 107 or security filesystem.
- the characters are sent to a keyboard buffer 1 12.
- the hardware layer 1 13 interfaces with the kernel layer 1 1 1 , which connects to the operating system 108.
- the operating system interfaces with applications 102, 103 in the application layer 101.
- Program Watcher 1 10 starts by an application request 201 to read or write in memory through the operating system 108.
- the kernel receives 202 a system call request from the operating system.
- the program watcher 1 10 then hooks 203 the system call request from the application and checks 204 the address of the buffer requested by the application. If the address is found 205 to be within the keyboard buffer 1 12 address, Program Watcher 1 10 inserts 207 information which is related to the system call requested by the application such as parent process ID, process ID, buffer address, application name and application hash as a record inside the Application Log 106. Otherwise the address is ignored 206.
- An example extract from the Application Log is illustrated in Figure 2, wherein the records are shown as rows in a table.
- Program Watcher 1 10 ends after it inserts the related information inside the Application Log 106. It starts again for hooks any application which requests to read and write to the related buffer and write all related information inside the Application Log 106.
- Program Verifier 105 reads 208 data in the Application Log and checks 209 for any duplication of keyboard buffer address. If it finds 210 any duplication address of the buffer in the Application Log 106, it further checks 21 1 for the application process ID (PID), application name and application hash value. If Program Verifier 105 finds 212 different process ID, application name and application hash trying to access the same buffer, it further checks 213 for the parent process ID. If Program Verifier 105 finds 214 different parent process ID trying to access the same buffer, it provides 215 suspected process IDs and hash value to be further analyses by Buffer Writer 104. With additional reference to Figure 5, Buffer Writer 104 generates 216 a random data pattern and sends 217 it to the related keyboard buffer address.
- PID application process ID
- Program Verifier 105 finds 212 different process ID, application name and application hash trying to access the same buffer, it further checks 213 for the parent process ID. If Program Verifier 105 finds 214 different parent process ID trying to access the same buffer, it provides 215 suspected process
- Program Watcher 1 10 then hooks 218 the Buffer Writer 104 process and, recognizing that it is from the Buffer Writer 104, records the keyboard buffer address. If the keylogger application reads the keyboard buffer address (bait), Program Watcher 1 10 hooks the requests and writes 219 all the information such as parent process ID (PPID), process ID (PID), Buffer address (buff addr), application name (app name), application hash (app hash) and sets the flag to 1 inside the Application Log. Buffer Writer 104 verifies 220 every suspected process hash value and flag with a value of 1 in the Application Log. If Buffer Writer 104 finds 221 the related hash value in the Application Log, it retrieves 222 all the parent process ID and process ID.
- PID parent process ID
- PID process ID
- Buffer address buffer address
- application name app name
- app hash application hash
- Buffer Writer 104 then gets 223 all the process ID under the same parent process ID and reads 224 the content of all related files under the same parent process ID. If Buffer Writer 104 finds 225 the data pattern inside the keylogger file, it reports 226 the detected keylogger application to the Operating System.
- a keylogger can be detected with minimal load on system resources, as only the potential risks identified in the application log need to be checked. It will be appreciated by persons skilled in the art that the present invention may also include further additional modifications made to the system which does not affect the overall functioning of the system.
Abstract
A method and system for detecting a keylogger wherein details from the system call requests (201) relating to the keyboard buffer (112) are recorded, and if any suspicious behaviour is identified through monitoring (209) the application log (106) for duplication of information, the system inserts (217) a data pattern as bait into the keyboard buffer such that if the bait is duplicated by an unrelated application, the system confirms (226) that a keylogger has been detected.
Description
METHOD AND SYSTEM FOR DETECTING KEYLOGGER
Field of Invention
The invention relates to a method and system for detecting a keylogger.
Background
Computer safety and security is an issue of concern for many, from businesses that use computers to perform financial transactions, to personal users who send email messages and keep in touch with friends.
Keyloggers are physical devices or computer programs that record keystrokes, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. These present concerns for computer privacy and the security of digital information as they can capture information without the user's knowledge enabling password and valuable information to be stolen.
Traditionally, keyloggers can be detected through system scanning processes. However, such methods tend use lots of CPU power and resources.
An aim of the invention is to provide a method of detecting a keylogger which requires less CPU resources.
Summary of Invention
In an aspect of the invention, there is provided a method for detecting a keylogger comprising the steps of:
hooking a system call request when an application requests to read or write in memory through an operating system;
checking the system call request such that if the requested address relates to that of the keyboard buffer, information relating to the system call request is stored as a record in an application log;
reading the application log and checking for any duplication of the information such that if duplication is found from unrelated applications, the relevant records are sent for further analysis;
the further analysis comprising generating a data pattern and sending it to the keyboard buffer address, the record relating thereto being flagged in the application log;
wherein if information in the flagged record is duplicated, the processes and files associated with the record containing the duplicated information are checked such that if the data pattern is found therein the associated processes and files are reported as relating to a keylogger.
Thus only the system call requests relating to the keyboard buffer are recorded, wherein if any suspicious behaviour is identified through monitoring the application log for duplication of information, the system inserts bait for a keylogger in the form of a data pattern in the keyboard buffer. If the bait is duplicated by an application which is not related according to the application log, the system confirms that a keylogger has been detected.
Advantageously few CPU resources are required as only the records in the application log need to be checked, rather than all system processes.
In one embodiment the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID. In one embodiment the application log is checked for duplication of information by checking the records for duplication of the buffer address, and if found, checking the records identified for differences in the application process ID, application name and/or application hash value. Typically if differences are found in the application process ID, application name and/or application hash value, the parent process ID is checked to determine if the identified records are from unrelated applications.
In one embodiment the data pattern is randomly generated. The data pattern acts as unique bait for a keylogger so any duplication thereof can be easily identified. In a further aspect of the invention, there is provided a system for detecting a keylogger comprising:
a program watcher for hooking a system call request when an application requests to read or write in memory through an operating system;
said program watcher checking the system call request such that if the requested address relates to that of the keyboard buffer, information relating to the system call request is stored as a record in an application log;
a program verifier for reading the application log and checking for any duplication of the information such that if duplication is found from unrelated applications, the relevant records are sent for further analysis; and
a buffer writer for processing the further analysis, comprising generating a data pattern and sending it to the keyboard buffer address, the record relating thereto being flagged in the application log;
wherein if information in the flagged record is duplicated, the processes and files associated with the record containing the duplicated information are checked such that if the data pattern is found therein the buffer writer reports that the associated processes and files relate to a keylogger.
In one embodiment the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID.
In one embodiment the data pattern is a randomly generated string of characters or other dummy data.
In one embodiment the program watcher resides within a kernel level. Typically the program verifier and buffer writer are located within a protected area.
Brief Description of Drawings
It will be convenient to further describe the present invention with respect to the accompanying drawings that illustrate possible arrangements of the invention. Other arrangements of the invention are possible, and consequently the particularity of the accompanying drawings is not to be understood as superseding the generality of the preceding description of the invention.
Figure 1 illustrates a schematic view of system for detecting a keylogger according to an embodiment of the invention.
Figure 2 illustrates an extract from the application log according to the system of Figure 1.
Figures 3-5 illustrate a schematic view of a method for detecting a keylogger according to an embodiment of the invention.
Detailed Description
With reference to Figure 1 , there is illustrated a schematic view of an embodiment of the invention, with three main modules. The first module is Program Watcher 1 10 which resides in the kernel level 1 1 1. The second and third modules are Program Verifier 105 and Buffer Writer 104 respectively which are located in a Protected Area 107 or security filesystem.
When a user types on their keyboard 109, the characters are sent to a keyboard buffer 1 12. The hardware layer 1 13 interfaces with the kernel layer 1 1 1 , which connects to the operating system 108. In turn the operating system interfaces with applications 102, 103 in the application layer 101.
With reference to Figure 3, the process cycle of Program Watcher 1 10 starts by an application request 201 to read or write in memory through the operating system 108. The kernel receives 202 a system call request from the operating system. The program watcher 1 10 then hooks 203 the system call request from the application and checks 204 the address of the buffer requested by the application.
If the address is found 205 to be within the keyboard buffer 1 12 address, Program Watcher 1 10 inserts 207 information which is related to the system call requested by the application such as parent process ID, process ID, buffer address, application name and application hash as a record inside the Application Log 106. Otherwise the address is ignored 206. An example extract from the Application Log is illustrated in Figure 2, wherein the records are shown as rows in a table.
The process cycle of Program Watcher 1 10 ends after it inserts the related information inside the Application Log 106. It starts again for hooks any application which requests to read and write to the related buffer and write all related information inside the Application Log 106.
With reference to Figure 4, Program Verifier 105 reads 208 data in the Application Log and checks 209 for any duplication of keyboard buffer address. If it finds 210 any duplication address of the buffer in the Application Log 106, it further checks 21 1 for the application process ID (PID), application name and application hash value. If Program Verifier 105 finds 212 different process ID, application name and application hash trying to access the same buffer, it further checks 213 for the parent process ID. If Program Verifier 105 finds 214 different parent process ID trying to access the same buffer, it provides 215 suspected process IDs and hash value to be further analyses by Buffer Writer 104.
With additional reference to Figure 5, Buffer Writer 104 generates 216 a random data pattern and sends 217 it to the related keyboard buffer address. Program Watcher 1 10 then hooks 218 the Buffer Writer 104 process and, recognizing that it is from the Buffer Writer 104, records the keyboard buffer address. If the keylogger application reads the keyboard buffer address (bait), Program Watcher 1 10 hooks the requests and writes 219 all the information such as parent process ID (PPID), process ID (PID), Buffer address (buff addr), application name (app name), application hash (app hash) and sets the flag to 1 inside the Application Log. Buffer Writer 104 verifies 220 every suspected process hash value and flag with a value of 1 in the Application Log. If Buffer Writer 104 finds 221 the related hash value in the Application Log, it retrieves 222 all the parent process ID and process ID. Buffer Writer 104 then gets 223 all the process ID under the same parent process ID and reads 224 the content of all related files under the same parent process ID. If Buffer Writer 104 finds 225 the data pattern inside the keylogger file, it reports 226 the detected keylogger application to the Operating System.
Hence a keylogger can be detected with minimal load on system resources, as only the potential risks identified in the application log need to be checked.
It will be appreciated by persons skilled in the art that the present invention may also include further additional modifications made to the system which does not affect the overall functioning of the system.
Claims
1. A method for detecting a keylogger comprising the steps of:
hooking (203) a system call request when an application requests (201) to read or write in memory through an operating system;
checking (204) the system call request such that if the requested address relates to that of the keyboard buffer (1 12), information relating to the system call request is stored as a record in an application log (106);
reading (208) the application log and checking (209) for any duplication of the information such that if duplication is found from unrelated applications, the relevant records are sent for further analysis;
the further analysis comprising generating (216) a data pattern and sending
(217) it to the keyboard buffer address, the record relating thereto being flagged in the application log (106);
wherein if information in the flagged record is duplicated, the processes and files associated with the record containing the duplicated information are checked
(224) such that if the data pattern is found (225) therein the associated processes and files are reported (226) as relating to a keylogger.
A method according to claim 1 wherein the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID.
3. A method according to claim 2 wherein the application log is checked for duplication of information by checking the records for duplication of the buffer address, and if found, checking the records identified for differences in the application process ID, application name and/or application hash value.
4. A method according to claim 3 wherein if differences are found in the application process ID, application name and/or application hash value, the parent process ID is checked to determine if the identified records are from unrelated applications.
5. A method according to claim 1 wherein the data pattern is randomly generated.
6. A system for detecting a keylogger comprising:
a program watcher (1 10) for hooking (203) a system call request when an application requests to read or write in memory through an operating system;
said program watcher checking (204) the system call request such that if the requested address relates to that of the keyboard buffer (1 12), information relating to the system call request is stored as a record in an application log (106);
a program verifier (105) for reading (208) the application log and checking (209) for any duplication of the information such that if duplication is found from unrelated applications, the relevant records are sent for further analysis; and
a buffer writer (104) for processing the further analysis, comprising generating (216) a data pattern and sending (217) it to the keyboard buffer address, the record relating thereto being flagged in the application log (106);
wherein if information in the flagged record is duplicated, the processes and files associated with the record containing the duplicated information are checked (224) such that if the data pattern is found (225) therein the buffer writer reports (226) that the associated processes and files relate to a keylogger.
A system according to claim 6 wherein the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID.
A system according to claim 6 wherein the data pattern is a randomly generated string of characters.
A system according to claim 6 wherein the program watcher resides within a kernel level and the program verifier and buffer writer are located within a protected area.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
MYPI2013001813A MY184389A (en) | 2013-05-17 | 2013-05-17 | Method and system for detecting keylogger |
MYPI2013001813 | 2013-05-17 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014185770A1 true WO2014185770A1 (en) | 2014-11-20 |
Family
ID=50943509
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/MY2014/000086 WO2014185770A1 (en) | 2013-05-17 | 2014-04-29 | Method and system for detecting keylogger |
Country Status (2)
Country | Link |
---|---|
MY (1) | MY184389A (en) |
WO (1) | WO2014185770A1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070169191A1 (en) * | 2006-01-18 | 2007-07-19 | Greene Michael P | Method and system for detecting a keylogger that encrypts data captured on a computer |
WO2009117445A2 (en) * | 2008-03-19 | 2009-09-24 | Websense, Inc. | Method and system for protection against information stealing software |
US20090241173A1 (en) * | 2008-03-19 | 2009-09-24 | Websense, Inc. | Method and system for protection against information stealing software |
US20090271866A1 (en) * | 2008-04-23 | 2009-10-29 | Lloyd Liske | System and Method for Protecting Against Malware Utilizing Key Loggers |
US7823201B1 (en) * | 2006-03-31 | 2010-10-26 | Trend Micro, Inc. | Detection of key logging software |
-
2013
- 2013-05-17 MY MYPI2013001813A patent/MY184389A/en unknown
-
2014
- 2014-04-29 WO PCT/MY2014/000086 patent/WO2014185770A1/en active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070169191A1 (en) * | 2006-01-18 | 2007-07-19 | Greene Michael P | Method and system for detecting a keylogger that encrypts data captured on a computer |
US7823201B1 (en) * | 2006-03-31 | 2010-10-26 | Trend Micro, Inc. | Detection of key logging software |
WO2009117445A2 (en) * | 2008-03-19 | 2009-09-24 | Websense, Inc. | Method and system for protection against information stealing software |
US20090241173A1 (en) * | 2008-03-19 | 2009-09-24 | Websense, Inc. | Method and system for protection against information stealing software |
US20090271866A1 (en) * | 2008-04-23 | 2009-10-29 | Lloyd Liske | System and Method for Protecting Against Malware Utilizing Key Loggers |
Also Published As
Publication number | Publication date |
---|---|
MY184389A (en) | 2021-04-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11252171B2 (en) | Methods and systems for detecting abnormal user activity | |
CN108268354B (en) | Data security monitoring method, background server, terminal and system | |
Feizollah et al. | A review on feature selection in mobile malware detection | |
US10572694B2 (en) | Event-based display information protection system | |
US8621282B1 (en) | Crash data handling | |
US20190073483A1 (en) | Identifying sensitive data writes to data stores | |
US8826452B1 (en) | Protecting computers against data loss involving screen captures | |
US10986103B2 (en) | Signal tokens indicative of malware | |
US9798981B2 (en) | Determining malware based on signal tokens | |
US9516056B2 (en) | Detecting a malware process | |
US9323930B1 (en) | Systems and methods for reporting security vulnerabilities | |
CN101529366A (en) | Identification and visualization of trusted user interface objects | |
US10225249B2 (en) | Preventing unauthorized access to an application server | |
US20100058479A1 (en) | Method and system for combating malware with keystroke logging functionality | |
CN110268406B (en) | Password security | |
JP2010182019A (en) | Abnormality detector and program | |
CN103218561B (en) | Tamper-proof method and device for protecting browser | |
CN102037472A (en) | Software reputation establishment and monitoring system and method | |
TW201939337A (en) | Behavior recognition, data processing method and apparatus | |
US9292691B1 (en) | Systems and methods for protecting users from website security risks using templates | |
US9774627B2 (en) | Detecting memory-scraping malware | |
JP5381542B2 (en) | Unauthorized access detection device, unauthorized access detection program, and unauthorized access detection method | |
Luo et al. | Real-time detection and prevention of android sms permission abuses | |
US20220198013A1 (en) | Detecting suspicious activation of an application in a computer device | |
GB2535579A (en) | Preventing unauthorized access to an application server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14730605 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 14730605 Country of ref document: EP Kind code of ref document: A1 |