WO2014185770A1 - Method and system for detecting keylogger - Google Patents

Method and system for detecting keylogger Download PDF

Info

Publication number
WO2014185770A1
WO2014185770A1 PCT/MY2014/000086 MY2014000086W WO2014185770A1 WO 2014185770 A1 WO2014185770 A1 WO 2014185770A1 MY 2014000086 W MY2014000086 W MY 2014000086W WO 2014185770 A1 WO2014185770 A1 WO 2014185770A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
information
buffer
record
duplication
Prior art date
Application number
PCT/MY2014/000086
Other languages
French (fr)
Inventor
Mohd Faizal Bin MUBARAK
Zaid Bin AHMAD
Mohd Firdaus Bin MOHD RASIDI
Original Assignee
Mimos Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Berhad filed Critical Mimos Berhad
Publication of WO2014185770A1 publication Critical patent/WO2014185770A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/83Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof

Definitions

  • the invention relates to a method and system for detecting a keylogger.
  • Computer safety and security is an issue of concern for many, from businesses that use computers to perform financial transactions, to personal users who send email messages and keep in touch with friends.
  • Keyloggers are physical devices or computer programs that record keystrokes, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. These present concerns for computer privacy and the security of digital information as they can capture information without the user's knowledge enabling password and valuable information to be stolen.
  • An aim of the invention is to provide a method of detecting a keylogger which requires less CPU resources.
  • a method for detecting a keylogger comprising the steps of:
  • the further analysis comprising generating a data pattern and sending it to the keyboard buffer address, the record relating thereto being flagged in the application log;
  • the processes and files associated with the record containing the duplicated information are checked such that if the data pattern is found therein the associated processes and files are reported as relating to a keylogger.
  • the system call requests relating to the keyboard buffer are recorded, wherein if any suspicious behaviour is identified through monitoring the application log for duplication of information, the system inserts bait for a keylogger in the form of a data pattern in the keyboard buffer. If the bait is duplicated by an application which is not related according to the application log, the system confirms that a keylogger has been detected.
  • the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID.
  • the application log is checked for duplication of information by checking the records for duplication of the buffer address, and if found, checking the records identified for differences in the application process ID, application name and/or application hash value. Typically if differences are found in the application process ID, application name and/or application hash value, the parent process ID is checked to determine if the identified records are from unrelated applications.
  • the data pattern is randomly generated. The data pattern acts as unique bait for a keylogger so any duplication thereof can be easily identified.
  • a program watcher for hooking a system call request when an application requests to read or write in memory through an operating system
  • said program watcher checking the system call request such that if the requested address relates to that of the keyboard buffer, information relating to the system call request is stored as a record in an application log;
  • a buffer writer for processing the further analysis, comprising generating a data pattern and sending it to the keyboard buffer address, the record relating thereto being flagged in the application log;
  • the processes and files associated with the record containing the duplicated information are checked such that if the data pattern is found therein the buffer writer reports that the associated processes and files relate to a keylogger.
  • the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID.
  • the data pattern is a randomly generated string of characters or other dummy data.
  • the program watcher resides within a kernel level.
  • the program verifier and buffer writer are located within a protected area.
  • Figure 1 illustrates a schematic view of system for detecting a keylogger according to an embodiment of the invention.
  • Figure 2 illustrates an extract from the application log according to the system of Figure 1.
  • Figures 3-5 illustrate a schematic view of a method for detecting a keylogger according to an embodiment of the invention.
  • the first module is Program Watcher 1 10 which resides in the kernel level 1 1 1.
  • the second and third modules are Program Verifier 105 and Buffer Writer 104 respectively which are located in a Protected Area 107 or security filesystem.
  • the characters are sent to a keyboard buffer 1 12.
  • the hardware layer 1 13 interfaces with the kernel layer 1 1 1 , which connects to the operating system 108.
  • the operating system interfaces with applications 102, 103 in the application layer 101.
  • Program Watcher 1 10 starts by an application request 201 to read or write in memory through the operating system 108.
  • the kernel receives 202 a system call request from the operating system.
  • the program watcher 1 10 then hooks 203 the system call request from the application and checks 204 the address of the buffer requested by the application. If the address is found 205 to be within the keyboard buffer 1 12 address, Program Watcher 1 10 inserts 207 information which is related to the system call requested by the application such as parent process ID, process ID, buffer address, application name and application hash as a record inside the Application Log 106. Otherwise the address is ignored 206.
  • An example extract from the Application Log is illustrated in Figure 2, wherein the records are shown as rows in a table.
  • Program Watcher 1 10 ends after it inserts the related information inside the Application Log 106. It starts again for hooks any application which requests to read and write to the related buffer and write all related information inside the Application Log 106.
  • Program Verifier 105 reads 208 data in the Application Log and checks 209 for any duplication of keyboard buffer address. If it finds 210 any duplication address of the buffer in the Application Log 106, it further checks 21 1 for the application process ID (PID), application name and application hash value. If Program Verifier 105 finds 212 different process ID, application name and application hash trying to access the same buffer, it further checks 213 for the parent process ID. If Program Verifier 105 finds 214 different parent process ID trying to access the same buffer, it provides 215 suspected process IDs and hash value to be further analyses by Buffer Writer 104. With additional reference to Figure 5, Buffer Writer 104 generates 216 a random data pattern and sends 217 it to the related keyboard buffer address.
  • PID application process ID
  • Program Verifier 105 finds 212 different process ID, application name and application hash trying to access the same buffer, it further checks 213 for the parent process ID. If Program Verifier 105 finds 214 different parent process ID trying to access the same buffer, it provides 215 suspected process
  • Program Watcher 1 10 then hooks 218 the Buffer Writer 104 process and, recognizing that it is from the Buffer Writer 104, records the keyboard buffer address. If the keylogger application reads the keyboard buffer address (bait), Program Watcher 1 10 hooks the requests and writes 219 all the information such as parent process ID (PPID), process ID (PID), Buffer address (buff addr), application name (app name), application hash (app hash) and sets the flag to 1 inside the Application Log. Buffer Writer 104 verifies 220 every suspected process hash value and flag with a value of 1 in the Application Log. If Buffer Writer 104 finds 221 the related hash value in the Application Log, it retrieves 222 all the parent process ID and process ID.
  • PID parent process ID
  • PID process ID
  • Buffer address buffer address
  • application name app name
  • app hash application hash
  • Buffer Writer 104 then gets 223 all the process ID under the same parent process ID and reads 224 the content of all related files under the same parent process ID. If Buffer Writer 104 finds 225 the data pattern inside the keylogger file, it reports 226 the detected keylogger application to the Operating System.
  • a keylogger can be detected with minimal load on system resources, as only the potential risks identified in the application log need to be checked. It will be appreciated by persons skilled in the art that the present invention may also include further additional modifications made to the system which does not affect the overall functioning of the system.

Abstract

A method and system for detecting a keylogger wherein details from the system call requests (201) relating to the keyboard buffer (112) are recorded, and if any suspicious behaviour is identified through monitoring (209) the application log (106) for duplication of information, the system inserts (217) a data pattern as bait into the keyboard buffer such that if the bait is duplicated by an unrelated application, the system confirms (226) that a keylogger has been detected.

Description

METHOD AND SYSTEM FOR DETECTING KEYLOGGER
Field of Invention
The invention relates to a method and system for detecting a keylogger.
Background
Computer safety and security is an issue of concern for many, from businesses that use computers to perform financial transactions, to personal users who send email messages and keep in touch with friends.
Keyloggers are physical devices or computer programs that record keystrokes, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. These present concerns for computer privacy and the security of digital information as they can capture information without the user's knowledge enabling password and valuable information to be stolen.
Traditionally, keyloggers can be detected through system scanning processes. However, such methods tend use lots of CPU power and resources. An aim of the invention is to provide a method of detecting a keylogger which requires less CPU resources.
Summary of Invention
In an aspect of the invention, there is provided a method for detecting a keylogger comprising the steps of:
hooking a system call request when an application requests to read or write in memory through an operating system;
checking the system call request such that if the requested address relates to that of the keyboard buffer, information relating to the system call request is stored as a record in an application log;
reading the application log and checking for any duplication of the information such that if duplication is found from unrelated applications, the relevant records are sent for further analysis;
the further analysis comprising generating a data pattern and sending it to the keyboard buffer address, the record relating thereto being flagged in the application log;
wherein if information in the flagged record is duplicated, the processes and files associated with the record containing the duplicated information are checked such that if the data pattern is found therein the associated processes and files are reported as relating to a keylogger. Thus only the system call requests relating to the keyboard buffer are recorded, wherein if any suspicious behaviour is identified through monitoring the application log for duplication of information, the system inserts bait for a keylogger in the form of a data pattern in the keyboard buffer. If the bait is duplicated by an application which is not related according to the application log, the system confirms that a keylogger has been detected.
Advantageously few CPU resources are required as only the records in the application log need to be checked, rather than all system processes.
In one embodiment the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID. In one embodiment the application log is checked for duplication of information by checking the records for duplication of the buffer address, and if found, checking the records identified for differences in the application process ID, application name and/or application hash value. Typically if differences are found in the application process ID, application name and/or application hash value, the parent process ID is checked to determine if the identified records are from unrelated applications. In one embodiment the data pattern is randomly generated. The data pattern acts as unique bait for a keylogger so any duplication thereof can be easily identified. In a further aspect of the invention, there is provided a system for detecting a keylogger comprising:
a program watcher for hooking a system call request when an application requests to read or write in memory through an operating system;
said program watcher checking the system call request such that if the requested address relates to that of the keyboard buffer, information relating to the system call request is stored as a record in an application log;
a program verifier for reading the application log and checking for any duplication of the information such that if duplication is found from unrelated applications, the relevant records are sent for further analysis; and
a buffer writer for processing the further analysis, comprising generating a data pattern and sending it to the keyboard buffer address, the record relating thereto being flagged in the application log;
wherein if information in the flagged record is duplicated, the processes and files associated with the record containing the duplicated information are checked such that if the data pattern is found therein the buffer writer reports that the associated processes and files relate to a keylogger. In one embodiment the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID.
In one embodiment the data pattern is a randomly generated string of characters or other dummy data.
In one embodiment the program watcher resides within a kernel level. Typically the program verifier and buffer writer are located within a protected area.
Brief Description of Drawings
It will be convenient to further describe the present invention with respect to the accompanying drawings that illustrate possible arrangements of the invention. Other arrangements of the invention are possible, and consequently the particularity of the accompanying drawings is not to be understood as superseding the generality of the preceding description of the invention.
Figure 1 illustrates a schematic view of system for detecting a keylogger according to an embodiment of the invention.
Figure 2 illustrates an extract from the application log according to the system of Figure 1. Figures 3-5 illustrate a schematic view of a method for detecting a keylogger according to an embodiment of the invention.
Detailed Description
With reference to Figure 1 , there is illustrated a schematic view of an embodiment of the invention, with three main modules. The first module is Program Watcher 1 10 which resides in the kernel level 1 1 1. The second and third modules are Program Verifier 105 and Buffer Writer 104 respectively which are located in a Protected Area 107 or security filesystem.
When a user types on their keyboard 109, the characters are sent to a keyboard buffer 1 12. The hardware layer 1 13 interfaces with the kernel layer 1 1 1 , which connects to the operating system 108. In turn the operating system interfaces with applications 102, 103 in the application layer 101.
With reference to Figure 3, the process cycle of Program Watcher 1 10 starts by an application request 201 to read or write in memory through the operating system 108. The kernel receives 202 a system call request from the operating system. The program watcher 1 10 then hooks 203 the system call request from the application and checks 204 the address of the buffer requested by the application. If the address is found 205 to be within the keyboard buffer 1 12 address, Program Watcher 1 10 inserts 207 information which is related to the system call requested by the application such as parent process ID, process ID, buffer address, application name and application hash as a record inside the Application Log 106. Otherwise the address is ignored 206. An example extract from the Application Log is illustrated in Figure 2, wherein the records are shown as rows in a table.
The process cycle of Program Watcher 1 10 ends after it inserts the related information inside the Application Log 106. It starts again for hooks any application which requests to read and write to the related buffer and write all related information inside the Application Log 106.
With reference to Figure 4, Program Verifier 105 reads 208 data in the Application Log and checks 209 for any duplication of keyboard buffer address. If it finds 210 any duplication address of the buffer in the Application Log 106, it further checks 21 1 for the application process ID (PID), application name and application hash value. If Program Verifier 105 finds 212 different process ID, application name and application hash trying to access the same buffer, it further checks 213 for the parent process ID. If Program Verifier 105 finds 214 different parent process ID trying to access the same buffer, it provides 215 suspected process IDs and hash value to be further analyses by Buffer Writer 104. With additional reference to Figure 5, Buffer Writer 104 generates 216 a random data pattern and sends 217 it to the related keyboard buffer address. Program Watcher 1 10 then hooks 218 the Buffer Writer 104 process and, recognizing that it is from the Buffer Writer 104, records the keyboard buffer address. If the keylogger application reads the keyboard buffer address (bait), Program Watcher 1 10 hooks the requests and writes 219 all the information such as parent process ID (PPID), process ID (PID), Buffer address (buff addr), application name (app name), application hash (app hash) and sets the flag to 1 inside the Application Log. Buffer Writer 104 verifies 220 every suspected process hash value and flag with a value of 1 in the Application Log. If Buffer Writer 104 finds 221 the related hash value in the Application Log, it retrieves 222 all the parent process ID and process ID. Buffer Writer 104 then gets 223 all the process ID under the same parent process ID and reads 224 the content of all related files under the same parent process ID. If Buffer Writer 104 finds 225 the data pattern inside the keylogger file, it reports 226 the detected keylogger application to the Operating System.
Hence a keylogger can be detected with minimal load on system resources, as only the potential risks identified in the application log need to be checked. It will be appreciated by persons skilled in the art that the present invention may also include further additional modifications made to the system which does not affect the overall functioning of the system.

Claims

1. A method for detecting a keylogger comprising the steps of:
hooking (203) a system call request when an application requests (201) to read or write in memory through an operating system;
checking (204) the system call request such that if the requested address relates to that of the keyboard buffer (1 12), information relating to the system call request is stored as a record in an application log (106);
reading (208) the application log and checking (209) for any duplication of the information such that if duplication is found from unrelated applications, the relevant records are sent for further analysis;
the further analysis comprising generating (216) a data pattern and sending
(217) it to the keyboard buffer address, the record relating thereto being flagged in the application log (106);
wherein if information in the flagged record is duplicated, the processes and files associated with the record containing the duplicated information are checked
(224) such that if the data pattern is found (225) therein the associated processes and files are reported (226) as relating to a keylogger.
A method according to claim 1 wherein the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID.
3. A method according to claim 2 wherein the application log is checked for duplication of information by checking the records for duplication of the buffer address, and if found, checking the records identified for differences in the application process ID, application name and/or application hash value.
4. A method according to claim 3 wherein if differences are found in the application process ID, application name and/or application hash value, the parent process ID is checked to determine if the identified records are from unrelated applications.
5. A method according to claim 1 wherein the data pattern is randomly generated.
6. A system for detecting a keylogger comprising:
a program watcher (1 10) for hooking (203) a system call request when an application requests to read or write in memory through an operating system;
said program watcher checking (204) the system call request such that if the requested address relates to that of the keyboard buffer (1 12), information relating to the system call request is stored as a record in an application log (106);
a program verifier (105) for reading (208) the application log and checking (209) for any duplication of the information such that if duplication is found from unrelated applications, the relevant records are sent for further analysis; and a buffer writer (104) for processing the further analysis, comprising generating (216) a data pattern and sending (217) it to the keyboard buffer address, the record relating thereto being flagged in the application log (106);
wherein if information in the flagged record is duplicated, the processes and files associated with the record containing the duplicated information are checked (224) such that if the data pattern is found (225) therein the buffer writer reports (226) that the associated processes and files relate to a keylogger.
A system according to claim 6 wherein the information is any or any combination of buffer address, application process ID, application name, application hash, and parent process ID.
A system according to claim 6 wherein the data pattern is a randomly generated string of characters.
A system according to claim 6 wherein the program watcher resides within a kernel level and the program verifier and buffer writer are located within a protected area.
PCT/MY2014/000086 2013-05-17 2014-04-29 Method and system for detecting keylogger WO2014185770A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2013001813A MY184389A (en) 2013-05-17 2013-05-17 Method and system for detecting keylogger
MYPI2013001813 2013-05-17

Publications (1)

Publication Number Publication Date
WO2014185770A1 true WO2014185770A1 (en) 2014-11-20

Family

ID=50943509

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2014/000086 WO2014185770A1 (en) 2013-05-17 2014-04-29 Method and system for detecting keylogger

Country Status (2)

Country Link
MY (1) MY184389A (en)
WO (1) WO2014185770A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070169191A1 (en) * 2006-01-18 2007-07-19 Greene Michael P Method and system for detecting a keylogger that encrypts data captured on a computer
WO2009117445A2 (en) * 2008-03-19 2009-09-24 Websense, Inc. Method and system for protection against information stealing software
US20090241173A1 (en) * 2008-03-19 2009-09-24 Websense, Inc. Method and system for protection against information stealing software
US20090271866A1 (en) * 2008-04-23 2009-10-29 Lloyd Liske System and Method for Protecting Against Malware Utilizing Key Loggers
US7823201B1 (en) * 2006-03-31 2010-10-26 Trend Micro, Inc. Detection of key logging software

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070169191A1 (en) * 2006-01-18 2007-07-19 Greene Michael P Method and system for detecting a keylogger that encrypts data captured on a computer
US7823201B1 (en) * 2006-03-31 2010-10-26 Trend Micro, Inc. Detection of key logging software
WO2009117445A2 (en) * 2008-03-19 2009-09-24 Websense, Inc. Method and system for protection against information stealing software
US20090241173A1 (en) * 2008-03-19 2009-09-24 Websense, Inc. Method and system for protection against information stealing software
US20090271866A1 (en) * 2008-04-23 2009-10-29 Lloyd Liske System and Method for Protecting Against Malware Utilizing Key Loggers

Also Published As

Publication number Publication date
MY184389A (en) 2021-04-01

Similar Documents

Publication Publication Date Title
US11252171B2 (en) Methods and systems for detecting abnormal user activity
CN108268354B (en) Data security monitoring method, background server, terminal and system
Feizollah et al. A review on feature selection in mobile malware detection
US10572694B2 (en) Event-based display information protection system
US8621282B1 (en) Crash data handling
US20190073483A1 (en) Identifying sensitive data writes to data stores
US8826452B1 (en) Protecting computers against data loss involving screen captures
US10986103B2 (en) Signal tokens indicative of malware
US9798981B2 (en) Determining malware based on signal tokens
US9516056B2 (en) Detecting a malware process
US9323930B1 (en) Systems and methods for reporting security vulnerabilities
CN101529366A (en) Identification and visualization of trusted user interface objects
US10225249B2 (en) Preventing unauthorized access to an application server
US20100058479A1 (en) Method and system for combating malware with keystroke logging functionality
CN110268406B (en) Password security
JP2010182019A (en) Abnormality detector and program
CN103218561B (en) Tamper-proof method and device for protecting browser
CN102037472A (en) Software reputation establishment and monitoring system and method
TW201939337A (en) Behavior recognition, data processing method and apparatus
US9292691B1 (en) Systems and methods for protecting users from website security risks using templates
US9774627B2 (en) Detecting memory-scraping malware
JP5381542B2 (en) Unauthorized access detection device, unauthorized access detection program, and unauthorized access detection method
Luo et al. Real-time detection and prevention of android sms permission abuses
US20220198013A1 (en) Detecting suspicious activation of an application in a computer device
GB2535579A (en) Preventing unauthorized access to an application server

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14730605

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14730605

Country of ref document: EP

Kind code of ref document: A1