Computer Science Technical Reports
CS at VT

User-Behavior Based Detection of Infection Onset

Xu, Kui and Yao, Danfeng(Daphne) and Ma, Qiang and Crowell, Alexander (2010) User-Behavior Based Detection of Infection Onset. Technical Report TR-10-09, Computer Science, Virginia Tech.

Full text available as:
PDF - Requires Adobe Acrobat Reader or other PDF viewer.
paper-dbd.pdf (598118)


A major vector of computer infection is through exploiting software or design flaws in networked applications such as the browser. Malicious code can be fetched and executed on a victim’s machine without the user’s permission, as in drive-by download (DBD) attacks. In this paper, we describe a new tool called DeWare for detecting the onset of infection delivered through vulnerable applications. DeWare explores and enforces causal relationships between computer-related human behaviors and system properties, such as file-system access and process execution. Our tool can be used to provide real time protection of a personal computer, as well as for diagnosing and evaluating untrusted websites for forensic purposes. Besides the concrete DBD detection solution, we also formally define causal relationships between user actions and system events on a host. Identifying and enforcing correct causal relationships have important applications in realizing advanced and secure operating systems. We perform extensive experimental evaluation, including a user study with 21 participants, thousands of legitimate websites (for testing false alarms), as well as 84 malicious websites in the wild. Our results show that DeWare is able to correctly distinguish legitimate download events from unauthorized system events with a low false positive rate (< 1%).

Item Type:Departmental Technical Report
Subjects:Computer Science > Operating Systems
Computer Science > Networking
ID Code:1122
Deposited By:XU, KUI
Deposited On:15 October 2010