A Cryptographic Provenance Verification Approach For Host-Based Malware Detection

We present a malware detection approach by focusing on the characteristic behaviors of human users. We explore the human-malware differences and utilize them to aid the detection of infected hosts. There are two main research challenges in this study: one is how to select characteristic behavior features, and the other is how to prevent malware forgeries. We address both questions in this paper. A cryptographic provenance verification technique is described. Its two applications are demonstrated in keystrokebased bot identification and rootkit traffic detection. Specifically, we first present our design and implementation of a remote authentication framework called TUBA for monitoring a user’s typing patterns and verifying their integrity. We evaluate the robustness of TUBA through comprehensive experimental evaluation including two series of simulated bots. We then demonstrate our provenance verification approach by realizing a lightweight framework for blocking outbound rootkit-based malware traffic.