JISE




Journal of Information Science and Engineering, Vol. 33 No. 2, pp. 445-461


An Online Approach for Kernel-level Keylogger Detection and Defense


DONGHAI TIAN1,2, XIAOQI JIA2,3, JUNHUA CHEN4,+ AND CHANGZHEN HU1
1 Beijing Key Laboratory of Software Security Engineering Technique, Beijing Institute of Technology, Beijing, 100081 China
2 Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093 China
3 University of Chinese Academy of Sciences, Beijing, 100049 China
4 Key Laboratory of IOT Application Technology of Universities in Yunnan Province, Yunnan Minzu University, Kunming, 650500 China
E-mail: chenjunhuabj@163.com


    Keyloggers have been studied for many years, but they still pose a severe threat to information security. A keylogger can record highly sensitive information and then transfer it to a remote attacker. Previous solutions suffer from several limitations: (1) most methods focus on detecting user-level keyloggers; (2) some methods require modifying the OS kernel; (3) most methods can be bypassed once the OS kernel is compromised. In this paper, we present LAKEED, an online defense against kernel-level keyloggers that utilizes hardware-assisted virtualization. Our system is compatible with commodity operating systems and protects the running OS transparently. The basic idea of our approach is to isolate the target kernel extension that may contain the keylogger from the keyboard drivers' execution environment and then monitor their potential interactions. By comparing the runtime information with an execution baseline obtained by offline analysis, the keylogger can be identified. The evaluation shows that LAKEED defeats kernel-level keyloggers effectively with low performance overhead.
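The detection idea stated in the abstract, reduced to its core: events that cross from an isolated kernel extension into the keyboard driver's memory are compared against a baseline of interactions recorded on a clean system, and anything outside the baseline is reported. The model below is an added illustration, not the authors' LAKEED code. The address layout, the baseline entries and the event trace are all constructed and hypothetical; in a real deployment the events would come from the hypervisor's memory-protection traps rather than from an array.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical kernel address layout (constructed for this example). */
#define KBD_START 0xffffffffa0000000ULL   /* keyboard driver text and data */
#define KBD_END   0xffffffffa0010000ULL
#define EXT_START 0xffffffffa0200000ULL   /* isolated, untrusted kernel extension */
#define EXT_END   0xffffffffa0210000ULL

typedef enum { ACC_READ = 0, ACC_WRITE = 1, ACC_CALL = 2 } acc_kind_t;

/* One interaction seen by the monitor: where the instruction executed (pc)
 * and which keyboard-driver address it touched (target). */
typedef struct { uint64_t pc; uint64_t target; acc_kind_t kind; } event_t;

/* Offline baseline: driver addresses the extension legitimately touches while
 * the clean system runs, with the access kinds observed (bitmask over acc_kind_t). */
typedef struct { uint64_t target; unsigned kinds; } baseline_entry_t;
static const baseline_entry_t baseline[] = {
    { KBD_START + 0x1000, 1u << ACC_CALL },   /* an exported driver helper (hypothetical) */
    { KBD_START + 0x8000, 1u << ACC_READ },   /* a status flag the extension polls (hypothetical) */
};
#define BASELINE_N (sizeof baseline / sizeof baseline[0])

typedef enum { VERDICT_UNMONITORED, VERDICT_BASELINE, VERDICT_ALERT } verdict_t;

static int in_range(uint64_t a, uint64_t lo, uint64_t hi) { return a >= lo && a < hi; }

/* Compare one runtime event with the baseline. Only accesses that cross from
 * the isolated extension into the keyboard driver are judged; everything else
 * is outside the monitor's scope. */
verdict_t classify(const event_t *e)
{
    if (!in_range(e->pc, EXT_START, EXT_END)) return VERDICT_UNMONITORED;
    if (!in_range(e->target, KBD_START, KBD_END)) return VERDICT_UNMONITORED;
    for (size_t i = 0; i < BASELINE_N; i++)
        if (baseline[i].target == e->target && (baseline[i].kinds & (1u << e->kind)))
            return VERDICT_BASELINE;
    return VERDICT_ALERT;   /* interaction never seen in the clean run */
}

/* Constructed trace. Event 1 overwrites a pointer inside the driver (the shape
 * of hook installation), event 2 reads a driver buffer, event 3 writes to an
 * address the baseline only permits reading. None of these are in the baseline. */
const event_t sample_trace[] = {
    { EXT_START + 0x0040, KBD_START + 0x1000, ACC_CALL  },   /* matches baseline */
    { EXT_START + 0x0100, KBD_START + 0x4000, ACC_WRITE },   /* pointer overwrite */
    { EXT_START + 0x0120, KBD_START + 0x6000, ACC_READ  },   /* buffer read */
    { EXT_START + 0x0200, KBD_START + 0x8000, ACC_WRITE },   /* baseline allows READ only */
    { KBD_START + 0x0010, KBD_START + 0x6000, ACC_READ  },   /* driver touching itself */
};
#define SAMPLE_N (sizeof sample_trace / sizeof sample_trace[0])

/* Number of events in a trace that fall outside the baseline. */
size_t count_alerts(const event_t *trace, size_t n)
{
    size_t alerts = 0;
    for (size_t i = 0; i < n; i++)
        if (classify(&trace[i]) == VERDICT_ALERT) alerts++;
    return alerts;
}

int main(void)
{
    static const char *names[] = { "unmonitored", "baseline", "ALERT" };
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("event %zu: pc=%#llx target=%#llx -> %s\n", i,
               (unsigned long long)sample_trace[i].pc,
               (unsigned long long)sample_trace[i].target,
               names[classify(&sample_trace[i])]);
    printf("%zu alert(s)\n", count_alerts(sample_trace, SAMPLE_N));
    return 0;
}
```

The baseline is keyed on both the target address and the access kind, so a write to a location the extension is only known to read still raises an alert; a baseline keyed on addresses alone would miss exactly the pointer-overwrite pattern a kernel keylogger relies on.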


Keywords: keylogger detection, virtualization, OS kernel, on-the-fly, driver

  Retrieve PDF document (JISE_201702_10.pdf)