US20070169191A1 - Method and system for detecting a keylogger that encrypts data captured on a computer - Google Patents
- Publication number
- US20070169191A1 (application Ser. No. 11/492,581)
- Authority
- US
- United States
- Prior art keywords
- patterns
- sub
- computer
- memory
- keylogger
- Prior art date
- Legal status
- Abandoned
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/83—Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/031—Protect user input by software means
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Definitions
- the present invention relates generally to the detection of pestware or malware on computers.
- the present invention relates to methods and systems for detecting keyloggers.
- malware can compromise a user's privacy by sending sensitive information about the user or the user's computer to a remote destination without the user's knowledge or permission.
- malware of this kind is commonly referred to as “spyware.”
- one particular type of spyware, a “keylogger,” secretly records a user's keystrokes as the user types on a keyboard and captures the resulting text in a data file, which is often encrypted.
- the keylogger may also secretly send the captured data file to a remote destination by e-mail or some other communication protocol.
- Such a keylogger can be used by a remote party to acquire information such as credit card numbers, social security numbers, and other sensitive information.
- Some anti-pestware programs detect keyloggers by inputting a known, typically repeating, data pattern to the system in a manner that appears to the system to be keyboard input and searching process memory for the known data pattern. This method fails, however, when the keylogger encrypts the data it captures. In that case, the data captured by the keylogger appears to be completely different from the input “decoy” data pattern.
- Some keyloggers also evade detection by writing their memory buffers to a disk file very shortly after capturing a group of keystrokes and flushing their memory buffers.
- the present invention can provide a method and system for identifying a keylogger that encrypts data captured on a computer.
- One illustrative embodiment is a method comprising acquiring a first sample of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; inputting to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; acquiring a second sample of the portion of the memory; comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flagging the running process as a potential keylogger when the at least one data segment contains a second data pattern matching the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.
- Another illustrative embodiment is a system comprising a data acquisition module configured to acquire first and second samples of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; a data injection module configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and an analysis module configured to compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample and to flag the running process as a potential keylogger when the at least one data segment contains a second data pattern that matches the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.
- FIG. 1 is a functional block diagram of a computer equipped with a keylogger detection system in accordance with an illustrative embodiment of the invention
- FIG. 2A is an illustration of an input data pattern made up of sub-patterns in accordance with an illustrative embodiment of the invention
- FIG. 2B is an illustration of an encrypted data pattern corresponding to the data pattern shown in FIG. 2A in accordance with an illustrative embodiment of the invention.
- FIG. 3 is a flowchart of a method for detecting a keylogger that encrypts data captured on a computer, in accordance with an illustrative embodiment of the invention.
- a keylogger on a computer is detected by inputting to the computer, in a manner mimicking keyboard input, a data pattern that can be recognized in memory despite that data pattern being encrypted and searching the memory for the altered but still-recognizable data pattern.
- “memory” can be any computer storage medium, including, without limitation, random access memory (RAM) and non-volatile storage such as a magnetic disk drive.
- the input data pattern can be rendered recognizable in memory despite encryption by structuring it as a “pattern of repeating sub-patterns.” That is, the input data pattern consists of at least one occurrence of each of a set of distinct sub-patterns (e.g., sub-strings).
- the “pattern of repeating sub-patterns” in the input data pattern can still be recognized within the encrypted data even though the sub-patterns in the input and encrypted data patterns are completely different.
- the running process whose memory has been scanned can be flagged as a potential keylogger.
- a user may be notified that the running process has been flagged as a potential keylogger.
- the above process of injecting a structured data pattern and searching changed process memory for a recognizable encrypted data pattern can be performed multiple times for a given running process.
- FIG. 1 is a functional block diagram of a computer equipped with a keylogger detection system in accordance with an illustrative embodiment of the invention.
- Computer 100 can be a desktop computer, workstation, laptop computer, notebook computer, handheld computer, or any other device that includes computing functionality.
- processor 105 communicates over data bus 110 with input devices 115, display 120, storage device 125, and memory 130.
- Input devices 115 may be, for example, a keyboard and a mouse or other pointing device.
- storage device 125 is a magnetic-disk device such as a hard disk drive (HDD). In other embodiments, however, storage device 125 can be any type of computer storage device, including, without limitation, a magnetic-disk drive, an optical-disc drive, and a storage device employing flash-memory-based media such as secure digital (SD) cards or multi-media cards (MMCs).
- Memory 130 may include random-access memory (RAM), read-only memory (ROM), or a combination thereof.
- memory 130 contains keylogger detection system 135 and an arbitrary running process 140.
- Keylogger detection system 135 detects keyloggers on computer 100 and, when appropriate, removes them from computer 100.
- keylogger detection system 135 is an application program stored on a computer-readable storage medium of computer 100 (e.g., storage device 125) that can be loaded into memory 130 and executed by processor 105.
- the functionality of keylogger detection system 135 can be implemented in software, firmware, hardware, or any combination thereof.
- keylogger detection system 135 has been divided into three functional modules: data acquisition module 145, data injection module 150, and analysis module 155.
- keylogger detection system 135 includes additional user-interface and keylogger-removal modules (not shown in FIG. 1) for interacting with a user and removing keyloggers from computer 100, respectively.
- the functionality of these functional modules may be combined or subdivided in a variety of ways.
- analysis module 155 may be configured to include user-interface and keylogger-removal functionality.
- Data acquisition module 145 is configured to read a portion of the memory of computer 100 associated with a running process 140.
- the memory read may be executable-program and data memory (e.g., a RAM portion of memory 130) associated with running process 140 or non-volatile memory associated with running process 140 such as a disk file on storage device 125.
- Data injection module 150 is configured to input to computer 100, in a manner that mimics keyboard input, an input data pattern consisting of one or more occurrences of each of a set of distinct sub-patterns.
- data injection module 150 injects the input data pattern at a time between the acquisition of two separate samples of the memory associated with running process 140 by data acquisition module 145.
- the staggered-time process memory samples allow analysis module 155 to look for regions of change in the memory associated with a particular running process 140, narrowing the search for a recognizable data pattern among the encrypted data captured by a keylogger.
- data injection module 150 mimics keyboard input by generating the input data pattern using a driver-level process associated with keylogger detection system 135 and sending the input data pattern to a hidden window (e.g., a one-pixel window) on computer 100.
- Analysis module 155 is configured to examine samples of memory associated with a given running process 140 that have been acquired by data acquisition module 145 to determine whether a later sample has changed relative to an earlier sample. Once one or more such regions of changed process memory have been identified, analysis module 155 examines those regions for an encrypted data pattern having the same structure (“pattern of repeating sub-patterns”) as the input data pattern. If such an encrypted data pattern is found, analysis module 155 flags running process 140 as a potential keylogger. Optionally, analysis module 155 also alerts a user that running process 140 is a potential keylogger. In other embodiments, keylogger detection system 135 may offer the user the option of removing the suspected keylogger from computer 100.
- FIG. 2A is an illustration of an input data pattern made up of sub-patterns in accordance with an illustrative embodiment of the invention.
- Input data pattern 200 may be American Standard Code for Information Interchange (ASCII) text, binary data, or data represented in some other format.
- input data pattern 200 consists of two repeating sub-patterns, sub-pattern 205 (“ABC”) and sub-pattern 210 (“DEFG”). For clarity, spaces have been added between occurrences of sub-pattern 205 and sub-pattern 210 in FIG. 2A.
- FIG. 2B is an illustration of an encrypted data pattern corresponding to input data pattern 200 shown in FIG. 2A in accordance with an illustrative embodiment of the invention.
- a keylogger has used a block cipher to produce encrypted data pattern 215, which consists of two repeating sub-patterns, sub-pattern 220 (“123”) and sub-pattern 225 (“4567”). For clarity, spaces have been added between sub-patterns 220 and 225 in FIG. 2B.
- For simplicity, only two distinct sub-patterns are shown in FIGS. 2A and 2B. In other embodiments, more than two distinct sub-patterns are used, and input data pattern 200 is larger than the simplified example shown in FIG. 2A.
- Analysis module 155 can recognize the correspondence between input data pattern 200 and encrypted data pattern 215 by identifying the repeating sub-patterns 220 and 225 in the memory associated with a running process 140 (a keylogger) and verifying that those repeating sub-patterns 220 and 225 satisfy certain further conditions for input data pattern 200 and encrypted data pattern 215 to have the same overall structure (“pattern of repeating sub-patterns”).
- One condition is that each sub-pattern in encrypted data pattern 215 occur the same number of times in encrypted data pattern 215 as a unique corresponding sub-pattern in input data pattern 200 occurs in input data pattern 200.
- Another condition is that the sub-patterns in encrypted data pattern 215 occur in the same order as the corresponding unique sub-patterns occur in input data pattern 200.
- sub-pattern 205 in input data pattern 200 and sub-pattern 220 in encrypted data pattern 215 both occur four times in their respective data patterns.
- sub-pattern 210 in input data pattern 200 and sub-pattern 225 in encrypted data pattern 215 both occur twice. Therefore, the first condition above is satisfied.
- the corresponding sub-patterns that occur with the same frequency in the respective data patterns also appear in the same order in both data patterns.
- both input data pattern 200 and encrypted data pattern 215 have the same overall structure or “pattern of repeating sub-patterns”: “S1 S1 S2 S2 S1 S1,” where S1 and S2 are distinct sub-patterns. That the sub-patterns are completely different in the two data patterns does not matter because encrypted data pattern 215 can still be recognized, based on its structure of repeating sub-patterns, as being derived from input data pattern 200.
- The techniques described in connection with FIGS. 2A and 2B are suitable for any keylogger whose encryption maps a given plaintext to the same ciphertext every time that plaintext occurs, such as a block cipher used in electronic-codebook (ECB) mode.
- ECB is the simplest block-cipher mode of operation: each plaintext block is encrypted independently under the same key, so identical plaintext blocks produce identical ciphertext blocks. (ECB is a mode of operation, not a type of cipher; with the same cipher in a chained or counter mode, a plaintext block repeated within a message does not produce a repeated ciphertext block.)
- More complex schemes such as a block cipher in cipher-block chaining (CBC) mode, which encrypts a given input block differently from occurrence to occurrence because each block is mixed with the preceding ciphertext block, are not frequently used by keyloggers. Any scheme with that property destroys the repeating structure, so a keylogger using one is not detected by this technique.
- Any suitable pattern-recognition technique, including techniques different from those discussed in connection with FIGS. 2A and 2B, may be used to identify encrypted data pattern 215.
- Although FIGS. 2A and 2B show a one-to-one correspondence between the number of characters in an input sub-pattern and the number of characters in the corresponding encrypted sub-pattern, this is not a requirement. So long as the encryption scheme outputs the same symbol or group of symbols for a given input each time that input occurs, the number of input and corresponding output (encrypted) characters may be different. For example, the above techniques could be used with an encryption algorithm whose codebook causes every occurrence of “ABC” to be encrypted as “12345.” In such a case, the “pattern of repeating sub-patterns” can still be recognized using the same techniques explained above. One constraint does apply with a real block cipher in ECB mode: ciphertext repeats only at block granularity, so the repeating structure is visible only if each sub-pattern occupies a whole number of cipher blocks (e.g., a multiple of 16 bytes for AES) and the injected pattern starts on a block boundary within the keylogger's buffer. A practical probe therefore sizes its sub-patterns to the block length and is injected several times at different offsets (e.g., preceded by a varying number of filler keystrokes), which is one reason to repeat the injection for a given process.
- FIG. 3 is a flowchart of a method for detecting a keylogger that encrypts data captured on a computer 100, in accordance with an illustrative embodiment of the invention.
- data acquisition module 145 reads a first sample of a portion of the memory of computer 100 that is associated with a running process 140.
- data injection module 150 inputs to computer 100, in a manner mimicking keyboard input, an input data pattern 200 made up of distinct, repeating sub-patterns as explained in connection with FIGS. 2A and 2B.
- data acquisition module 145 reads a second, later sample of the portion of the memory of computer 100 associated with running process 140.
- analysis module 155 compares the first and second samples read by data acquisition module 145 to identify one or more regions of the second sample that have changed relative to the first sample. If such regions are found at 325, analysis module 155 analyzes those changed regions of process memory at 330 to determine whether an encrypted data pattern 215 having the same overall structure of sub-patterns—despite the sub-patterns themselves being different—is present. If a matching data pattern is found at 335, analysis module 155 flags running process 140 as a potential keylogger. Optionally, analysis module 155 notifies a user of computer 100 that running process 140 is a potential keylogger. At 345, the process terminates.
- a user-interface function of keylogger detection system 135 can offer a user of computer 100 the option of removing the suspected keylogger from computer 100.
- keylogger detection system 135 then removes the suspected keylogger from computer 100.
- removal of a suspected keylogger is performed automatically, without the need for user input.
- the present invention provides, among other things, a method and system for identifying keyloggers that encrypt data captured on a computer.
- Those skilled in the art can readily recognize that numerous variations and substitutions may be made in the invention, its use, and its configuration to achieve substantially the same results as achieved by the embodiments described herein. Accordingly, there is no intention to limit the invention to the disclosed illustrative forms. Many variations, modifications and alternative constructions fall within the scope and spirit of the disclosed invention as expressed in the claims.
Abstract
A method and system for detecting a keylogger that encrypts data captured on a computer. One illustrative embodiment acquires a first sample of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; inputs to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; acquires a second sample of the portion of the memory; compares the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flags the running process as a potential keylogger when the at least one data segment contains a second data pattern matching the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.
Description
- The present application is related to commonly owned and assigned U.S. application Ser. No. 11/334,318, Attorney Docket No. WEBR-033/00US, entitled “Method and System for Detecting a Keylogger on a Computer,” which is incorporated herein by reference.
- The present invention relates generally to the detection of pestware or malware on computers. In particular, but without limitation, the present invention relates to methods and systems for detecting keyloggers.
- Protecting personal computers from a never-ending onslaught of pestware or malware has become increasingly important and challenging. Some types of pestware or malware can compromise a user's privacy by sending sensitive information about the user or the user's computer to a remote destination without the user's knowledge or permission. Such malware is commonly referred to as “spyware.” One particular type of spyware, a “keylogger,” secretly records a user's keystrokes as the user types on a keyboard and captures the resulting text in a data file, which is often encrypted. The keylogger may also secretly send the captured data file to a remote destination by e-mail or some other communication protocol. Such a keylogger can be used by a remote party to acquire information such as credit card numbers, social security numbers, and other sensitive information.
- Clearly, computer users have a strong motivation to detect and remove unwanted keyloggers from their systems. Many computer users rely on anti-pestware programs to detect and remove such threats. Some anti-pestware programs detect keyloggers by inputting a known, typically repeating, data pattern to the system in a manner that appears to the system to be keyboard input and searching process memory for the known data pattern. This method fails, however, when the keylogger encrypts the data it captures. In that case, the data captured by the keylogger appears to be completely different from the input “decoy” data pattern. Some keyloggers also evade detection by writing their memory buffers to a disk file very shortly after capturing a group of keystrokes and flushing their memory buffers.
- It is thus apparent that there is a need in the art for an improved method and system for detecting keyloggers that encrypt data captured on a computer.
- Illustrative embodiments of the present invention that are shown in the drawings are summarized below. These and other embodiments are more fully described in the Detailed Description section. It is to be understood, however, that there is no intention to limit the invention to the forms described in this Summary of the Invention or in the Detailed Description. One skilled in the art can recognize that there are numerous modifications, equivalents, and alternative constructions that fall within the spirit and scope of the invention as expressed in the claims.
- The present invention can provide a method and system for identifying a keylogger that encrypts data captured on a computer. One illustrative embodiment is a method comprising acquiring a first sample of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; inputting to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; acquiring a second sample of the portion of the memory; comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flagging the running process as a potential keylogger when the at least one data segment contains a second data pattern matching the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.
- Another illustrative embodiment is a system comprising a data acquisition module configured to acquire first and second samples of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; a data injection module configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and an analysis module configured to compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample and to flag the running process as a potential keylogger when the at least one data segment contains a second data pattern that matches the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.
- Various objects and advantages and a more complete understanding of the present invention are apparent and more readily appreciated by reference to the following Detailed Description and to the appended claims when taken in conjunction with the accompanying Drawings, wherein:
- FIG. 1 is a functional block diagram of a computer equipped with a keylogger detection system in accordance with an illustrative embodiment of the invention;
- FIG. 2A is an illustration of an input data pattern made up of sub-patterns in accordance with an illustrative embodiment of the invention;
- FIG. 2B is an illustration of an encrypted data pattern corresponding to the data pattern shown in FIG. 2A in accordance with an illustrative embodiment of the invention; and
- FIG. 3 is a flowchart of a method for detecting a keylogger that encrypts data captured on a computer, in accordance with an illustrative embodiment of the invention.
- In one illustrative embodiment of the invention, a keylogger on a computer is detected by inputting to the computer, in a manner mimicking keyboard input, a data pattern that can be recognized in memory despite that data pattern being encrypted and searching the memory for the altered but still-recognizable data pattern. In this embodiment, “memory” can be any computer storage medium, including, without limitation, random access memory (RAM) and non-volatile storage such as a magnetic disk drive.
- The input data pattern can be rendered recognizable in memory despite encryption by structuring it as a “pattern of repeating sub-patterns.” That is, the input data pattern consists of at least one occurrence of each of a set of distinct sub-patterns (e.g., sub-strings). When a keylogger employs an encryption algorithm that produces a consistent output each time a given input occurs, the “pattern of repeating sub-patterns” in the input data pattern can still be recognized within the encrypted data even though the sub-patterns in the input and encrypted data patterns are completely different. When the overall structure of the input data pattern is recognized among the encrypted data, the running process whose memory has been scanned can be flagged as a potential keylogger. Optionally, a user may be notified that the running process has been flagged as a potential keylogger.
- To improve the reliability of keylogger detection, the above process of injecting a structured data pattern and searching changed process memory for a recognizable encrypted data pattern can be performed multiple times for a given running process.
- Referring now to the drawings, where like or similar elements are designated with identical reference numerals throughout the several views, and referring in particular to FIG. 1, it is a functional block diagram of a computer equipped with a keylogger detection system in accordance with an illustrative embodiment of the invention. Computer 100 can be a desktop computer, workstation, laptop computer, notebook computer, handheld computer, or any other device that includes computing functionality. In FIG. 1, processor 105 communicates over data bus 110 with input devices 115, display 120, storage device 125, and memory 130.
- Input devices 115 may be, for example, a keyboard and a mouse or other pointing device. In an illustrative embodiment, storage device 125 is a magnetic-disk device such as a hard disk drive (HDD). In other embodiments, however, storage device 125 can be any type of computer storage device, including, without limitation, a magnetic-disk drive, an optical-disc drive, and a storage device employing flash-memory-based media such as secure digital (SD) cards or multi-media cards (MMCs). Memory 130 may include random-access memory (RAM), read-only memory (ROM), or a combination thereof.
- In this illustrative embodiment, memory 130 contains keylogger detection system 135 and an arbitrary running process 140. Keylogger detection system 135 detects keyloggers on computer 100 and, when appropriate, removes them from computer 100. In the illustrative embodiment of FIG. 1, keylogger detection system 135 is an application program stored on a computer-readable storage medium of computer 100 (e.g., storage device 125) that can be loaded into memory 130 and executed by processor 105. In other embodiments, the functionality of keylogger detection system 135 can be implemented in software, firmware, hardware, or any combination thereof.
- For convenience in this Detailed Description, the functionality of keylogger detection system 135 has been divided into three functional modules: data acquisition module 145, data injection module 150, and analysis module 155. In some embodiments, keylogger detection system 135 includes additional user-interface and keylogger-removal modules (not shown in FIG. 1) for interacting with a user and removing keyloggers from computer 100, respectively. In various embodiments of the invention, the functionality of these functional modules may be combined or subdivided in a variety of ways. For example, in some embodiments, analysis module 155 may be configured to include user-interface and keylogger-removal functionality.
- Data acquisition module 145 is configured to read a portion of the memory of computer 100 associated with a running process 140. The memory read may be executable-program and data memory (e.g., a RAM portion of memory 130) associated with running process 140 or non-volatile memory associated with running process 140 such as a disk file on storage device 125.
- Data injection module 150 is configured to input to computer 100, in a manner that mimics keyboard input, an input data pattern consisting of one or more occurrences of each of a set of distinct sub-patterns. In this illustrative embodiment, data injection module 150 injects the input data pattern at a time between the acquisition of two separate samples of the memory associated with running process 140 by data acquisition module 145. The staggered-time process memory samples allow analysis module 155 to look for regions of change in the memory associated with a particular running process 140, narrowing the search for a recognizable data pattern among the encrypted data captured by a keylogger.
- In one embodiment, data injection module 150 mimics keyboard input by generating the input data pattern using a driver-level process associated with keylogger detection system 135 and sending the input data pattern to a hidden window (e.g., a one-pixel window) on computer 100. Techniques for employing such a driver and hidden window in the detection of keyloggers are explained more fully in commonly owned and assigned U.S. application Ser. No. 11/334,318, Attorney Docket No. WEBR-033/00US, entitled “Method and System for Detecting a Keylogger on a Computer,” which is incorporated herein by reference.
- Analysis module 155 is configured to examine samples of memory associated with a given running process 140 that have been acquired by data acquisition module 145 to determine whether a later sample has changed relative to an earlier sample. Once one or more such regions of changed process memory have been identified, analysis module 155 examines those regions for an encrypted data pattern having the same structure (“pattern of repeating sub-patterns”) as the input data pattern. If such an encrypted data pattern is found, analysis module 155 flags running process 140 as a potential keylogger. Optionally, analysis module 155 also alerts a user that running process 140 is a potential keylogger. In other embodiments, keylogger detection system 135 may offer the user the option of removing the suspected keylogger from computer 100.
FIG. 2A is an illustration of an input data pattern made up of sub-patterns in. accordance with an illustrative embodiment of the invention.Input data pattern 200 may be American Standard Code for Information Interchange (ASCII) text, binary data, or data represented in some other format. In this simplified example,input data pattern 200 consists of two repeating sub-patterns, sub-pattern 205 (“ABC”) and sub-pattern 210 (“DEFG”). For clarity, spaces have been added between occurrences ofsub-pattern 205 and sub-pattern 210 inFIG. 2A . -
FIG. 2B is an illustration of an encrypted data pattern corresponding to inputdata pattern 200 shown inFIG. 2A in accordance with an illustrative embodiment of the invention. In this example, a keylogger has used a block cipher to produceencrypted data pattern 215, which consists of two repeating sub-patterns, sub-pattern 220 (“123”) and sub-pattern 225 (“4567”). For clarity, spaces have been added betweensub-patterns FIG. 2B . - For simplicity, only two distinct sub-patterns are shown in
FIGS. 2A and 2B . In other embodiments, more than two distinct sub-patterns are used, andinput data pattern 200 is larger than the simplified example shown inFIG. 2A . -
Analysis module 155 can recognize the correspondence betweeninput data pattern 200 andencrypted data pattern 215 by identifying the repeating sub-patterns 220 and 225 in the memory associated with a running process 140 (a keylogger) and verifying that those repeatingsub-patterns input data pattern 200 andencrypted data pattern 215 to have the same overall structure (“pattern of repeating sub-patterns”). One condition is that each sub-pattern inencrypted data pattern 215 occur the same number of times inencrypted data pattern 215 as a unique corresponding sub-pattern ininput data pattern 200 occurs ininput data pattern 200. Another condition is that the sub-patterns inencrypted data pattern 215 occur in the same order as the corresponding unique sub-patterns occur ininput data pattern 200. - In the example of
FIGS. 2A and 2B , sub-pattern 205 ininput data pattern 200 and sub-pattern 220 inencrypted data pattern 215 both occur four times in their respective data patterns. Likewise, sub-pattern 210 ininput data pattern 200 and sub-pattern 225 inencrypted data pattern 215 both occur twice. Therefore, the first condition above is satisfied. Further, the corresponding sub-patterns that occur with the same frequency in the respective data patterns also appear in the same order in both data patterns. Thus, bothinput data pattern 200 andencrypted data pattern 215 have the same overall structure or “pattern of repeating sub-patterns”: “S1 S1 S2 S2 S1 S1, ” where S1 and S2 are distinct sub-patterns. That the sub-patterns are completely different in the two data patterns does not matter becauseencrypted data pattern 215 can still be recognized, based on its structure of repeating sub-patterns, as being derived frominput data pattern 200. - The techniques described in connection with
FIGS. 2A and 2B are suitable for any keylogger employing a block cipher for encryption. One common type of block cipher is electronic-codebook (ECB) encryption. More complex types of encryption such as a chain-block cipher, which encodes a given input differently from occurrence to occurrence, are not frequently used by keyloggers. Those skilled in the art will recognize that any suitable pattern-recognition techniques, including techniques different from those discussed in connection withFIGS. 2A and 2B , may be used to identifyencrypted data pattern 215. - Those skilled in the art will recognize that even though the example of
FIGS. 2A and 2B shows a one-to-one correspondence between the number of characters in an input sub-pattern and the number of characters in the corresponding encrypted sub-pattern, this is not a requirement. So long as the encryption scheme outputs the same symbol or group of symbols for a given input each time that input occurs, the number of input and corresponding output (encrypted) characters may be different. For example, the above techniques could be used with an encryption algorithm whose codebook causes every occurrence of “ABC” to be encrypted as “12345.” In such a case, the “pattern of repeating sub-patterns” can still be recognized using the same techniques explained above. -
FIG. 3 is a flowchart of a method for detecting a keylogger that encrypts data captured on acomputer 100, in accordance with an illustrative embodiment of the invention. At 305,data acquisition module 145 reads a first sample of a portion of the memory ofcomputer 100 that is associated with arunning process 140. At 310,data injection module 150 inputs tocomputer 100, in a manner mimicking keyboard input, aninput data pattern 200 made up of distinct, repeating sub-patterns as explained in connection withFIGS. 2A and 2B . At 315,data acquisition module 145 reads a second, later sample of the portion of the memory ofcomputer 100 associated with runningprocess 140. At 320,analysis module 155 compares the first and second samples read by data acquisition module to identify one or more regions of the second sample that have changed relative to the first sample. If such regions are found at 325,analysis module 155 analyzes those changed regions of process memory at 330 to determine whether anencrypted data pattern 215 having the same overall structure of sub-patterns—despite the sub-patterns themselves being different—is present. If a matching data pattern is found at 335,analysis module 155flags running process 140 as a potential keylogger. Optionally,analysis module 155 notifies a user ofcomputer 100 that runningprocess 140 is a potential keylogger. At 345, the process terminates. - Many variations of the method diagramed in
FIG. 3 are possible. For example, all of the actions shown inFIG. 3 can be repeated multiple times for a givenrunning process 140 to increase the reliability ofkeylogger detection system 135. Also, if no changed process-memory data is found at 325, the process can return toBlock 305 for another attempt. Onceanalysis module 155 has identified a potential keylogger, a user-interface function ofkeylogger detection system 135 can offer a user ofcomputer 100 the option of removing the suspected keylogger fromcomputer 100. In response to input from the user,keylogger detection system 135 then removes the suspected keylogger fromcomputer 100. In other embodiments, removal of a suspectedkeylogger 135 is performed automatically without the need for user input. - In conclusion, the present invention provides, among other things, method and system for identifying keyloggers that encrypt data captured on a computer. Those skilled in the art can readily recognize that numerous variations and substitutions may be made in the invention, its use, and its configuration to achieve substantially the same results as achieved by the embodiments described herein. Accordingly, there is no intention to limit the invention to the disclosed illustrative forms. Many variations, modifications and alternative constructions fall within the scope and spirit of the disclosed invention as expressed in the claims.
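The comparison at 320 and the structure check at 330 (the two conditions given for FIGS. 2A and 2B), as an added worked example that is not part of the patent or its assignee's code: it diffs two constructed process-memory samples and then searches each changed region for distinct sub-patterns laid out as S1 S1 S2 S2 S1 S1. The codebook, the sample buffers and all function names are my own assumptions; the search generalizes the FIG. 2B case to any number of distinct sub-patterns and to encrypted sub-patterns whose length differs from the typed ones (the "12345" case above).

```python
"""
Added illustration (not the patent's code): diff two process-memory
samples, then search the changed bytes for the injected "pattern of
repeating sub-patterns" (S1 S1 S2 S2 S1 S1), tolerating encrypted
sub-patterns whose length differs from the typed ones.
"""
from itertools import product
from typing import List, Optional, Tuple

# FIG. 2A input pattern: sub-pattern 205 ("ABC") x2, 210 ("DEFG") x2, 205 x2.
INPUT_PATTERN = [b"ABC", b"ABC", b"DEFG", b"DEFG", b"ABC", b"ABC"]

# Constructed stand-in for a keylogger's deterministic (ECB-like) cipher:
# every occurrence of a sub-pattern maps to the same ciphertext, and the
# ciphertext length need not match the plaintext length (see "12345").
CODEBOOK = {b"ABC": b"12345", b"DEFG": b"xy"}
CAPTURED = b"".join(CODEBOOK[p] for p in INPUT_PATTERN)  # 24 bytes

# Constructed memory samples (steps 305 and 315): 60 bytes each; the
# capture buffer appears at offset 12 between the two samples.
SAMPLE_BEFORE = b"\x00" * 8 + b"log=" + b"\x00" * 48
SAMPLE_AFTER = SAMPLE_BEFORE[:12] + CAPTURED + SAMPLE_BEFORE[12 + len(CAPTURED):]
# A benign change (a counter string) that must not be flagged.
SAMPLE_AFTER_BENIGN = SAMPLE_BEFORE[:12] + b"tick=0042;" + SAMPLE_BEFORE[22:]


def structure_of(pattern: List[bytes]) -> List[int]:
    """Label sub-patterns by order of first appearance: the FIG. 2A pattern
    becomes [0, 0, 1, 1, 0, 0], i.e. "S1 S1 S2 S2 S1 S1"."""
    labels = {}
    return [labels.setdefault(p, len(labels)) for p in pattern]


def changed_segments(before: bytes, after: bytes, max_gap: int = 0) -> List[Tuple[int, bytes]]:
    """Step 320: (offset, bytes) for each region of `after` that differs from
    `before`. Runs separated by at most `max_gap` unchanged bytes are merged,
    because a ciphertext byte may coincidentally equal the old byte."""
    runs: List[List[int]] = []  # [start, end) index ranges into `after`
    for i in range(len(after)):
        if i < len(before) and before[i] == after[i]:
            continue
        if runs and i - runs[-1][1] <= max_gap:
            runs[-1][1] = i + 1
        else:
            runs.append([i, i + 1])
    return [(s, after[s:e]) for s, e in runs]


def is_primitive(s: bytes) -> bool:
    """True unless `s` is a repetition of a shorter string (b"AAAA" is not).
    Without this, any run of one byte would match S1 S1 S2 S2 S1 S1 with
    S1 = b"A" and S2 = b"AA"."""
    return s not in (s + s)[1:-1]


def find_structure(region: bytes, structure: List[int], max_len: int = 8) -> Optional[Tuple[int, List[bytes]]]:
    """Step 330: look for distinct byte strings T_0..T_{k-1}, each of unknown
    length 1..max_len (use >= the cipher block size), laid out contiguously in
    the order `structure` gives. Equal occurrence counts and equal order, the
    two conditions in the text, hold by construction of the layout.
    Returns (offset within region, [T_0, ...]) or None."""
    k = max(structure) + 1
    counts = [structure.count(j) for j in range(k)]
    for lengths in product(range(1, max_len + 1), repeat=k):
        total = sum(c * n for c, n in zip(counts, lengths))
        if total > len(region):
            continue
        for off in range(len(region) - total + 1):
            subs: List[Optional[bytes]] = [None] * k
            pos, ok = off, True
            for label in structure:
                chunk = region[pos:pos + lengths[label]]
                if subs[label] is None:
                    subs[label] = chunk
                elif subs[label] != chunk:
                    ok = False
                    break
                pos += lengths[label]
            found = [s for s in subs if s is not None]
            if ok and len(set(found)) == k and all(is_primitive(s) for s in found):
                return off, found
    return None


def detect(before: bytes, after: bytes, input_pattern: List[bytes],
           max_len: int = 8, max_gap: int = 0) -> List[Tuple[int, List[bytes]]]:
    """Steps 320 to 335 for one process: absolute offset and recovered
    sub-patterns of every changed region carrying the injected structure.
    A non-empty result is the "flag as potential keylogger" condition."""
    structure = structure_of(input_pattern)
    hits = []
    for offset, region in changed_segments(before, after, max_gap):
        found = find_structure(region, structure, max_len)
        if found is not None:
            hits.append((offset + found[0], found[1]))
    return hits


if __name__ == "__main__":
    print(detect(SAMPLE_BEFORE, SAMPLE_AFTER, INPUT_PATTERN))  # [(12, [b'12345', b'xy'])]
    print(detect(SAMPLE_BEFORE, SAMPLE_AFTER_BENIGN, INPUT_PATTERN))  # []
```

The structure test does not require the sub-patterns to be encrypted, so a process that stores the keystrokes in plaintext is flagged by the same check. Cost grows as max_len to the power of the number of distinct sub-patterns, so keep the injected pattern to a few distinct sub-patterns and bound max_len by the largest block size expected.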
Claims (17)
1. A method for detecting a keylogger that encrypts data captured on a computer, the method comprising:
acquiring a first sample of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer;
inputting to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns;
acquiring a second sample of the portion of the memory;
comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and
flagging the running process as a potential keylogger when:
the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns,
each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and
the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
2. The method of claim 1, wherein the method is performed a plurality of times for a particular running process.
3. The method of claim 1, further comprising:
notifying a user that the running process is a potential keylogger when the running process has been flagged as a potential keylogger.
4. The method of claim 1, further comprising:
automatically removing the running process from the computer when the running process has been flagged as a potential keylogger.
5. The method of claim 1, further comprising:
removing the running process from the computer in response to user input when the running process has been flagged as a potential keylogger.
6. The method of claim 1, wherein the memory is random-access memory.
7. The method of claim 1, wherein the memory is a non-volatile memory.
8. The method of claim 1, wherein the first and second sets of distinct sub-patterns are disjoint.
9. A system for detecting a keylogger that encrypts data captured on a computer, the system comprising:
a data acquisition module configured to acquire first and second samples of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer;
a data injection module configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and
an analysis module configured to:
compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and
flag the running process as a potential keylogger when:
the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns,
each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and
the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
10. The system of claim 9, wherein the analysis module is further configured to notify a user that the running process is a potential keylogger when the analysis module has flagged the running process as a potential keylogger.
11. The system of claim 9, wherein the analysis module is further configured to remove the running process from the computer automatically when the analysis module has flagged the running process as a potential keylogger.
12. The system of claim 9, wherein the analysis module is further configured to remove the running process from the computer in response to user input when the analysis module has flagged the running process as a potential keylogger.
13. The system of claim 9, wherein the memory is random access memory.
14. The system of claim 9, wherein the memory is a non-volatile memory.
15. The system of claim 9, wherein the first and second sets of distinct sub-patterns are disjoint.
16. A system for detecting a keylogger that encrypts data captured on a computer, the system comprising:
means for acquiring first and second samples of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer;
means for inputting to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns;
means for comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and
means for flagging the running process as a potential keylogger when:
the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns,
each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and
the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
17. A computer-readable storage medium containing program instructions executable by a processor to detect a keylogger that encrypts data captured on a computer, the program instructions comprising:
a first instruction segment configured to acquire first and second samples of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer;
a second instruction segment configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and
a third instruction segment configured to:
compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and
flag the running process as a potential keylogger when:
the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns,
each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and
the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/492,581 US20070169191A1 (en) | 2006-01-18 | 2006-07-25 | Method and system for detecting a keylogger that encrypts data captured on a computer |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/334,318 US7721333B2 (en) | 2006-01-18 | 2006-01-18 | Method and system for detecting a keylogger on a computer |
US11/492,581 US20070169191A1 (en) | 2006-01-18 | 2006-07-25 | Method and system for detecting a keylogger that encrypts data captured on a computer |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/334,318 Continuation US7721333B2 (en) | 2006-01-18 | 2006-01-18 | Method and system for detecting a keylogger on a computer |
Publications (1)
Publication Number | Publication Date |
---|---|
US20070169191A1 true US20070169191A1 (en) | 2007-07-19 |
Family
ID=38264948
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/334,318 Active 2029-03-20 US7721333B2 (en) | 2006-01-18 | 2006-01-18 | Method and system for detecting a keylogger on a computer |
US11/492,581 Abandoned US20070169191A1 (en) | 2006-01-18 | 2006-07-25 | Method and system for detecting a keylogger that encrypts data captured on a computer |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/334,318 Active 2029-03-20 US7721333B2 (en) | 2006-01-18 | 2006-01-18 | Method and system for detecting a keylogger on a computer |
Country Status (3)
Country | Link |
---|---|
US (2) | US7721333B2 (en) |
EP (1) | EP1989628A2 (en) |
WO (1) | WO2007106609A2 (en) |
2006
- 2006-01-18 US US11/334,318 patent/US7721333B2/en active Active
- 2006-07-25 US US11/492,581 patent/US20070169191A1/en not_active Abandoned
2007
- 2007-01-18 WO PCT/US2007/060700 patent/WO2007106609A2/en active Application Filing
- 2007-01-18 EP EP07756377A patent/EP1989628A2/en not_active Withdrawn
US6813711B1 (en) * | 1999-01-05 | 2004-11-02 | Samsung Electronics Co., Ltd. | Downloading files from approved web site |
US6460060B1 (en) * | 1999-01-26 | 2002-10-01 | International Business Machines Corporation | Method and system for searching web browser history |
US20040143763A1 (en) * | 1999-02-03 | 2004-07-22 | Radatti Peter V. | Apparatus and methods for intercepting, examining and controlling code, data and files and their transfer in instant messaging and peer-to-peer applications |
US6397264B1 (en) * | 1999-11-01 | 2002-05-28 | Rstar Corporation | Multi-browser client architecture for managing multiple applications having a history list |
US6535931B1 (en) * | 1999-12-13 | 2003-03-18 | International Business Machines Corp. | Extended keyboard support in a run time environment for keys not recognizable on standard or non-standard keyboards |
US7058822B2 (en) * | 2000-03-30 | 2006-06-06 | Finjan Software, Ltd. | Malicious mobile code runtime monitoring system and methods |
US20050154885A1 (en) * | 2000-05-15 | 2005-07-14 | Interfuse Technology, Inc. | Electronic data security system and method |
US20040034794A1 (en) * | 2000-05-28 | 2004-02-19 | Yaron Mayer | System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages |
US6829654B1 (en) * | 2000-06-23 | 2004-12-07 | Cloudshield Technologies, Inc. | Apparatus and method for virtual edge placement of web sites |
US6667751B1 (en) * | 2000-07-13 | 2003-12-23 | International Business Machines Corporation | Linear web browser history viewer |
US6910134B1 (en) * | 2000-08-29 | 2005-06-21 | Netrake Corporation | Method and device for innoculating email infected with a virus |
US6785732B1 (en) * | 2000-09-11 | 2004-08-31 | International Business Machines Corporation | Web server apparatus and method for virus checking |
US20020166063A1 (en) * | 2001-03-01 | 2002-11-07 | Cyber Operations, Llc | System and method for anti-network terrorism |
US20020162015A1 (en) * | 2001-04-29 | 2002-10-31 | Zhaomiao Tang | Method and system for scanning and cleaning known and unknown computer viruses, recording medium and transmission medium therefor |
US20030159070A1 (en) * | 2001-05-28 | 2003-08-21 | Yaron Mayer | System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages |
US20030065943A1 (en) * | 2001-09-28 | 2003-04-03 | Christoph Geis | Method and apparatus for recognizing and reacting to denial of service attacks on a computerized network |
US20030074581A1 (en) * | 2001-10-15 | 2003-04-17 | Hursey Neil John | Updating malware definition data for mobile data processing devices |
US7107617B2 (en) * | 2001-10-15 | 2006-09-12 | Mcafee, Inc. | Malware scanning of compressed computer files |
US20030101381A1 (en) * | 2001-11-29 | 2003-05-29 | Nikolay Mateev | System and method for virus checking software |
US6633835B1 (en) * | 2002-01-10 | 2003-10-14 | Networks Associates Technology, Inc. | Prioritized data capture, classification and filtering in a network monitoring environment |
US6772345B1 (en) * | 2002-02-08 | 2004-08-03 | Networks Associates Technology, Inc. | Protocol-level malware scanner |
US20030217287A1 (en) * | 2002-05-16 | 2003-11-20 | Ilya Kruglenko | Secure desktop environment for unsophisticated computer users |
US20040030914A1 (en) * | 2002-08-09 | 2004-02-12 | Kelley Edward Emile | Password protection |
US20040187023A1 (en) * | 2002-08-30 | 2004-09-23 | Wholesecurity, Inc. | Method, system and computer program product for security in a global computer network transaction |
US20040064736A1 (en) * | 2002-08-30 | 2004-04-01 | Wholesecurity, Inc. | Method and apparatus for detecting malicious code in an information handling system |
US20040080529A1 (en) * | 2002-10-24 | 2004-04-29 | Wojcik Paul Kazimierz | Method and system for securing text-entry in a web form over a computer network |
US6965968B1 (en) * | 2003-02-27 | 2005-11-15 | Finjan Software Ltd. | Policy-based caching |
US20040225877A1 (en) * | 2003-05-09 | 2004-11-11 | Zezhen Huang | Method and system for protecting computer system from malicious software operation |
US20050038697A1 (en) * | 2003-06-30 | 2005-02-17 | Aaron Jeffrey A. | Automatically facilitated marketing and provision of electronic services |
US20050138433A1 (en) * | 2003-12-23 | 2005-06-23 | Zone Labs, Inc. | Security System with Methodology for Defending Against Security Breaches of Peripheral Devices |
Cited By (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060277182A1 (en) * | 2005-06-06 | 2006-12-07 | Tony Nichols | System and method for analyzing locked files |
US8452744B2 (en) * | 2005-06-06 | 2013-05-28 | Webroot Inc. | System and method for analyzing locked files |
US8381296B2 (en) | 2006-07-07 | 2013-02-19 | Webroot Inc. | Method and system for detecting and removing hidden pestware files |
US8387147B2 (en) | 2006-07-07 | 2013-02-26 | Webroot Inc. | Method and system for detecting and removing hidden pestware files |
US9754102B2 (en) | 2006-08-07 | 2017-09-05 | Webroot Inc. | Malware management through kernel detection during a boot sequence |
US20080216174A1 (en) * | 2007-03-02 | 2008-09-04 | 403 Labs, Llc | Sensitive Data Scanner |
US8635691B2 (en) * | 2007-03-02 | 2014-01-21 | 403 Labs, Llc | Sensitive data scanner |
US20090007256A1 (en) * | 2007-06-28 | 2009-01-01 | Microsoft Corporation | Using a trusted entity to drive security decisions |
US9015842B2 (en) | 2008-03-19 | 2015-04-21 | Websense, Inc. | Method and system for protection against information stealing software |
US9495539B2 (en) | 2008-03-19 | 2016-11-15 | Websense, Llc | Method and system for protection against information stealing software |
US20090241196A1 (en) * | 2008-03-19 | 2009-09-24 | Websense, Inc. | Method and system for protection against information stealing software |
US9455981B2 (en) | 2008-03-19 | 2016-09-27 | Forcepoint, LLC | Method and system for protection against information stealing software |
WO2009117445A3 (en) * | 2008-03-19 | 2009-11-12 | Websense, Inc. | Method and system for protection against information stealing software |
US9032536B2 (en) * | 2008-10-10 | 2015-05-12 | Safend Ltd. | System and method for incapacitating a hardware keylogger |
WO2010041257A1 (en) * | 2008-10-10 | 2010-04-15 | Safend Ltd. | System and method for incapacitating a hardware keylogger |
US20110219457A1 (en) * | 2008-10-10 | 2011-09-08 | Ido Keshet | System and method for incapacitating a hardware keylogger |
US11489857B2 (en) | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource |
US20110072262A1 (en) * | 2009-09-23 | 2011-03-24 | Idan Amir | System and Method for Identifying Security Breach Attempts of a Website |
US10157280B2 (en) * | 2009-09-23 | 2018-12-18 | F5 Networks, Inc. | System and method for identifying security breach attempts of a website |
US8707437B1 (en) * | 2011-04-18 | 2014-04-22 | Trend Micro Incorporated | Techniques for detecting keyloggers in computer systems |
US9245118B2 (en) | 2012-07-18 | 2016-01-26 | Infosys Limited | Methods for identifying key logging activities with a portable device and devices thereof |
US9262639B2 (en) | 2013-01-09 | 2016-02-16 | Cisco Technology Inc. | Plaintext injection attack protection |
WO2014185770A1 (en) * | 2013-05-17 | 2014-11-20 | Mimos Berhad | Method and system for detecting keylogger |
US10089468B2 (en) | 2015-03-31 | 2018-10-02 | Juniper Networks, Inc. | Detecting keylogging |
US9679141B2 (en) * | 2015-03-31 | 2017-06-13 | Juniper Networks, Inc. | Detecting keylogging |
US11496438B1 (en) | 2017-02-07 | 2022-11-08 | F5, Inc. | Methods for improved network security using asymmetric traffic delivery and devices thereof |
US10791119B1 (en) | 2017-03-14 | 2020-09-29 | F5 Networks, Inc. | Methods for temporal password injection and devices thereof |
US10931662B1 (en) | 2017-04-10 | 2021-02-23 | F5 Networks, Inc. | Methods for ephemeral authentication screening and devices thereof |
US11658995B1 (en) | 2018-03-20 | 2023-05-23 | F5, Inc. | Methods for dynamically mitigating network attacks and devices thereof |
Also Published As
Publication number | Publication date |
---|---|
US20070180520A1 (en) | 2007-08-02 |
US7721333B2 (en) | 2010-05-18 |
WO2007106609A3 (en) | 2009-04-16 |
EP1989628A2 (en) | 2008-11-12 |
WO2007106609A2 (en) | 2007-09-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20070169191A1 (en) | | Method and system for detecting a keylogger that encrypts data captured on a computer |
Gopinath et al. | | A comprehensive survey on deep learning based malware detection techniques |
Cheng et al. | | Enterprise data breach: causes, challenges, prevention, and future directions |
Maiorca et al. | | A pattern recognition system for malicious pdf files detection |
Cohen et al. | | SFEM: Structural feature extraction methodology for the detection of malicious office documents using machine learning methods |
Sung et al. | | Static analyzer of vicious executables (save) |
US9317701B2 (en) | | Security methods and systems |
Shankarapani et al. | | Malware detection using assembly and API call sequences |
Sathyanarayan et al. | | Signature generation and detection of malware families |
Stolfo et al. | | Towards stealthy malware detection |
US8127360B1 (en) | | Method and apparatus for detecting leakage of sensitive information |
Maiorca et al. | | Digital investigation of pdf files: Unveiling traces of embedded malware |
Sagiroglu et al. | | Keyloggers: Increasing threats to computer security and privacy |
Ahmed et al. | | Automated analysis approach for the detection of high survivable ransomware |
Stolfo et al. | | Fileprint analysis for malware detection |
Kwon et al. | | Bingraph: Discovering mutant malware using hierarchical semantic signatures |
US20210165904A1 (en) | | Data loss prevention |
Tyagi et al. | | Malware Detection in PE files using Machine Learning |
Baballe et al. | | Management of Vulnerabilities in Cyber Security |
Tuscano et al. | | Types of keyloggers technologies–survey |
RU2770570C2 (en) | | System and method for determining process associated with malware encrypting computer system files |
Thomas | | Machine Learning Applications for Cybersecurity |
Balakrishnan et al. | | An analysis on Keylogger Attack and Detection based on Machine Learning |
Ferdous et al. | | Malware resistant data protection in hyper-connected networks: A survey |
Bayoglu et al. | | Polymorphic worm detection using token-pair signatures |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: WEBROOT SOFTWARE, INC., COLORADO. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GREENE, MICHAEL P.;PARKER, MATT;REEL/FRAME:018675/0609;SIGNING DATES FROM 20061206 TO 20061219 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |