Benchmarking Keyloggers for Gathering Digital Evidence on Personal Computers

Keyloggers refers to the hardware or software programs, which examine keyboard and mouse activity on a computer in a secretive manner so that the owner of the computer is not aware that their actions are monitored. The keyloggers accumulate the recorded keystrokes for later recovery or remotely convey it to the person employing them. Keyloggers aimed to serve as spyware and currently serve the same purpose. However, keyloggers have the potential of serving as a detective tool to gather digital evidence (Actual Spy, 2009). Similar to a phone recording mechanism at a call center, the keylogger secretly monitors and records all keystrokes typed in emails, word files, and activities in a chat room, instant messages, web addresses and web searching. Keyloggers have existed for many years and it is believed that the United States of America (USA) government in the early 1990 was the first to develop those programs (Symantec, 2005).

Essentially there are two various types of keyloggers (hardware and software), each with their own exceptional elements (Wood and Raj, 2010). Software keyloggers have some elements that capture user information without depending on keyboard presses as the central input. Some of these aspects include Clipboard logging, screen logging and programmatically capturing the text in control. Hardware keyloggers exist at the hardware stage in a computer system and can be complicated to notice using software and spyware scanners. Hardware keyloggers store the monitored information in their own in-house memory chip. Additionally, software keyloggers store all the monitored keystrokes on the PC’s hard drive on which they install. There are several different types of keyloggers available in the market today. Keyloggers make it easy to interrupt information prioror as soon as it enters the computer system as some keystrokes immediately hide or encrypt, such as emails and windows login passwords.

According to Jonathan (2008), choosing the right keylogger to monitor information on PCs without a chance for detection is a complicated task. Companies have to decide on the standard of security that they will need during the recording process. Key questions include; what is the sensitivity of the monitored information? Is the PC monitored when connected to the internet? Will multiple users be using the PC risk monitored? Is the interest in both outgoing and incoming information? Do you need a screen capture capability? Do you need a complete secrecy during the monitoring activity? What is the standard of IT proficiency of the targeted PC? (Jonathan, 2008).

Cyber crime is any crime that includes a computer and a network, where the computers may or may not have played an importantly ingredient in the success of the crime, (Moore, 2005). With the high rates in computer crimes and complications in collecting evidence various Information security control precautions are in place to avoid Information systems. Various authors state that Cyber crime is increasing in both volume and complexity due to the growth in computer technologies making detection of the offenders very complicated (Bakibinga, 2009).

Computer forensics is currently in place to fight computer crimes. Computer forensics deals with gathering digital evidence from computers, networks and others digital devices. Forensics associates with the capture, evaluation and design of system activities in order to establish a compromised PC in case of an attack (Ilkyeun and Tae-Kyou, 2009). In order to fight computer crime, it is possible to locate criminal from within the computer and the available network. This evidence needs security in an appropriate manner using forensic enquiry so that the courts of law can use it as evidence of criminal behavior and violation of the law.

Digital evidence can be any data stored or conveyed in digital outline that the court may use during a criminal trial. Digital evidence, by its nature, is delicate and can be changed, broken by inappropriate handling or examination (Ashcroft et al., 2004). For these reasons, there is a need for special precautions to safeguard this type of evidence. Failure to do so may turn into unusable or lead to an imprecise finale. This project’s primary objective is to benchmark keyloggers and establish an application, which can help in detecting keyloggers, which may offer importance to collect digital evidence on PCs. The project will offer a solution to the complication in collecting digital evidence on PCs with keyloggers. With the high price of computer forensic tools, this project will offer an important opportunity for small to medium enterprises to observe their PC activities thus reducing computer crimes.

1.2 Statement of the Problem

Although computers have become a need in our daily livelihoods, the use of computers for the wrong intentions has given rise to the field of IT security and computer forensics. Keyloggers at times are essential for covert monitoring on personal computers. However, their use has been criticized on privacy matters and because they can be used to breach trust of a system. More so, keyloggers have the ability to access forbidden authorization to a computer; therefore, making the use of key loggers in collecting digital evidence hard.

Keyloggers can acquire a lot of information when installed on personal computers but not all this information arises to digital evidence. Despite this chance, very few organizations are using keyloggers on their company PCs to monitor employees for internet and general PC usage conformance. Part of the challenge is the legality surrounding the use of keyloggers since they infringe on the privacy of the PC users and the fact that it is not easy to identify a keylogger, which may used to monitor PC usage. The Project therefore seeks to address the problem of use of keyloggers in gathering digital evidence on personal computers.

1.3 Objectives

1.3.1 General Objective.

The common goal of this project is to scale keyloggers and establish an application for detecting keyloggers, which attackers may use to collect digital evidence on PCs.

1.3.2 Specific Objectives

i. To recognize the main elements of keyloggers which attackers can use in collecting digital evidence

ii. To scale the primary elements of keyloggers iii. To establish a benchmarking method for detecting keyloggers in collecting digital evidence

1.4 Scope

The project will primarily focus on software keyloggers because they have more elements compared to hardware keyloggers. The attackers keenly choose software keyloggers from the internet. The application established will help out in collecting digital evidence on PCs.

1.5 Project Justification

This research project, aims on establishing a system for recognizing keyloggers, which can assist in collecting digital evidence, will help Information security professionals achieve the following:

i. Recognize keyloggers, which have the ability to collect digital evidence on PCs.

ii. Identify what bounds to look at when collecting digital evidence on PCs.

iii. Identify how to handle the digital evidence collected on PCs to uphold its integrity.

More so, the project will add to the existing literature on keyloggers and digital evidence. It will also help Information Security experts in collecting digital evidence on personal computers in cases of cyber crimes (Kotadia, 2006). The evidence collected will assist in prosecuting attackers who target personal PCs.

2.0 Literature Review

2.1 Background

Keyloggers have existed for many years and it is a belief that the U.S. government first used them for secretly monitor PCs. However, it is also a belief that they used them in the early 90’s though some suggest that the first keylogger appeared before and some claim they appeared later. Keyloggers have become one of the most influential applications in use to secretly monitor PCs. Developments in the globe have shown how simple it is to obtain all sorts of data with the help of computers. This information is important for a selection of efforts, and criminal action is a significant among the efforts. In a bid to curb this new crime, law enforcement agencies, financial organizations, and investment firms are utilizing computer forensics into their resources. From network security violation to children pornography researches, the general bridge is the illustration that the specific electronic media provided by the evidence that would incriminate them. Supportive exploration procedures should be in place to show that the electronic media contains the incriminating evidence, Ashcroft et al. (2004).

Ashcroft et al. (2004), suggests five steps, which researchers should follow when conducting a computer forensic examination. These steps include the following and suggest the order in which they should take place.

Policy and Procedure Development: Computer forensic as a regulation that requires specially trained experts, support from administration, and the essential funding to keep the unit working. Departments should implement policies and procedures for the operation of a computer forensic department.

Evidence Assessment: The digital evidence requires a systematic assessment concerning the case to establish the path of accomplishment.

Evidence Acquisition: Digital evidence, by it is very nature is fragile and may threaten to change, damage, or destruction by inappropriate examination. For these reasons, there is a need for exceptional measures to safeguard the evidence. Failure to do so may turn into it useless or lead to inadequate conclusion.

Evidence Examination: General forensic policies apply when scrutinizing evidence. Diverse cases and media may call for different techniques of evaluation. Persons assessing digital evidence require exceptional training for this objective.

Documenting and Reporting: The examiner is accountable for accurate reporting the results and the outcomes of the evaluation of the digital examination. Documentation is a continuous activity throughout the evaluation. It is significant to monitor the steps taken during the digital evidence examination.

In the current scenario, security concerns are top for any firm. Attackers are using different key logging methods to access private data especially user login details. Once the attacker gets the credentials, they can easily validate themselves as the system user.

In (Gong, 2010) the author has proposed a new pattern of virtual keyboard. The solution in this paper highlights on login record protection from screen capture software by using the idea of reorganizing of the keys (Adhikary et al., 2007). This is providing solution to screen capturing software. Nevertheless, this captures the screen only when an event occurs. While in case of screen, recording software there is no need of case occurrence. It is easy to guess keystrokes by analyzing the recorded video. In (Agarwal and Mehra, 2011) the authors have put forward a resolution to the screen capturing keylogger by using a color coding system and vibrant keyboard.

The major fault of this way out is that an attacker can recognize the keys clicked on a keyboard. This is possible by assessing the model of screen shot captured from the first appearance of the keyboard when no production of color coding mechanism. Seref and Gurol (2009) discuss about the increasing risks to computer security and the privacy. They explain various methods of key logging and illustrate in detail working of keyloggers. There are diverse places to put the keylogger. It can be anywhere between any virtual keyboard and windows operating system. The comprehensive investigation shows that the right place to add anti-keylogging mechanism is just before the window operating system (Gong, 2010). The existing representations do not offer full-fledged clarification to key logging and screen recording software. They allow for security to some degree to key logging and screen capturing software and this call for some solution to prevent this from happening.

2.2 The concept of Keylogging

Keylogging is the method of tracking (or logging) the keys struck on the keyboard naturally in a secret way so that the person using the PC does not notice that their action are being monitored. On the other hand, a keylogger is a program that runs in the locale, monitoring and subsequently recording all the keystrokes typed on a keyboard in a hidden move so that the person using the keyboard is unaware that someone is monitoring their activities. Keyloggers can either come as hardware or software programs (Actual Spy, 2009).

2.2.1 Hardware keyloggers

Hardware-based keyloggers do not rely upon any installed software installed, because they exist in a hardware level in a computer system, (Bhaid and Mahmood, 2007). The primary advantage of hardware keyloggers is that it is hard to notice when using software and spyware scanners. Hardware keyloggers store the collected data in their own internal memory chip.

2.2.2 Software keyloggers

The design of software keyloggers gives them the capacity to work on the target PCs operating system. There are five groups, (Olzak, 2008), of Keystroke logging:

Hypervisor-based: they have the ability to reside in a malware hypervisor running in the background of the operating system, which remains unnoticed. It efficiently becomes an essential machine.

Kernel based: This technique is complicated to both program and combat. Such keyloggers dwell at the kernel stage and are thus undetected. They exist and executed as root kits that subvert the operating system kernel and acquire access to the hardware, giving them a powerful working mode. A keylogger using this technique act as a keyboard application for example, and gain access to any information typed on the keyboard as it later finds its way to the operating system.

Hook based: These types of keyloggers hook the keyboard with the help of functionality presented by the operating system for applications to give to keyboard situations legally. The operating system makes the keylogger aware every time a key is pressed and the keylogger monitors and records the keystrokes.

Passive Methods: In this technique, the coder utilizes the operating system APIs such as GetAsyncKeyState, GetForegroundWindow, etc. To analyze the situation of the keyboard in order to get access to keyboard events.

Form Grabber based: In this for, Form Grabber-based keyloggers, the keyloggers get log web form submissions by monitoring the web browsing on put forward event tasks. In so doing, the keylogger obtains form information before it gets over the internet and by passes encryption.

2.3 Features of keyloggers

Software keyloggers have more attributes compared to hardware keyloggers. Some software keyloggers have an additional characteristic to send an electronic message of the monitored keystrokes to a pre-specified email box where it is later accessed. Other software keyloggers can also record incoming and outgoing internet traffic and even detect screen shots, but this tends to reduce the speed of even the fastest PC. The screen shots captured can quickly fill the hard disk space and lead to instability of the system (Kotadia, 2006). As keyloggers become advanced, the capacity to detect the keyloggers becomes complicated and they can even breach a user’s privacy for months or even years without notification. During that period, a keylogger can gather a lot of information from the PC in record, (Martin and Sylvain, 2009). According to John Leyden (2000), software keyloggers may come with features that capture the user’s data without depending on keyboard key presses as the central input.

2.4 Key loggers as a means of gathering Digital Evidence

Digital evidence or electronic evidence refers to any probative information stored or conveyed in digital outline that a party in a court case may use during trial (Stephen, 2008). Although many courts in the United States have applied the Federal Rules of Evidence to digital proof similarly to traditional documents; the courts have realized very significant diversification. Compared to the traditional evidence, courts have realized that digital evidence is likely to voluminous, difficulty in destruction, modifiable, easy to duplicate, expressive, and readily available. For this reasons, some courts have perceived the digital evidence differently for intentions of authentication. Additionally, in December 2006, the Federal Rules of Civil Procedure enacted stern new rules implemented required the preservation and revelation of electronically stored proof (Eoghan, 2009).

Keyloggers can offer detective assistance on PCs because of the different features they have. Keyloggers have become very common and accessible free of charge from the internet therefore making them readily available for use as a detective tool on personal computers. Detective tools for PCs are very expensive therefore making keyloggers an option for people and attackers. The capacity of keyloggers to work sneakily without the computer user knowing they exist makes them good for secretive surveillance on PCs. The computer users will not know their computer activity is in record and only he or she can access its logs (Richards, 2007). Keyloggers are able to record a lot of information, which can later translate to digital evidence and used to prosecute computer crimes. It is possible to evaluate all the data collected by keyloggers and used to conduct forensic investigations.

2.5 Challenges of Keyloggers

Computer Security is a significant issue of apprehension for almost every computer user and firms that use computers. Keyloggers have raised concerns for computer privacy and the security of electronic data. One of the challenges with keyloggers is the anxiety of probable violation of privacy. Keyloggers once unknowingly installed on a PC will collect many data thus putting susceptible information at threat. There are several legal issues, which besiege the use of keyloggers. In order to execute keyloggers on PCs, there is a need for full legal consent of the PC user. Inadequacy of this can translate to legal action against the people executing and installing the keyloggers.

Keyloggers portray a probable source of computer malware. Hardware keyloggers have a memory, which has the capacity to store malware for some time making them able to harm a PC. On the contrary, software keyloggers work in a similar manner with Trojan horses thus attacking the computer system under the camouflage of a program performing a different task. Gathering useful data from a keylogger is a complicated task. Each keylogger has a diverse manner of representing the keystrokes information making it complicated to understand the recorded information.

2.6 Conclusion

In conclusion, keyloggers primarily objected to serve as spyware and serve to accomplish harmful purpose. Although keyloggers have their own difficulties, they can assist in the detective field in collecting digital proof on PCs. However, there is a need to consider some important things before selecting a keylogger as a tool for collecting evidence on a PC. It is important to analyze the information gathered by the keylogger to serve the intended purpose. In addition, there is a need to handle the information collected by the keylogger according to the laid down techniques for it to serve as digital evidence, which can help in prosecuting cyber crime. This project seeks to develop an application, which may help to identify keyloggers. Methodology 3.1 Introduction

Software keyloggers are a group of invasive software growing rapidly often used to access information. One reason for the increased development is the possibility for unprivileged programs running in user space to find a way and record all the keystrokes typed by a system’s user. The capability to operate in unprivileged mode enhances their implementation and circulation, but at the same time allows for comprehension about their framework and behavior in detail. Leveraging this attribute, this chapter aims to propose a new detection method that will help in careful stimulation of the crafted keystroke sequences in input and monitors the behavior of the keylogger in output to recognize it in the midst of all the running processes. The attackers can implement keyloggers as tiny hardware devices; however, most of the attackers prefer them in software because it is more convenient than in hardware form (Holz, Engelberth and Freiling, 2009).

For instance, keyloggers implemented by a kernel module operate with complete privileges in the kernel space. Subsequently, it is possible to implement a completely unprivileged keylogger by a simple user space process (Le et al., 2008). This is because a user-space keylogger has the capacity to depend on documented sets of unprivileged APIs, which are available on the latest operating systems. In addition, a keylogger implemented through a user-space process is easy to employ because there is no need of special permission. Therefore, a user can regard the keylogger as a harmless piece of software and fall in the trap of executing. On the contrary, in the case of kernel space keyloggers, the user will require to have special privileges in order to install and execute the unsigned code within the kernel. In addition, operating systems such as Windows Vista or Windows 7 will not allow for this practice (Ruthkowska, 2007).

This chapter proposes a new model to detect keyloggers running as unprivileged user space processes. In order to match the deployment framework, the implementation of the technique based in an unprivileged process. This solution is portable, un-intrusive, easy to execute, but very efficient. Additionally, the proposed method is fully black box (central to general behavioral attributes of all keyloggers) (Ortolani et al., 2003). In simple terms, this technique does not depend on the internal structure of the keylogger or the specific set of APIs utilized. In addition, this solution is practical. In case of prototyping or evaluating the approach provided in this chapter, against available keyloggers, it will definitely prove efficient in all cases (Holz, Engelberth and Freiling, 2009).

3.2 Modern keylogger

Violating an individual’s privacy by logging his or her keystrokes is possible at varying many levels. For instance, an attacker who has physical access to the PC can wiretap the hardware of the keyboard. In turn, a dishonest Internet cafe owner may find it convenient to buy a software solution, execute on all terminals, hence all the logs will drop on his own PC (Zhuang, Zhou and Tygar, 2009). Depending on the environment, it is possible to implement a keylogger in many varying ways. In an example, external keyloggers depend on physical access, produced by either typing, or electromagnetic waves resulting from a wireless keyboard. In addition, hardware keyloggers are external devices, however placed in between the keyboard and motherboard for efficient implementation (Majid, 2011). However, all the examples provided require one to physically access the target PC.

In order to overcome the challenges identified in the provided examples, attackers are now utilizing software models. Hypervisor-based keyloggers such as BluePill are examples of software evolution resulting from hardware-based key loggers, which perform an attack between the hardware and operating system. However, implementation of the Kernel keyloggers is a bit complicated. Contrary to the hypervisor-based model, hooks used to intercept buffer-processing cases or other kernel information. Overall, all the stated approaches require a privileged access to the PC. In addition, writing a kernel driver hypervisor-based model is a challenge because it needs substantial effort and knowledge for an efficient and bug-free implementation. On the other hand, user-space keyloggers does not need either super-user privileges or a limitation that allows for a kernel code implementation. Moreover, user-space keylogger writers can depend on well-documented sets of APIs presented in current operating systems, which do not require special programming skills (Le et al., 2008).

In addition, keyloggers fall under several groups depending on the scope of the hooked data structures. Owing to the fact that a system can hold several applications, it is possible to intercept keystrokes both globally and locally. We term these two categories of user-space keyloggers type I and type. Figure 1 shows the put forward classification: the left pane shows the process of delivering a keystroke to the purposed application, whereas the right pane highlights the specific module subverted by each category of keylogger (Ortolani et al., 2003). It is easy to implement both types in Windows, while the facilities present in Unix-like OSes, X11 and GTK required allow for a straightforward implementation of the invasive type 1 keyloggers. Table 1 presents a list of all the APIs applicable to implement a user-space keylogger. Briefly, the Set- WindowsHookEx () and gdk_window_add_filter () APIs are used to interject the keylogging practice prior to a keystroke is efficiently delivered to the targeted application. For SetWindowsHookEx (), this is possible by setting the last parameter (thread_id) to 0 (which subscribes to any keyboard occasion).

Type

Comments

Windows APIS

Type 1

SetWindowsHookEx (WH_KEYBOARD_LL, …, 0)

GetAsyncKeyState ()

The keylogging procedure given as an argument

Poll-based

Type II

SetWindowsHookEx (WH_KEYBOARD, …, 0)

GetKeyboardState ()

GetKeyState ()

SetWindowLong (…, GWL_WNDPROC, …)

Intercepting fDispatch, Get, TranslategMessage ()

The keylogging procedure given as an argument

Poll-based

Poll-based

Overwrites the default procedure

Manual instrumentation of Win32 APIs

Unix like APIs

Type I

gdk_window_add_filter (NULL, …)

inb (0x60)

XQueryKeymap ()

keylogging procedure given as argument.GTK API

Poll-based and available only to the super-user

Poll-based X11 API

For gdk_window_ add filter (), it is adequate to set the handler of the examined window to NULL. The category of functions XQueryKeymap (), and inb (0x60) doubt the state of the keyboard and result to a vector with the state of all (one in case of Get Key- State ()) the keystrokes (Majid, 2011). When using these functions, the keylogger must regularly tap the keyboard to interrupt all the keystrokes (Majid, 2011). The functions of the last category have a relation only to Windows, which overwrite the default address of keystroke-related functions in all the Win32 graphical applications. We have not found any example of this particular class of keyloggers in Unix-like OSes. Since some of the APIs have just local scope, Type II keyloggers need to inject part of their code in a shared portion of the address space to have all the processes execute the provided callback. The only exception is with a Type II keylogger that uses either GetKeyState () or GetKeyboardState ().

From the analysis provided, implementation of all user-space keyloggers is either hook-based or uses polling mechanisms. Secondly, all APIS are legitimate and have a good documentation. Third, all current modern operating systems offer a wide range of APIs. Specifically, they provide the capacity to capture keystrokes despite of the focus on application. The design choice will be initiated by the need to support the functionalities for valid applications. There are some situations that where the ability to interrupt keystrokes is a fundamental need; these situations include. Keyboards with some additional special functional keys, windows manager characterized by system defined shortcuts and background user applications whose implementation results by user-defined shortcuts (Zhuang, Zhou and Tygar, 2009). However, it is possible to implement the functionalities with available APIs.

Characteristics of Keylggers as Legitimate Applications

Ease of execution: A functional yet minimal keylogger can undergo implementation in less than 100 lines of C# code. Owing to this, it is possible to enforce polymorphic or metamorphic behavior to thwart signature-based precautions.

Cross version: By relying on documented and firm APIs, it is possible to deploy a specific keylogger on various versions of similar operating systems.

Unprivileged installation: There is no need for special privileges needed in order to execute a keylogger. Therefore, it is not required to look for particular exploits to install arbitrary privileged codes.

Unprivileged execution: It is hard to notice a keylogger during normal execution. In addition, the executable does not require to obtain privileged rights.

3.3 Approach

The approach provided in this chapter focuses on designing a detection method for unprivileged user-space keyloggers. In contrast to other classes of keyloggers, a user-space keylogger is process that appears in the background, which records operating system supported hooks and log every keystroke issued by a user into the present foreground application. The objective is to stop user-space keyloggers from acquiring private information intended for a trusted foreground application. The proposed model examines the possibility of separating the keylogger in a controlled setting, where its behavior is exposed to the detection model. The method involves controlling the keystroke cases that leads to the attacker accessing or rather receiving input, and regularly monitoring the input output activities generated by the keylogger in output (Williams, 2007).

In order to accomplish the detection, we control the correlation between the input and output of the controlled setting, which the keyloggers can model with outstanding estimation (Goodwin and Leeach, 2008). In addition, despite the transformations performed by the keylogger, somehow the pattern observed in the keystroke events in input will result in the I/O activity output. However, when I/O is controlled it is possible to identify general I/O models and flag detection. Nevertheless, selecting the input pattern, before, will help in preventing detections and attempts to avoid detection. In order to detect background keylogging, this method constitutes a preprocessing step to shift the focus to the background forcefully. In addition, this method is necessary to prevent flagging foreground applications that legitimately react to user-issued keystrokes such as word processors.

The advantage of this method is that it is central around a black-box approach that fully ignores a keylogger internals. In addition, monitoring I/O is a non-intrusive procedure, which multiple processes can perform it simultaneously. As a result, the proposed method can handle a large number of keyloggers transparently and enables an unprivileged system to have the ability to detect all running processes on a particular system (Hsu and Smith, 2003). The proposed approach ignores the content of the input and output information, and primarily focuses on their circulation. Confining the approach to a quantitative analysis will enable the capacity to implement the detection method with only unprivileged mechanisms. However, the proposed model poses some challenges such as; first, it is important to deal with probable data adjustments that may bring rise to variances amid the input and the output patterns.

Chapter 4: System Analysis and Design

4.1 Design

The proposed design relies on five different components: injector, monitor, pattern translator, detector, pattern generator. The operating system deals with the details of I/O and event handling. The operating system realm does not picture all the details to the upper levels without using privileged API. As a result, the injector and the monitor operate at another standard of abstraction, the Stream Domain. At this level, keystroke events and the bytes output by a process come into view as a stream produced at a specific rate (Hsu and Smith, 2003). The role of the injector is to introduce a keystroke stream to create the behavior of a user typing at the keyboard. Similarly, the monitor monitors a stream of bytes to obtain the output habit of a specific process regularly. A stream depiction is only concerned with the circulation of keystrokes or bytes produced over a given window of scrutiny, without utilizing any additional qualitative information. The injector receives the input stream from the module translator, which serves as link between the Stream Domain and the Pattern Domain. Similarly, the monitor sends the output stream recorded to the pattern translator for additional evaluation.

In the Pattern realm, the input stream and the output stream both symbolized in a conceptual appearance, referred to Abstract Keystroke Pattern (AKP). A prototype in the AKP form is a discredited and common representation of a stream. Utilizing a compact and consistent representation is significant for various reasons (Ortolani et al., 2003). First, this provides the pattern generator to focus on producing an input module that pursues a yearning circulation of values. Details on how to inject a specific circulation of keystrokes into the system delegated to the pattern translator and the injector. Second, the same input pattern reprocessed to produce and inject several input streams with different properties but following the same underlying distribution. Finally, the capacity to reason over conceptual representations makes the role of the detector easy, which only receives an input pattern and an output pattern and makes the concluding decision on whether or not to trigger detection (Brumley et al., 2008).

4.1.1 Injector

The function of the injector is to insert the input stream into the structure, imitating the behavior of a user on the keyboard. By architecture, the injector must satisfy some important requirements. First, it should only depend on unprivileged API calls. Second, it should have the capacity to inject keystrokes at distinguishable rates equivalent the circulation of the input stream (Ortolani et al., 2003). Finally, the resulting chain of keystroke events generated should not vary from those produced by the correct user. In other words, no user-space keylogger should be in a position to note a difference in the two different events. To tackle all these subjects, we control the same method utilized during an automated testing. On Windows-based operating systems, this functionality happens because of the facilitation by the API call keybd_event. In all Unix-like OSes supporting X11, the same functionality offered via the API call XTestFakeKeyEvent.

4.1.2 Monitor

The monitor’s task is to record the output stream of all the processes running in the foreground. Similarly, to the injector, the monitor will allow only unprivileged API calls. Additionally, the monitor favors strategies to perform real-time observations with minimal overhead and the best rank of resolution probable. Finally, we desire an application-level statistics of I/O processes, to prevent dealing with file system level caching or other menaces. Fortunately, most current operating systems offer unprivileged API calls to allow performance counters on a per-process source. On all the versions of Windows since Windows NT 4.0, the Windows Management Instrumentation (WMI) offers this functionality. Specifically, the performance counters of each process presented via the class Win32_Process, which supports an efficient query-centered boundary.

The counter WriteTransferCount comprises the total number of bytes written by the process since its creation. It is significant to note that scrutinizing the network activity is probable; however, it needs a current version of Windows such as Windows Vista (Ruthkowska, 2007). To design the output stream of a particular process, the monitor checks this piece of information at frequent time intermissions, and records the number of bytes written since the last query. The proposed method has a link to Windows-based operating systems. Nevertheless, we identify out that as strategies can be realized in other OSes; both Linux and OSX, in fact, support corresponding performance counters, which are available in an unprivileged manner.

4.1.3 Pattern Translator

The function of the prototype translator is to convert an AKP into a stream, within a given a set of design bounds. It is possible to model a pattern in the AKP form into a series of illustrations coming from a stream sampled with a standardized time intermission. A test PI of a pattern P. is a conceptual representation of the number of keystrokes given out during the time interval i. In addition, each test is stored in a normalized outline in the intermission [0; 1], where 0 and 1 represent the predefined least and utmost number of keystrokes in a particular time intermission. In order to convert an input model into a keystroke stream, the pattern translator reflects on the following design parameters, N representing the number of samples in the pattern; T, representing the regular time intermission among any two consecutive samples; Kin, representing the minimum number of keystrokes per sample allowed; and Kmax, representing the maximum number of keystrokes per sample allowed (Ortolani et al., 2003).

When transforming an input pattern in the AKP form into an input stream, the pattern translator produces, for every time interval i, a keystroke stream with an standard keystroke rate _R I = Pi_(Imax?

Kmin)+Kmin T . The iteration is recurred N. times to envelop all the samples in the creative pattern. Overall, there is adoption of a comparable approach when adjusting an output byte stream into a pattern in the AKP appearance. The pattern translator utilizes similar parameters used in the generation phase and assigns Pi = _R i_T Kmin Kmax Kmin where _R I is the constant keystroke rate measured in the time intermission i. The translator presumes an association among keystrokes and bytes and treats them as equivalent as base units of the input and output stream, consecutively. This presumption does not always apply in practice and the detection algorithm has to put in mind any possible scale adjustment among the input and the output module.

4.1.4 Detector

The accomplishment of the proposed detection algorithm lies in the capacity to suppose a cause effect relationship among the keystroke stream injected in the system and the I/O behavior of a keylogger process, or, particularly, between the relevant patterns in AKP appearance. While it is significant to explore each process in the system, the detection algorithm functions on one process within a set timeline, recognizing whether there is adequate similarity between the input module and the output pattern acquired from the evaluation of the I/O behavior of the process on target. Additionally, given a predefined input pattern and an output pattern of a specific process, the objective of the detection algorithm is to establish whether there is a correlation in the patterns and it is possible to recognize the target process as a keylogger (Goodwin and Leech, 2008).

The first step in the creation of a detection algorithm comes down to the implementation of an appropriate metric to gauge the similarity between any two given patterns. In standard, the AKP representation provides for several applicable measures of dependence that have similarity two discrete series and enumerate their relationship. In practice, we depend on a single measure motivated by elements of the two modules. The proposed detection algorithm borrows from Pearson product-moment correlation coefficient (PCC), one of the broadly utilized correlation precautions (Benesty, Chan and Huang, 2008). Given two discrete sequences described by two patterns P. And Q. with N. samples, the PCC is defined where cov (P; Q) is the sample covariance, _P and _Q represent the sample typical differences, and _ P. And _Q represent the test means. The interest in the PCC is primarily because of its appealing mathematical characteristics.

In addition, PCC gauges the strength of a linear correlation between two sequences of samples. In this context, a linear dependence estimates the correlation between the input pattern and an output pattern resulting from a keylogger. Briefly, the PCC is flexible to any alteration in location and scale, namely no difference can be observed in the correlation coefficient if every sample Pi of any of the two patterns is changed into a _ Pi + b, whereby a and b are random constants. In addition, the input pattern and an output pattern will show similarity if every keystroke injected is replicated as it is in the outcome of a keylogger process (Rodgers and Nicewander, 1988).

In practice, different data adjustments performed by the keylogger can change the original organization in various ways. First, a keylogger may encode each keystroke in a series of one or more bytes. As outlined earlier, the change in scale will not affect the relationship coefficient and the PCC will produce the same values. Similar arguments are legitimate for keyloggers utilizing a variable length representation to store keystrokes. For instance, a typical application of the location invariance property is the capacity to moderate the influence of buffering (Sharon, Bruce and John, 2006). When the keylogger incorporates a fixed-size buffer with a size similar to the number of keystrokes injected at each time intermission, it is easy to show that it does not affect PCC is substantially.

For instance, the event when the buffer size is smaller than the minimum number of keystrokes Kmin. Using this assumption, it is possible to remove the buffer at least once per time interval. The number of keystrokes remaining in the buffer at each time interval establishes the number of keystrokes not included in the output pattern. Depending on the circulation of tests in the input pattern, we assume the number would settle to something like z. The geometric meaning of the z is the constant number of keystrokes dropped per time interval. In addition, we can approximate the number by a location change of the creative pattern by an element of z, which has no influence on the value of PCC. The last example shows the significance of selecting a proper Kmin when the influence of fixed-size buffers must be considered. It is apparent, according to the examples discussed, that PCC is tough to several potential data conversions.

A fundamental factor to consider is, however, the number of tests accumulated. A larger number of tests are important especially in case of disturbing elements. In addition, selecting a larger number of tests could, decrease the unfavorable outcome of errors resulting from measurement errors. The detection algorithm proposed in the detector, depends on the PCC to approximate the link between an input and an output model. In order to establish whether a given PCC value should activate detection, a thresholding system is used. The proposed detection algorithm will infer a fundamental relationship between two patterns by evaluating their correlation. Additionally, experience shows that it is not possible to use a correlation to entail causation in the common case. In order to stay away from false positives, it is significant to collect strong evidence to infer with good likelihood that a given process is a keylogger.

4.1.5 Pattern Generator

The proposed pattern generator aims to support varying pattern production algorithms. In additionally, the pattern generator has the capacity to leverage any algorithm generating a legitimate pattern in AKP form. This part proposes a number of pattern production algorithms and explains their characteristics. The first significant problem to reflect on is the influence of variability in the input module. Experience shows that correlations tend to be stronger when samples circulated over a wider range of values (Aldrich, 1995). This means that, the more the variability in the given circulations, the more accurate the resulting PCC computed values. This suggests that a robust input pattern should contain samples on the entire target interval [0; 1]. The range of keystroke rates used in the pattern translation process also similarly influences the standard of variability in the input stream. The higher the range delimited by the minimum keystroke rate and maximum keystroke rate, the more credible the outcomes.

Chapter 5: System Implementation

To analyze the proposed detection method, we implemented a prototype based on the concepts outlined in the paper. The program having written in C# in 7000 LoC, it runs as an unprivileged application for the Windows operating system. It also gathers simultaneously all the processes’ input output patterns, thereby allowing for evaluation of the whole system in a single process. Although the design put forward can easily extend other operating systems, the focus is Windows for the substantial number of keyloggers presented. The ultimate goal is to understand the efficiency of the technique and its applicability to realistic settings. For this purpose, we evaluated our prototype against many publicly available keyloggers. In this context, the proposed evaluation uses the false negatives to assess the efficiency of the technique.

5.1 False Positives

In this approach, false positives may happen when the output pattern of some process mistakably scores an important PCC value. If the value is high than the chosen threshold, a false detection is flagged. In order to create representative fake workloads for the PC user, this technique adopts the broadly used SYSmark 2004 SE suite. The suite utilizes common Windows interactive applications to produce practical workloads that imitate common user situations with input. In its 2004 SE version, SYSmark supports the Internet Content Creation and Office Productivity. Additionally, we also tried with another workload copying an idle Windows system with general user applications 1 running in the background, and no input allowed by the user.

For each scenario, we repeatedly reproduced the synthetic workloads on a number of varying PCs and gathered I/O traces of all the running processes for several possible sampling intervals T (Hsu and Smith, 2003). Each trace was stored as a set of output patterns and broken down into k consecutive chunks of N. samples. There was a redo of each experiment twice. In addition, we used patterns from the first patterns to train our workload aware pattern production algorithm and the second utilized for testing. In the testing stage, the maximum PCC between was measured every generated input pattern of length N. And every output pattern in the testing sample. At the end of each experiment, we averaged all the results.

In addition, there was testing for all the workload diagnostic pattern production procedures generated previously. In this case, the study relied on an instrumented version of the prototype to gauge the maximum PCC in all the represented scenarios for all the k chunks. The first activity is to analyze the pattern length N, analyzing its impact with T = 1000ms. The figure below shows the results of the experiments for the Idle, Internet, and Office workload. The behavior shown is equivalent in all the workload scenarios explored. The difference noted is that the Office workload depicts an unstable PCC circulation. This is because of the irregular I/O workload observed. It is apparent from the figures, the maximum PCC value decreases as N. increases. This affirms the perception that for small N, the PCC may result to unstable and incredible results, possibly assigning very high correlation values to regular system processes.

In addition, the maximum PCC decreases rapidly and, for instance, for N > 30, its value is below 0:35. Concerning the pattern production algorithms, they all show similar behaviors. Notably, RFR produces the most stable PCC circulation. This is evident for the Office workload. In addition, our workload-aware algorithm WLD does not perform better than any other workload-agnostic pattern production algorithm. The above evidence suggests that, concerning the value of N, the output pattern of a process at any given time is not necessarily a good predictor of the output pattern that may arise next. This shows the low level of predictability in the I/O behavior of a process. From the same figures we it is possible to monitor the effect of the parameter T. On input patterns produced by the IMP algorithm (with N = 50). For small values of T, IMP outperforms all the other algorithms by generating tremendously anomalous I/O patterns in the entire scenarios (Hsu and Smith, 2003). As T. increases, the irregularity diminishes and IMP links to the behavior of the other algorithms closely. Generally, for rational values of T, all the pattern production algorithms show a constant PCC circulation.

This affirms the attribute of self-similarity of the I/O traffic. Apparently, RFR and WLD depict a solid circulation of the PCC. This is because of the utilization of a fixed variety of values in both cases, and verifies the perception that more variability in the input pattern results to results that are more accurate. However, for very small values of T, WLD achieves substantially. This is a clue that predicting the I/O behavior of a generic process in an accurate way is only realistic for small windows of scrutiny. In all the other cases, we believe that the density of implementing a workload-aware algorithm substantially outweighs its advantages. In this evaluation, it is apparent that it is possible to acquire similar PCC circulations with very diverse types of workload, suggesting that it is probable to choose similar thresholds for many varying environments. For reasonable values of N. And T, a threshold of _ 0:5 are adequate to rule out the possibility of false positives, while being able to detect most keyloggers efficiently. In addition, the use of a stable pattern production algorithm like RFR could significantly assist in minimizing the intensity of unpredictability in various settings.

Chapter 6: Conclusion and Recommendations

6.1 Conclusion

This paper presents an unprivileged black box to help in detecting the most general keyloggers. The information provided modeled the attributes of a keylogger by creating a connection with the input and the output. In addition, the information augments with the capacity to inject keenly constructed keystroke modules. In the different chapters of the paper, there is development of a discussion on the problem to selecting the best-input module to enhance the detection rate (Ortolani et al., 2003). In addition, the paper provides an implementation of the selected method on Windows, the prone operating system to the risk of keyloggers. In order to develop an operating dependent architecture, the paper provides an implementation details for other operating systems. In addition, there is comprehensive evaluation of the prototype against common keyloggers with no false positives apparent. The developed technique may after sometime prove vulnerable; however, the present approach provided raises the protection status against risk of keyloggers.

6.2 Recommendation

The extensive research conducted in this paper will yield positive results; therefore, I am certain that the results shown from the framework developed will certainly work. In order to facilitate integration and stability of the model, this calls for more tests on a large number of keyloggers from the various categories on a working environment. Therefore, this calls for extensive and empirically tested research on the same topic.

References

Actual Spy, (2009). Keyloggers. Retrieved February 20, 2010 from http://www.actualspy.com/articles/keyloggers.html

Adhikary et al. (2012). Battering Keyloggers and Screen Recording Software by fabricating

Passwords I.J. Computer Network and Information Security, 5, 13-21.

Aldrich, J. (1995). Correlations Genuine and Spurious in Pearson and Yule. Statistical Science,

10(4), 364-376.

Ashcroft, J., Daniels, J., Deborah, Hart, V.S. (2004). Forensic Examination of Digital

Evidence. A Guide for Law Enforcement.

Baig, M.M., & Mahmood, W. (2007). A Robust Technique of Anti-key-logging using Key-logging Mechanism. Inaugural IEEE-IES, 314-318.

Benesty, J., Chen, J., & Huang, Y. (2008). On the Importance of the Pearson Correlation

Coefficient in Noise Reduction. IEE Trans. On Audio, Speech, and Language Processing, 16(4), 757.

Brumley et al. (2008). Automatically Identifying Trigger-based Behavior in Malware. Advances in Information Security, 36, 65-88.

David, B. (2009). Cyber crime in Uganda. Retrieved April 20, 2010 from http://www.dpp.go.ug/pespectives_cyber.php.

Eoghan, C. (2009). Handbook for Digital Forensics and Investigations.

Ilkyeun Ra, Tae-Kyou Park, (2009). A Forensic Logging System based on a Secure Operating

System.

Goodwin, L., & Leech, N. (2006). Understanding Correlation: Factors that affect the Size r.

experimental Education, 74(3), 249-266.

Gong, S. (2010). Design and Implementation of Anti-Screenshot Virtual Keyboard Applied in Online Banking. E-Business and E-Government (ICEE) International Conference, 1320-1322.

Herley, C., & Florencio, D. (2006, July). How to Login from an Internet Cafe without worrying about Keyloggers. In Symposium on Usable Privacy and Security (SOUPS), 6.

Holz, T., Engelberth, M., & Freilling, F. (2009). Learning More About the Undergound

Economy: A Case Study of Keyloggers and Dropzones. Proc. Of the 14th Symposium on Research in Computer Security, 1-18.

Hsu, W., & Smith, A. (2003). Characteristics of I/O Traffic in Personal Computer and Server

Workloads. IBM System Journal, 42(2), 347-372.

John, C. (2005). The Evolution of Malicious IRC Bots. Retrieved March 25, 2011.

Khun, W.H. (1955). The Hungarian method for the Assignment Problem. Natural research

Logistics Quarterly, 2, 83-97.

Kochenberger, G., Glover, F., & Alidaee, B. (2002). An Effective Approach for Solving the Binary Assignment Problem with Side Constraints. Information Technology and Decision Making, 1, 121-129.

Kotadia, M. (2006). Keylogger Spying at Work on the Rise, Survey Says. CNETNews.com.

Retrieved 20th Septemeber, 2013 from http://news.com.com/Keylogger+spying+at+work+on+the+rise,+survey+says/2100-7355_3-6072948.html

Lane, F.S. (2003). The Naked Employee: How Technology is Compromising Workplace

Privacy. AMACOM American Management, 128-130.

Le et al. (2008). Detecting Kernel Level Keyloggers through Dynamic Taint Analysis. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.215.4003&rep=rep1&type=pdf

Majid, F. (2011). Detecting keylogger Virus by Monitoring Keyboard Driver Stack. Al-Mansour

Journal Issue, 16, 75-88.

Martin, V., and Sylvain, P. (2009). Compromising Electromagnetic Emanations of Wired and Wireless Keyboards.

Moore, R. (2005). Cybercrime: Investigating High-Technology Computer Crime.

Olzak, T. (2008). Keystroke logging (keylogging). Adventures in Security, April.

Ortolani et al. (2013). Unprivileged Black-box Detection of User-space Keyloggers. IEE

Transactions on Dependable and Secure Computing, 10(1).

Paul, R. (2005). Electronic Evidence – Law and Practice. Problems with keyloggers.

Retrieved April 20, 2013 from http//www.ehow.com/list_7252161_problems-keyloggers.html.

Rodgers, L.J., & Nicewander, A.W. (1988). Thirteen Ways to Look at the Correlation

Coefficient. The American Statician, 42(1), 59-66.

Ruthkowska, J. (2007). Subverting Vista Kernel for Fun and Profit. Black Hat Briefings.

Seref, S., & Gurol, C. (2009). Keyloggers Increasing Threats to Computer Security and Privacy.

IEE Technology and Society Magazine, 10-17.

Sharon, N., Bruce, A.O., & John, W.S. (2006). The Electronic Evidence and Discovery

Handbook.

Stephen, M. (2008). International Electronic Evidence. British Institute of international and Comparative Law.

Zhuang, L., Zhou, F., & Tygar, D.J. (2009). Keyboard Acoustic Emanations Revisited. ACM

Trans. On Information and System Security, 13(1), 1 — 26.

Williams. (2007). I Know What You Did Last Logon: Monitoring Software, Spyware and Privacy. Microsoft Security News, 4 (6). Retrieved

http://www.virusbtn.com/conference/vb2006/abstracts/Williams.xml

Wood, C., & Raj, R. (2010). Keyloggers in Cyber security Education. In Security and Management, 293-299.

Project Time Frame.

Number

Activity

Proposed Start Date

End Date

1

Proposal writing and approval

2

Surveying literature and frame work development

3

Methodology, planning, requirements analysis and design.

4

Implementations.

5

Testing and evaluations.

6

Report consolidation and handing in.

50

0.1

0.9

Internet Workload

T

50

0.1

0.9

Idle Workload T

50

0.1

0.9

Office Workload T

2

0.1

0.9

Internet Workload N

2

0.1

0.9

Idle Workload N

2

0.1

0.9

Office Workload N