Abstract
Among the various types of spyware, screenloggers are distinguished by their ability to capture screenshots. This gives them considerable nuisance capacity, giving rise to theft of sensitive data or, failing that, to serious invasions of users' privacy. Several attacks relying on this screen-capture feature have been documented in recent years. Moreover, on desktop environments, taking screenshots is a legitimate functionality used by many benign applications, which makes screenlogging activity particularly stealthy. However, existing malware detection approaches are not adapted to screenlogger detection, because of the composition of their datasets and the way samples are executed. In this paper, we propose the first dynamic detection approach based on a dataset of screenloggers and legitimate screenshot-taking applications (built in a previous work), with particular care given to the screenshot functionality during sample execution. We also propose a tailored detection approach based on novel features specific to screenloggers. This second approach yields better results than an approach using traditional API call and network features trained on the same dataset (a minimum increase of 3.108% in accuracy).
© 2021 Springer Nature Switzerland AG
Sbai, H., Happa, J., Goldsmith, M. (2021). A Novel Behavioural Screenlogger Detection System. In: Liu, J.K., Katsikas, S., Meng, W., Susilo, W., Intan, R. (eds) Information Security. ISC 2021. Lecture Notes in Computer Science(), vol 13118. Springer, Cham. https://doi.org/10.1007/978-3-030-91356-4_15
DOI: https://doi.org/10.1007/978-3-030-91356-4_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91355-7
Online ISBN: 978-3-030-91356-4