DOI: 10.1145/1595676.1595683
Research article

The user is not the enemy: fighting malware by tracking user intentions

Published: 22 September 2008

Abstract

Current access control policies provide no mechanism for incorporating user behavior in access control decisions, even though the way a user interacts with a program often indicates what the user expects that program to do. We develop a new approach to access control, focusing on single-user systems, in which the complete history of user and program actions can be used to improve the precision and expressiveness of access control policies. We describe mechanisms for securely capturing user actions and mapping those actions onto likely user intents, and a language for defining access control policies that incorporate user intentions. We implemented a prototype for capturing user intentions and present results from experiments on malware mitigation using the prototype. Our results show that a very simple MAC policy can prevent a significant amount of the system damage caused by malware while not interfering with most benign software.



Published In

NSPW '08: Proceedings of the 2008 New Security Paradigms Workshop
August 2009
144 pages
ISBN: 9781605583419
DOI: 10.1145/1595676
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control
  2. security policies
  3. user intent

Qualifiers

  • Research-article

Conference

NSPW '08
NSPW '08: 2008 New Security Paradigms Workshop
September 22 - 25, 2008
Lake Tahoe, California, USA

Acceptance Rates

Overall Acceptance Rate 62 of 170 submissions, 36%

Cited By

  • (2021) Ransomware Mitigation in the Modern Era: A Comprehensive Review, Research Challenges, and Future Directions. ACM Computing Surveys 54(9), pp. 1-36. DOI: 10.1145/3479393. Online publication date: 8 Oct 2021.
  • (2021) Can the User Help? Leveraging User Actions for Network Profiling. 2021 Eighth International Conference on Software Defined Systems (SDS), pp. 1-8. DOI: 10.1109/SDS54264.2021.9732164. Online publication date: 6 Dec 2021.
  • (2021) A Framework for Comparative Analysis of Intention Mining Approaches. Research Challenges in Information Science, pp. 20-37. DOI: 10.1007/978-3-030-75018-3_2. Online publication date: 8 May 2021.
  • (2019) Using EEG to Predict and Analyze Password Memorability. 2019 IEEE International Conference on Cognitive Computing (ICCC), pp. 42-49. DOI: 10.1109/ICCC.2019.00019. Online publication date: Jul 2019.
  • (2018) Behavior Intention Derivation of Android Malware Using Ontology Inference. Journal of Electrical and Computer Engineering, vol. 2018. DOI: 10.1155/2018/9250297. Online publication date: 1 Apr 2018.
  • (2016) Mining Sandboxes. Proceedings of the 38th International Conference on Software Engineering, pp. 37-48. DOI: 10.1145/2884781.2884782. Online publication date: 14 May 2016.
  • (2015) Mind Your $R, \varPhi$s. Revised Selected Papers of the 23rd International Workshop on Security Protocols XXIII, Volume 9379, pp. 80-90. DOI: 10.1007/978-3-319-26096-9_9. Online publication date: 31 Mar 2015.
  • (2012) User-Driven Access Control. Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 224-238. DOI: 10.1109/SP.2012.24. Online publication date: 20 May 2012.
  • (2011) Detecting Infection Onset with Behavior-Based Policies. 2011 5th International Conference on Network and System Security, pp. 57-64. DOI: 10.1109/ICNSS.2011.6059960. Online publication date: Sep 2011.
  • (2011) An Automatically Capture Method of User's Intention. Computer Science for Environmental Engineering and EcoInformatics, pp. 371-377. DOI: 10.1007/978-3-642-22694-6_52. Online publication date: 2011.
