NetSpy: Automatic generation of spyware signatures for NIDS

Hao Wang; Somesh Jha; Vinod Ganapathy

doi:10.1109/ACSAC.2006.34

NetSpy: Automatic generation of spyware signatures for NIDS

Hao Wang, Somesh Jha, Vinod Ganapathy

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

26 Scopus citations

Abstract

We present NetSpy, a tool to automatically generate network-level signatures for spyware. NetSpy determines whether an untrusted program is spyware by correlating user input with network traffic generated by the untrusted program. If classified as spyware, NetSpy also generates a signature characterizing the malicious substrate of the spyware 's network behavior. Such a signature can be used by network intrusion detection systems to detect spyware installations in large networks. In our experiments, NetSpy precisely identified each of the 1 spyware programs that we considered and generated network-level signatures for them. Of the 9 supposedlybenign programs that we considered, NetSpy correctly characterized 6 of them as benign. The remaining 3 programs showed network behavior that was highly suggestive of spying activity.

Original language	English (US)
Title of host publication	Proceedings - Annual Computer Security Applications Conference, ACSAC
Pages	99-108
Number of pages	10
DOIs	https://doi.org/10.1109/ACSAC.2006.34
State	Published - 2006
Externally published	Yes
Event	22nd Annual Computer Security Applications Conference, ACSAC 2006 - Miami Beach, FL, United States Duration: Dec 11 2006 → Dec 15 2006

Publication series

Name	Proceedings - Annual Computer Security Applications Conference, ACSAC
ISSN (Print)	1063-9527

Other

Other	22nd Annual Computer Security Applications Conference, ACSAC 2006
Country/Territory	United States
City	Miami Beach, FL
Period	12/11/06 → 12/15/06

All Science Journal Classification (ASJC) codes

Software
Engineering(all)

Access to Document

10.1109/ACSAC.2006.34

Cite this

@inproceedings{93a82ce2347e418aa13b3240e816e308,

title = "NetSpy: Automatic generation of spyware signatures for NIDS",

abstract = "We present NetSpy, a tool to automatically generate network-level signatures for spyware. NetSpy determines whether an untrusted program is spyware by correlating user input with network traffic generated by the untrusted program. If classified as spyware, NetSpy also generates a signature characterizing the malicious substrate of the spyware 's network behavior. Such a signature can be used by network intrusion detection systems to detect spyware installations in large networks. In our experiments, NetSpy precisely identified each of the 1 spyware programs that we considered and generated network-level signatures for them. Of the 9 supposedlybenign programs that we considered, NetSpy correctly characterized 6 of them as benign. The remaining 3 programs showed network behavior that was highly suggestive of spying activity.",

author = "Hao Wang and Somesh Jha and Vinod Ganapathy",

year = "2006",

doi = "10.1109/ACSAC.2006.34",

language = "English (US)",

isbn = "0769527167",

series = "Proceedings - Annual Computer Security Applications Conference, ACSAC",

pages = "99--108",

booktitle = "Proceedings - Annual Computer Security Applications Conference, ACSAC",

note = "22nd Annual Computer Security Applications Conference, ACSAC 2006 ; Conference date: 11-12-2006 Through 15-12-2006",

}

Wang, H, Jha, S & Ganapathy, V 2006, NetSpy: Automatic generation of spyware signatures for NIDS. in Proceedings - Annual Computer Security Applications Conference, ACSAC., 4041158, Proceedings - Annual Computer Security Applications Conference, ACSAC, pp. 99-108, 22nd Annual Computer Security Applications Conference, ACSAC 2006, Miami Beach, FL, United States, 12/11/06. https://doi.org/10.1109/ACSAC.2006.34

TY - GEN

T1 - NetSpy

T2 - 22nd Annual Computer Security Applications Conference, ACSAC 2006

AU - Wang, Hao

AU - Jha, Somesh

AU - Ganapathy, Vinod

PY - 2006

Y1 - 2006

N2 - We present NetSpy, a tool to automatically generate network-level signatures for spyware. NetSpy determines whether an untrusted program is spyware by correlating user input with network traffic generated by the untrusted program. If classified as spyware, NetSpy also generates a signature characterizing the malicious substrate of the spyware 's network behavior. Such a signature can be used by network intrusion detection systems to detect spyware installations in large networks. In our experiments, NetSpy precisely identified each of the 1 spyware programs that we considered and generated network-level signatures for them. Of the 9 supposedlybenign programs that we considered, NetSpy correctly characterized 6 of them as benign. The remaining 3 programs showed network behavior that was highly suggestive of spying activity.

AB - We present NetSpy, a tool to automatically generate network-level signatures for spyware. NetSpy determines whether an untrusted program is spyware by correlating user input with network traffic generated by the untrusted program. If classified as spyware, NetSpy also generates a signature characterizing the malicious substrate of the spyware 's network behavior. Such a signature can be used by network intrusion detection systems to detect spyware installations in large networks. In our experiments, NetSpy precisely identified each of the 1 spyware programs that we considered and generated network-level signatures for them. Of the 9 supposedlybenign programs that we considered, NetSpy correctly characterized 6 of them as benign. The remaining 3 programs showed network behavior that was highly suggestive of spying activity.

UR - http://www.scopus.com/inward/record.url?scp=39049147640&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=39049147640&partnerID=8YFLogxK

U2 - 10.1109/ACSAC.2006.34

DO - 10.1109/ACSAC.2006.34

M3 - Conference contribution

AN - SCOPUS:39049147640

SN - 0769527167

SN - 9780769527161

T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC

SP - 99

EP - 108

BT - Proceedings - Annual Computer Security Applications Conference, ACSAC

Y2 - 11 December 2006 through 15 December 2006

ER -

NetSpy: Automatic generation of spyware signatures for NIDS

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this