
TROGUARD: Context-aware protection against web-based socially engineered trojans

  • Rui Han
  • Alejandro Mesa
  • Mihai Christodorescu
  • Saman Zonouz

Research output: Contribution to conference › Paper › peer-review

Abstract

Despite the increasing number of social engineering attacks through web browser applications, detection of socially engineered trojan downloads by enticed victim users remains a challenging endeavor. In this paper, we present TROGUARD, a semi-automated web-based trojan detection solution, that notifies the user if the application she downloaded behaves differently than what she expected at download time. TROGUARD builds on the hypothesis that in spite of millions of currently downloadable executables on the Internet, almost all of them provide functionalities from a limited set. Additionally, because each functionality, e.g., text editor, requires particular system resources, it exhibits a unique system-level activity pattern. During an offline process, TROGUARD creates a profile dictionary of various functionalities. This profile dictionary is then used to warn the user if she downloads an executable whose observed activity does not match its advertised functionality (extracted through automated analysis of the download website). Our experimental results prove the above mentioned premise empirically and show that TROGUARD can identify real-world socially engineered trojan download attacks effectively.

Original language: English (US)
Pages: 66-75
Number of pages: 10
DOIs
State: Published - Dec 8 2014
Event: 30th Annual Computer Security Applications Conference, ACSAC 2014 - New Orleans, United States
Duration: Dec 8 2014 to Dec 12 2014

Other

Other: 30th Annual Computer Security Applications Conference, ACSAC 2014
Country/Territory: United States
City: New Orleans
Period: 12/8/14 to 12/12/14

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications
