Title: User Profiling Attack Using Windows Registry Data
The Windows registry stores a glut of information containing settings and data used by the Microsoft operating system (OS) and other applications. For example, user credentials, installed programs, recently used applications and documents, and accessed resources such as local, remote, and removable devices can all be found in this database. More revealingly, the registry also holds time and date stamps that can help build a timeline of user activities. The Windows registry can be easily queried by either malicious or benign applications through the Windows Application Program Interface (API) and other OS built-in utilities. In this paper, we develop and demonstrate a program able to collect and infer a user's rich activities by accessing the Windows registry alone. This information, also referred to as the user's digital footprint, can be used to devise an exploit or create a privacy threat. Our custom-developed application demonstrates how a user's digital footprint can be acquired by a malicious application from the Windows registry without alerting security software. In addition, this information can be exported to a set of comma-delimited files, making it easy to import into other analysis applications.
Award ID(s): 1915780 2325452
NSF-PAR ID: 10487295
Author(s) / Creator(s):
Publisher / Repository: IEEE
Date Published:
Journal Name: 2023 IEEE 14th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON)
ISBN: 979-8-3503-0413-8
Page Range / eLocation ID: 171 to 181
Format(s): Medium: X
Location: New York, NY, USA
Sponsoring Org: National Science Foundation
More Like this
  1. With the increase in popularity of operating systems like macOS and Chrome OS, creating non-mobile applications that run cross-platform is becoming a challenge for developers all over the world [1]. It is costly to create non-Windows versions of applications, since the operating systems (OS) differ in architecture and implementation. Many creators from various organizations choose different routes for increasing application compatibility but are not always willing to pay the overhead of developing the same application on another platform. As a result, consumers are left unable to use the software they need and resort to workarounds ranging from running virtual machines to dual-booting another operating system. Wine is a compatibility layer capable of running Windows applications on several POSIX-compliant operating systems, such as Linux, macOS, and BSD, free of cost [2]. It is an excellent way to run Windows applications on macOS and Linux machines without installing a resource-intensive virtual machine or restarting the machine to dual boot. Wine has been in active use since 1993. Since then, it has been adopted by many large companies and integrated into their products, including Borland, Google, IBM and Oracle [3]. This paper describes how a National Science Foundation (NSF) funded project experienced a need to run a Windows-only program on Macs or Chromebooks and explains how Wine may be used to overcome a similar OS-limiting challenge.
  2. Software keyloggers are a dominant class of malicious applications that surreptitiously log all user activity to gather confidential information. Among many other types of keyloggers, API-based keyloggers can pose as unprivileged programs running in user space to eavesdrop on and record all keystrokes typed by the user. In a Linux environment, defending against these types of malware means defending the kernel against being compromised, and this is still an open and difficult problem. Considering how the recent trend of edge computing extends cloud computing and the Internet of Things (IoT) to the edge of the network, a new type of intrusion detection system (IDS) has been used to mitigate cybersecurity threats in edge computing. The proposed work aims to provide a secure environment by constantly checking virtual machines for the presence of keyloggers using cutting-edge artificial immune system (AIS) based technology. The algorithms that exist in the field of AIS exploit the immune system's characteristics of learning and memory to solve diverse problems. We further present our approach by employing an architecture in which the host OS and a virtual machine (VM) layer actively collaborate to guarantee kernel integrity. This collaborative approach allows us to introspect the VM by tracking events (interrupts, system calls, memory writes, network activities, etc.) and to detect anomalies by employing the negative selection algorithm (NSA).
  3. As organizations drastically expand their usage of collaborative systems and multi-user applications during this period of mass remote work, it is crucial to understand and manage the risks that such platforms may introduce. Improperly or carelessly deployed and configured systems hide security threats that can impact not only a single organization but the whole economy. Cloud-based architecture is used in many collaborative systems, such as audio/video conferencing, collaborative document sharing/editing, distance learning and others. Therefore, it is important to understand that safety risks can be triggered by attacks on remote servers, and confidential information might be compromised. In this paper, we present an AI-powered application that aims to constantly introspect multiple virtual servers in order to detect malicious activities based on their anomalous behavior. Once the suspicious process(es) are detected, the application notifies the system administrator about the potential threat in real time. The developed software is able to detect user-space keyloggers, rootkits, process hiding and other intrusion artifacts via agent-less operation, by operating directly from the host machine. Remote memory introspection means there is no software to install and no warning that would let malware evacuate or destroy data. Experiments conducted on more than twenty different types of malicious applications provide evidence of high detection accuracy.
  4. Android is the most targeted mobile OS. Studies have found that repackaging is one of the most common techniques that adversaries use to distribute malware, and detecting such malware can be difficult because they share large parts of the code with benign apps. Other studies have highlighted the privacy implications of zero-permission sensors. In this work, we investigate if repackaged malicious apps utilize more sensors than the benign counterpart for malicious purposes. We analyzed 15,297 app pairs for sensor usage. We provide evidence that zero-permission sensors are indeed used by malicious apps to perform various activities. We use this information to train a robust classifier to detect repackaged malware in the wild.
  5. Technological advancement has made possible the collection of data from social media platforms at unprecedented speed and volume. Current methods for analyzing such data lack interpretability, are computationally intensive, or require a rigid data specification. Functional data analysis enables the development of a flexible, yet interpretable, modeling framework to extract lower-dimensional relevant features of a user's posting behavior on social media, based on their posting activity over time. The extracted features can then be used to discriminate a malicious user from a genuine one. The proposed methodology can classify a binary time series in a computationally efficient manner and provides more insight into the posting behavior of social media agents. Performance of the method is illustrated numerically in simulation studies and on a motivating Twitter data set. The developed methods are applicable to other social media data, such as Facebook, Instagram, Reddit, or TikTok, or any form of digital interaction where the user's posting behavior is indicative of their user class.