TROGUARD: Context-Aware Protection Against Web-Based Socially Engineered Trojans
TROGUARD builds on the hypothesis that, despite the millions of executables currently downloadable on the Internet, almost all of them provide functionalities from a limited set. Additionally, because each functionality (e.g., a text editor) requires particular system resources, it leaves a specific system-level activity pattern behind. During an offline process, TROGUARD creates a profile dictionary of various functionalities. This dictionary is then used to warn the user if she downloads an executable whose activity profile does not match its advertised functionality, which is extracted through automated analysis of its source website. Our experimental results prove the above-mentioned premise empirically and show that TROGUARD can effectively identify real-world socially engineered trojan download attacks.
Author(s):
Rui Han
University of Miami
United States
Saman Zonouz
Rutgers University
United States
Mihai Christodorescu
Qualcomm Research
United States
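
The offline profile dictionary and the download-time mismatch check described in the abstract, as an added sketch that is not TROGUARD's own code. The feature names, the trace counts, the cosine-similarity comparison and the 0.8 threshold are all assumptions made for illustration; the abstract does not state which features or classifier TROGUARD uses.

```python
import math

# Constructed sample traces: per-run counts of system-level events for software of a
# known functionality. Feature names and numbers are illustrative assumptions.
TRAINING = {
    "text editor": [
        {"file_read": 40, "file_write": 35, "gui_event": 120, "net_connect": 0},
        {"file_read": 55, "file_write": 30, "gui_event": 90, "net_connect": 1},
    ],
    "web browser": [
        {"file_read": 20, "file_write": 15, "gui_event": 100, "net_connect": 150},
        {"file_read": 30, "file_write": 10, "gui_event": 80, "net_connect": 120},
    ],
    "file downloader": [
        {"file_read": 2, "file_write": 60, "gui_event": 5, "net_connect": 80},
        {"file_read": 5, "file_write": 70, "gui_event": 8, "net_connect": 95},
    ],
}

def unit(vec):
    """Scale a count vector to unit length so run duration does not dominate."""
    norm = math.sqrt(sum(v * v for v in vec.values()))
    return {k: v / norm for k, v in vec.items()} if norm else dict(vec)

def build_profiles(training):
    """Offline phase: one averaged, normalized activity profile per functionality."""
    profiles = {}
    for label, traces in training.items():
        mean = {}
        for trace in traces:
            for key, value in unit(trace).items():
                mean[key] = mean.get(key, 0.0) + value / len(traces)
        profiles[label] = mean
    return profiles

def cosine(a, b):
    """Cosine similarity between two sparse activity vectors."""
    ua, ub = unit(a), unit(b)
    return sum(ua[k] * ub.get(k, 0.0) for k in ua)

def check_download(profiles, advertised, observed, min_similarity=0.8):
    """Online phase: return (warn, closest_label, similarity_to_advertised)."""
    if advertised not in profiles:  # no profile to compare against, so warn
        return True, None, 0.0
    scores = {label: cosine(p, observed) for label, p in profiles.items()}
    closest = max(scores, key=scores.get)
    warn = closest != advertised or scores[advertised] < min_similarity
    return warn, closest, scores[advertised]

PROFILES = build_profiles(TRAINING)
```

Here `advertised` stands in for the label the abstract says is extracted from the source website, and `observed` for the activity recorded while the downloaded executable runs.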