Server-side detection of malware infection

We review the intertwined problems of malware and online fraud, and argue that the fact that service providers often are financially responsible for fraud causes a relative lack of incentives for clients to manage their own security well. This suggests the need for a server-side tool to determine the security posture of clients before letting them transact. We introduce an exceedingly lightweight audit mechanism to address this need -- permitting for post-mortem infection analysis -- and prove its security properties based on standard cryptographic hardness assumptions. We describe a deployment architecture that aligns the incentives of participants in order to facilitate quick adoption and widespread use of the technology. Our approach is flexible enough to protect even low-end computing devices like mobile handsets, which future malware will target heavily, but whose power and bandwidth limitations mean poor effectiveness for traditional anti-virus paradigms. A contribution of independent potential value is the enabling of a centralized analysis of malware-related events. We describe how a centralized view of this type of information enables anomaly-based detection approaches that are not possible in a distributed setting. This approach enables a light-weight early-warning system and is helpful in creating application whitelists.

Citation

Jakobsson, M.; Juels, A. Server-side detection of malware infection. Proceedings of the New Security Paradigms Workshop (NSPW 09); 2009 September 8-11; Oxford, UK. New York: ACM; 2009; 11-22.