• DocumentCode
    2027434
  • Title
    Detecting infection onset with behavior-based policies
  • Author
    Xu, Kui ; Yao, Danfeng ; Ma, Qiang ; Crowell, Alexander
  • Author_Institution
    Dept. of Comput. Sci., Virginia Tech, Blacksburg, VA, USA
  • fYear
    2011
  • fDate
    6-8 Sept. 2011
  • Firstpage
    57
  • Lastpage
    64
  • Abstract
    A major vector of computer infection is through exploiting vulnerable software or design flaws in networked applications such as the browser. Malicious code can be fetched and executed on a victim's machine without the user's permission, as in drive-by download (DBD) attacks. In this paper, we describe a new tool called DeWare (standing for Detection of Malware) for detecting the onset of infection delivered through vulnerable applications. DeWare enforces the dependencies between user actions and system events, such as file-system access and process execution. Our tool can be used to provide real-time protection of a personal computer, as well as for diagnosing and evaluating untrusted websites for forensic purposes. Our solution demonstrates a usable host-based framework for controlling and enforcing the access of system resources. We perform extensive experimental evaluation, including a user study with 21 participants, thousands of legitimate websites (for testing false alarms), 84 malicious websites in the wild, as well as lab-reproduced exploits. Our results show that DeWare is able to correctly distinguish legitimate download events from unauthorized system events with a low false positive rate (< 1%).
  • Keywords
    Web sites; invasive software; DeWare; Website evaluation; behavior-based policies; computer infection; detection of malware; drive-by download attacks; file-system access; infection onset detection; malicious code; process execution; usable host-based framework; vulnerable software exploitation; Browsers; Kernel; Malware; Monitoring; Semantics;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network and System Security (NSS), 2011 5th International Conference on
  • Conference_Location
    Milan
  • Print_ISBN
    978-1-4577-0458-1
  • Type
    conf
  • DOI
    10.1109/ICNSS.2011.6059960
  • Filename
    6059960