Server-side detection of malware infection

Citation

Jakobsson, M.; Juels, A. Server-side detection of malware infection. Proceedings of the New Security Paradigms Workshop (NSPW 09); 2009 September 8-11; Oxford, UK. New York: ACM; 2009; 11-22.

Abstract

We review the intertwined problems of malware and online fraud, and argue that the fact that service providers often are financially responsible for fraud causes a relative lack of incentives for clients to manage their own security well. This suggests the need for a server-side tool to determine the security posture of clients before letting them transact. We introduce an exceedingly lightweight audit mechanism to address this need — permitting for post-mortem infection analysis — and prove its security properties based on standard cryptographic hardness assumptions. We describe a deployment architecture that aligns the incentives of participants in order to facilitate quick adoption and widespread use of the technology. Our approach is flexible enough to protect even low-end computing devices like mobile handsets, which future malware will target heavily, but whose power and bandwidth limitations mean poor effectiveness for traditional anti-virus paradigms. A contribution of independent potential value is the enabling of a centralized analysis of malware-related events. We describe how a centralized view of this type of information enables anomaly-based detection approaches that are not possible in a distributed setting. This approach enables a light-weight early-warning system and is helpful in creating application whitelists.

