Keylogger Detection Using a Decoy Keyboard

Abstract: Commercial anti-malware systems currently rely on signatures or on patterns learned from samples of known malware, and are therefore unable to detect zero-day malware, leaving computers unprotected. In this paper we present a novel kernel-level technique for detecting keyloggers. Our approach operates through the use of a decoy keyboard: a low-level driver emulates and exposes keystrokes modeled after actual users. We developed a statistical model of the typing profiles of real users, which regulates the delivery times of the emulated keystrokes. A kernel filter driver enables the decoy keyboard to shadow the physical keyboard, so that a single keyboard appears on the device tree at all times. That keyboard is the physical keyboard while the actual user types on it, and the decoy keyboard during windows of user inactivity. Malware is detected in a second-order fashion, when data leaked through the decoy keyboard are later used to access resources on the compromised machine. We tested our approach against live malware samples obtained from public repositories and report the findings in the paper. The decoy keyboard is able to detect zero-day malware, and can coexist with a real keyboard on a production computer without disrupting the user's work.
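To make the mechanism concrete, the following Python simulation is an added example, not the authors' driver (which runs as a Windows kernel filter driver): it models the shadowing rule (decoy input only while the real user is idle), samples decoy keystroke times from a Gaussian fit of constructed inter-keystroke intervals, and implements the second-order check over constructed authentication log lines in which the decoy identity acts as a honeytoken. The decoy credential, the sample intervals, the log format, the idle threshold and the Gaussian timing model are all assumptions made for this example.

```python
"""Decoy keyboard simulation and second-order detection of leaked decoy input.

Added example, not code from the paper: the shadowing rule, the timing model
and the honeytoken check are modelled in user space so they can be run offline.
"""
import random
import statistics
from dataclasses import dataclass

# Constructed inter-keystroke intervals (ms) standing in for a recorded user
# typing profile. Assumption: a Gaussian fit is enough for the demonstration.
SAMPLE_INTERVALS_MS = [120, 95, 140, 110, 180, 90, 130, 105, 160, 115, 125, 100]
MIN_DELAY_MS = 30  # floor so a sampled delay never becomes zero or negative

# Constructed honeytoken credential that the decoy keyboard "types"; it belongs
# to no real account, so any attempt to use it is evidence of leakage.
DECOY_USER = "decoy_user"
DECOY_PASSWORD = "DecoyPass!2017"
DECOY_TEXT = f"{DECOY_USER}\t{DECOY_PASSWORD}\n"


class TypingProfile:
    """Gaussian model of a user's inter-keystroke delay (assumed model)."""

    def __init__(self, intervals_ms):
        self.mean = statistics.mean(intervals_ms)
        self.stdev = statistics.pstdev(intervals_ms)

    def next_delay(self, rng):
        return max(MIN_DELAY_MS, round(rng.gauss(self.mean, self.stdev)))


@dataclass
class DecoyKeystroke:
    time_ms: int
    char: str


class DecoyKeyboard:
    """Shadows the physical keyboard: only one keyboard is visible at a time."""

    def __init__(self, profile, decoy_text=DECOY_TEXT, idle_threshold_ms=5000,
                 poll_ms=100):
        self.profile = profile
        self.decoy_text = decoy_text
        self.idle_threshold_ms = idle_threshold_ms
        self.poll_ms = poll_ms
        self.last_user_activity_ms = 0

    def is_idle(self, t_ms):
        return t_ms - self.last_user_activity_ms >= self.idle_threshold_ms

    def run(self, start_ms, end_ms, rng, user_key_times=()):
        """Simulate [start_ms, end_ms); user_key_times are physical keystrokes.

        Returns the decoy keystrokes delivered, each spaced by the profile.
        """
        events = sorted(user_key_times)
        delivered, pos, idx, t = [], 0, 0, start_ms
        while t < end_ms:
            # Physical keystrokes up to now hand the device to the real keyboard.
            while idx < len(events) and events[idx] <= t:
                self.last_user_activity_ms = events[idx]
                idx += 1
            if self.is_idle(t):
                char = self.decoy_text[pos % len(self.decoy_text)]
                delivered.append(DecoyKeystroke(t, char))
                pos += 1
                t += self.profile.next_delay(rng)  # human-like spacing
            else:
                t += self.poll_ms  # real user active: emit nothing
        return delivered


def as_text(keystrokes):
    """What a keylogger hooked below the filter driver would record."""
    return "".join(k.char for k in keystrokes)


def simulate(seed=7, end_ms=20000, user_key_times=(0, 1000)):
    kb = DecoyKeyboard(TypingProfile(SAMPLE_INTERVALS_MS))
    return kb.run(0, end_ms, random.Random(seed), user_key_times)


# Constructed authentication log lines (not from the paper) for the
# second-order check: the decoy identity appears in a login attempt it was
# never legitimately part of.
SAMPLE_AUTH_LOG = """\
2017-07-19T10:01:02Z login user=alice result=ok src=10.0.0.5
2017-07-19T10:03:44Z login user=decoy_user result=fail src=203.0.113.7
2017-07-19T10:04:10Z login user=bob result=ok src=10.0.0.9
"""


def parse_auth_line(line):
    ts, _event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def detect_decoy_use(log_text, decoy_users=frozenset({DECOY_USER})):
    """Alert on every attempt to use a decoy identity: it can only have leaked."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_auth_line(line)
        if rec.get("user") in decoy_users:
            alerts.append((rec["ts"], rec["user"], rec.get("src")))
    return alerts


if __name__ == "__main__":
    strokes = simulate()
    print(f"{len(strokes)} decoy keystrokes, first at {strokes[0].time_ms} ms")
    print(repr(as_text(strokes)))
    print(detect_decoy_use(SAMPLE_AUTH_LOG))
```

The two halves are deliberately decoupled: the keyboard side never knows whether a keylogger is present, and the detection side never inspects processes. A keylogger that records the decoy credential and later replays it (the login attempt from 203.0.113.7 in the constructed log) is caught purely by the fact that a honeytoken identity was used, which is what the abstract calls second-order detection.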
Document type: Conference papers
Cited literature: 42 references
Contributor: Hal Ifip
Submitted on: Monday, January 15, 2018 - 2:07:00 PM
Last modification on: Wednesday, June 20, 2018 - 11:46:01 AM
Long-term archiving on: Monday, May 7, 2018 - 11:33:37 AM

Files produced by the author(s)
Distributed under a Creative Commons Attribution 4.0 International License

Seth Simms, Margot Maxwell, Sara Johnson, Julian Rrushi. Keylogger Detection Using a Decoy Keyboard. 31st IFIP Annual Conference on Data and Applications Security and Privacy (DBSEC), Jul 2017, Philadelphia, PA, United States. pp.433-452, ⟨10.1007/978-3-319-61176-1_24⟩. ⟨hal-01684350⟩