This project is building a foundation for understanding spyware, and is advancing the state of the art in detecting and preventing spyware infections. Our research consists of four broad activities:
Measurement: Using a combination of passive network monitoring and active Web crawling, we are gathering quantitative evidence about the nature of spyware and its lifecycle.

Early detection: We are exploring schemes to detect new spyware threats before they have had the opportunity to cause widespread infection. For example, we are developing techniques for examining software found while Web crawling to automatically identify "spyware-like" behavior, or to statically analyze software to look for code fragments in common with previously detected spyware.

Prevention: To prevent spyware from reaching a computer, we are augmenting firewall and proxy systems to detect and block spyware before it reaches its victims. As well, to prevent new code from gaining a foothold on a PC, we are exploring ways of "locking down" what code is permitted to execute.

Infrastructure development: To conduct our research, we are developing new spyware testing infrastructure and workload repositories; our virtual "spyware laboratory" uses clusters and virtual machine monitors to enable high-throughput, scalable sandboxing and observation of malicious code. As well, we are amassing a large collection of known spyware programs to enable additional analysis.
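The early-detection activity above mentions statically comparing new software against code fragments seen in previously detected spyware. The following is an added illustration of that idea, not code from this project: it hashes every fixed-size sliding window of a binary so that a shared region is recognized even when it sits at a different offset in the new sample, indexes the fragments of a "known spyware" collection, and reports what fraction of a candidate's fragments also occur in each known sample. The window size, the threshold, and all of the byte strings (the known samples, the shared "payload", the candidate and the benign file) are constructed for the example and are not real spyware artifacts.

```python
import hashlib
from typing import Dict, Set

# Assumption for this example: an 8-byte window. Real systems would use larger
# windows, or instruction-level features, to cut down on coincidental matches.
WINDOW = 8

# Constructed "known spyware" collection. sample_a contains the shared region;
# sample_b is included only to show that unrelated samples are not reported.
SHARED_REGION = b"SEND-KEYLOG-TO-C2"
KNOWN_SAMPLES: Dict[str, bytes] = {
    "sample_a": b"AAAA" + SHARED_REGION + b"BBBB",
    "sample_b": b"unrelated adware strings",
}

# Constructed candidates: one reuses the shared region at a new offset with
# different surrounding bytes, the other shares nothing with the collection.
CANDIDATE = b"XYZ" + SHARED_REGION + b"QRST"
BENIGN = b"Hello, world! Nothing shared here."


def fragments(blob: bytes, window: int = WINDOW) -> Set[str]:
    """Hash every `window`-byte sliding window of `blob`.

    Using overlapping windows (rather than fixed-aligned blocks) means a code
    region that was moved to another offset still produces the same hashes.
    A blob shorter than one window yields no fragments at all.
    """
    return {
        hashlib.sha256(blob[i:i + window]).hexdigest()
        for i in range(0, max(len(blob) - window + 1, 0))
    }


def build_index(known: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Map each fragment hash to the names of the known samples containing it."""
    index: Dict[str, Set[str]] = {}
    for name, blob in known.items():
        for h in fragments(blob):
            index.setdefault(h, set()).add(name)
    return index


def shared_fragment_ratio(candidate: bytes,
                          index: Dict[str, Set[str]]) -> Dict[str, float]:
    """For each known sample, the fraction of the candidate's distinct fragments
    that also appear in that sample. Samples sharing nothing are omitted."""
    cand = fragments(candidate)
    if not cand:
        return {}
    hits: Dict[str, int] = {}
    for h in cand:
        for name in index.get(h, ()):
            hits[name] = hits.get(name, 0) + 1
    return {name: n / len(cand) for name, n in hits.items()}


def classify(candidate: bytes, index: Dict[str, Set[str]],
             threshold: float = 0.3) -> Dict[str, float]:
    """Return the known samples whose shared-fragment ratio reaches `threshold`.
    The threshold is an assumed tuning parameter, not a value from the page."""
    scores = shared_fragment_ratio(candidate, index)
    return {name: score for name, score in scores.items() if score >= threshold}


if __name__ == "__main__":
    idx = build_index(KNOWN_SAMPLES)
    for label, blob in (("candidate", CANDIDATE), ("benign", BENIGN)):
        print(label, classify(blob, idx))
```

The candidate shares ten of its seventeen distinct fragments with sample_a (only the windows that lie entirely inside the shared region match; windows straddling its edges differ because the surrounding bytes differ), so it is flagged, while the benign file and anything shorter than one window produce no matches. Window size is the main tuning knob: small windows match more relocated code but also more coincidental byte sequences, so a deployment would calibrate the threshold against a corpus of known-clean software.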