A variety of malware has infiltrated and threatened both personal and
business computing. This malware includes worms, spyware, and botnets.
Among these, the major threat on today's Internet is spyware, because
it sends our private information across the net. A lot of research has
been done on anti-spyware solutions, but most of them rely on signature
detection and suffer from zero-day attacks. To compensate, researchers
have developed detection systems that focus on abnormal behaviors
rather than specific attacks. Even though these systems are more
effective at detecting not-yet-known threats, they can still be evaded
by clever attackers who tamper with normal traffic.
In this paper, we present an advanced and robust input-traffic
correlation framework that identifies abnormal traffic by semantically
examining user inputs and the contents of outbound network packets. In
particular, we first study outbound HTTP traffic in the browser
environment and test on both static and dynamic web pages. We then
identify several research challenges: a single click corresponds to
more than one outbound HTTP request, and the diversity and dynamic
nature of web content make analysis hard. Finally, we introduce a
parallel universe for handling dynamic web pages involving JavaScript
and AJAX, and evaluate our framework with real-world malware.
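As an added illustration, not code from the paper, the following Python sketch shows the core of an input/traffic correlation check: each outbound request must be explained by a recent user action aimed at the same site (tolerating the one-click-many-requests fan-out named above), and any data the request carries must be something the user actually typed. The event schema, the two-second window, the same-site rule and the sample trace are all constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

@dataclass
class UserInput:        # one observed user action (constructed schema)
    t: float            # timestamp in seconds
    target_host: str    # host the clicked link or submitted form points at
    typed: str = ""     # text the user actually entered, if any

@dataclass
class HttpRequest:      # one outbound HTTP request (constructed schema)
    t: float
    host: str
    body: str = ""      # form-encoded POST body, empty for a plain GET

WINDOW = 2.0  # seconds after an input during which its derived requests may leave

def same_site(req_host, target_host):
    # A single click fans out into several requests, often to subdomains of
    # the clicked site, so the host itself and its subdomains count as derived.
    return req_host == target_host or req_host.endswith("." + target_host)

def body_consistent(body, typed):
    # Semantic check: every value the request carries must be something the
    # user typed; data the user never entered is not explained by the input.
    if not body:
        return True
    values = [v for vs in parse_qs(body).values() for v in vs]
    return bool(values) and all(v in typed for v in values)

def explained_by_input(req, inputs, window=WINDOW):
    return any(inp.t <= req.t <= inp.t + window
               and same_site(req.host, inp.target_host)
               and body_consistent(req.body, inp.typed) for inp in inputs)

def correlate(inputs, requests, window=WINDOW):
    """Split requests into (benign, suspicious) lists by input/traffic correlation."""
    benign, suspicious = [], []
    for req in sorted(requests, key=lambda r: r.t):
        (benign if explained_by_input(req, inputs, window) else suspicious).append(req)
    return benign, suspicious

# Constructed sample trace: two user actions and five outbound requests.
SAMPLE_INPUTS = [UserInput(10.0, "shop.example"),
                 UserInput(30.0, "search.example", typed="blue shoes")]
SAMPLE_REQUESTS = [
    HttpRequest(10.3, "shop.example"),                            # the click itself
    HttpRequest(10.6, "img.shop.example"),                        # same-click fan-out
    HttpRequest(10.9, "collector.invalid", "hist=shop.example"),  # timed to hide in the burst
    HttpRequest(30.2, "search.example", "q=blue+shoes"),          # the typed query
    HttpRequest(30.4, "search.example", "q=blue+shoes&cc=4111"),  # field the user never typed
]
```

Legitimate background traffic (updates, telemetry) has no user input behind it and would also land in the suspicious list, so a deployment needs an allowlist for such flows on top of this rule.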