Gyrus: A Framework for User-Intent Monitoring of Text-based Networked Applications

Abstract

Traditional security systems have largely focused on attack detection. Unfortunately, accurately identifying the latest attack has proven to be a never-ending cycle. In this paper, we propose a way to break this cycle by ensuring that a system’s behavior matches the user’s intent. Since our approach is attack agnostic, it will scale better than traditional security systems. There are two key components to our approach. First, we capture the user’s intent through their interactions with an application. Second, we verify that the resulting system output can be mapped back to the user’s interactions.

To demonstrate how this works, we created Gyrus, a research prototype that observes user interactions for common tasks such as sending email, instant messaging, online social networking, and online financial services. Gyrus secures these applications from malicious behavior such as spam and wire fraud by allowing only outgoing traffic with content that matches the user’s intent.

To understand how Gyrus captures user intent, consider the case of a text-based application. In this case the user’s input is displayed on the screen so the user can confirm that their input is correct. Gyrus builds on this concept by focusing on what is being displayed to the user instead of what the user has typed or clicked. We call this the “what you see is what you send (WYSIWYS)” policy.

We implemented Gyrus under a standard virtualization environment, and our prototype system successfully stops malware from sending unintended content over the network. Our evaluation shows that Gyrus is very efficient and introduces no noticeable delay to a user’s interaction with the protected applications.
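The WYSIWYS policy described above can be illustrated for the email case with a small check. This is an added example, not code from the paper or from Gyrus: the function name, the `displayed` dictionary of on-screen fields, and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Fields the user could see in the compose window (assumed field set).
FIELDS = ("to", "cc", "bcc", "subject", "body")

def _norm(text):
    # Collapse whitespace so line wrapping does not cause false mismatches.
    return re.sub(r"\s+", " ", text or "").strip()

def wysiwys_allows(displayed, raw_message):
    """Compare an outgoing message with what was on screen at send time.

    Returns (allowed, mismatched_fields). Anything the user did not see,
    such as an added Bcc recipient or extra body text, is a mismatch.
    """
    msg = message_from_string(raw_message)
    if msg.is_multipart():
        # Fail closed: parts the user never saw cannot be mapped to the display.
        return False, ["body"]
    sent = {f: msg.get(f) for f in FIELDS if f != "body"}  # header lookup is case-insensitive
    sent["body"] = msg.get_payload()
    mismatched = [f for f in FIELDS if _norm(displayed.get(f)) != _norm(sent[f])]
    return (not mismatched), mismatched

# Constructed sample: text displayed to the user when they clicked "Send".
DISPLAYED = {"to": "alice@example.com", "subject": "Lunch",
             "body": "See you at noon."}

# Constructed outgoing message that matches the display (only wrapping differs).
LEGIT = "To: alice@example.com\nSubject: Lunch\n\nSee you\nat noon.\n"

# Constructed outgoing message altered after the user confirmed the text.
TAMPERED = ("To: alice@example.com\nBcc: list@example.net\nSubject: Lunch\n\n"
            "See you at noon. Visit http://example.net/offer\n")

if __name__ == "__main__":
    print(wysiwys_allows(DISPLAYED, LEGIT))
    print(wysiwys_allows(DISPLAYED, TAMPERED))
```

The check compares against the displayed fields only, so it does not depend on recognizing any particular attack, which is the attack-agnostic property the abstract claims.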

Publication
Proceedings of the 2014 Annual Network and Distributed System Security Symposium (NDSS)