An online approach for kernel-level keylogger detection and defense

Donghai Tian, Xiaoqi Jia, Junhua Chen*, Changzhen Hu

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

3 Citations (Scopus)

Abstract

Keyloggers have been studied for many years, but they still pose a severe threat to information security. Keyloggers can record highly sensitive information and then transfer it to remote attackers. Previous solutions suffer from several limitations: (1) most methods focus on user-level keylogger detection; (2) some methods need to modify the OS kernel; (3) most methods can be bypassed once the OS kernel is compromised. In this paper, we present LAKEED, an online defense against kernel-level keyloggers that utilizes hardware-assisted virtualization technology. Our system is compatible with commodity operating systems and can protect the running OS transparently. The basic idea of our approach is to isolate the target kernel extension that may contain the keylogger from the keyboard drivers' execution environment, and then to monitor their potential interactions. By comparing the runtime information against an execution baseline obtained by offline analysis, the keylogger can be identified. The evaluation shows that LAKEED can defeat kernel-level keyloggers effectively with low performance overhead.

Original language: English
Pages (from-to): 445-461
Number of pages: 17
Journal: Journal of Information Science and Engineering
Volume: 33
Issue: 2
Publication status: Published - March 2017
