ABSTRACT
Drive-by download attacks, in which web browsers are subverted by malicious content delivered by web servers, have become a common attack vector in recent years. Several methods for detecting malicious content on web pages have been proposed in the literature; they use data mining techniques to classify web pages as malicious or benign. However, each proposed method uses different content features to perform the classification, and there is a lack of a high-level framework for comparing these methods based upon their choice of detection features. Without such a framework it is problematic to design experiments that compare the effectiveness of methods built on different selections of features. This paper presents such a framework, derived from an analysis of drive-by download attacks that focuses upon the potential state changes observed when Internet browsers render HTML documents. The framework can be used to identify potential features that have not yet been exploited and to reason about the challenges of using those features in detecting drive-by download attacks.