DOI: 10.1145/2508859.2516682
Research article

Shady paths: leveraging surfing crowds to detect malicious web pages

Published: 04 November 2013

ABSTRACT

The web is one of the most popular vectors to spread malware. Attackers lure victims to visit compromised web pages or entice them to click on malicious links. These victims are redirected to sites that exploit their browsers or trick them into installing malicious software using social engineering.

In this paper, we tackle the problem of detecting malicious web pages from a novel angle. Instead of looking at particular features of a (malicious) web page, we analyze how a large and diverse set of web browsers reach these pages. That is, we use the browsers of a collection of web users to record their interactions with websites, as well as the redirections they go through to reach their final destinations. We then aggregate the different redirection chains that lead to a specific web page and analyze the characteristics of the resulting redirection graph. As we will show, these characteristics can be used to detect malicious pages.

We argue that our approach is less prone to evasion than previous systems, allows us to also detect scam pages that rely on social engineering rather than only those that exploit browser vulnerabilities, and can be implemented efficiently. We developed a system, called SpiderWeb, which implements our proposed approach. We show that this system works well in detecting web pages that deliver malware.
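To make the aggregation step concrete, here is an added example (my own code, not the SpiderWeb implementation) that groups constructed per-client redirection chains by landing page and derives a few graph characteristics. The feature names and the threshold rule are my own illustrative choices; the paper's real feature set and classifier are not given on this page, and chains are reduced to hostnames for brevity.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample visits (not data from the paper): a client label and the
# ordered redirection chain from the first URL requested to the landing page.
CONSTRUCTED_VISITS = [
    ("us-chrome", ["http://news.example/story", "http://ads.example/click?id=1",
                   "http://tds.example/go", "http://landing.example/offer"]),
    ("de-firefox", ["http://blog.example/post", "http://tds.example/go",
                    "http://landing.example/offer"]),
    ("br-ie", ["http://forum.example/t/42", "http://short.example/x9",
               "http://tds.example/go", "http://landing.example/offer"]),
    ("us-chrome", ["http://shop.example/cart"]),
    ("uk-safari", ["http://shop.example/cart"]),
    ("de-firefox", ["http://shop.example/search?q=a", "http://shop.example/cart"]),
]

def host(url):
    return urlsplit(url).hostname

def aggregate_chains(visits):
    """Group per-visit chains by their final landing host. Returns a dict
    landing host -> list of (client, [host, ...]) chains, the raw material
    of that page's redirection graph."""
    by_landing = defaultdict(list)
    for client, chain in visits:
        hosts = [host(u) for u in chain]
        by_landing[hosts[-1]].append((client, hosts))
    return by_landing

def graph_features(chains):
    """Illustrative features of one aggregated redirection graph (my own choice
    for demonstration, not the paper's feature set): how many distinct entry
    points and third-party intermediaries funnel into the landing page."""
    final = chains[0][1][-1]
    entry_hosts = {hs[0] for _, hs in chains}
    intermediates = {h for _, hs in chains for h in hs[1:-1]} - {final}
    cross_host = sum(1 for _, hs in chains if hs[0] != final) / len(chains)
    return {
        "clients": len({c for c, _ in chains}),
        "entry_hosts": len(entry_hosts),
        "intermediate_hosts": len(intermediates),
        "max_chain_len": max(len(hs) for _, hs in chains),
        "cross_host_ratio": cross_host,
    }

def flag_suspicious(f):
    """Toy threshold rule standing in for a trained classifier: many unrelated
    entry points routed through intermediaries to a single landing page."""
    return f["entry_hosts"] >= 3 and f["intermediate_hosts"] >= 1 and f["cross_host_ratio"] >= 0.5
```

Running the functions over the constructed visits flags `landing.example` (three unrelated entry sites, three intermediaries) and leaves `shop.example` alone, since every chain to it stays within the same host.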


Published in: CCS '13: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, November 2013, 1530 pages. ISBN: 9781450324779. DOI: 10.1145/2508859. Copyright © 2013 ACM.


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: CCS '13 paper acceptance rate 105 of 530 submissions (20%); overall acceptance rate 1,261 of 6,999 submissions (18%).
