Shady Paths: Leveraging Surfing Crowds to Detect Malicious Web Pages

ABSTRACT
The web is one of the most popular vectors to spread malware. Attackers lure victims to visit compromised web pages or entice them to click on malicious links. These victims are redirected to sites that exploit their browsers or trick them into installing malicious software using social engineering.
In this paper, we tackle the problem of detecting malicious web pages from a novel angle. Instead of looking at particular features of a (malicious) web page, we analyze how a large and diverse set of web browsers reach these pages. That is, we use the browsers of a collection of web users to record their interactions with websites, as well as the redirections they go through to reach their final destinations. We then aggregate the different redirection chains that lead to a specific web page and analyze the characteristics of the resulting redirection graph. As we will show, these characteristics can be used to detect malicious pages.
We argue that our approach is less prone to evasion than previous systems, allows us to also detect scam pages that rely on social engineering rather than only those that exploit browser vulnerabilities, and can be implemented efficiently. We developed a system, called SpiderWeb, which implements our proposed approach. We show that this system works well in detecting web pages that deliver malware.
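The aggregation step the abstract describes, as an added illustration rather than SpiderWeb's own code: a handful of constructed redirection chains (as different browsers would record them) are grouped by their final landing page, merged into one redirection graph per page, and summarised by a few illustrative graph characteristics. The chain data, the `CHAINS`/`build_redirection_graphs`/`graph_features` names and the chosen features are assumptions for this example, not the paper's feature set.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: each chain is the ordered list of URLs one browser
# went through, the last element being the final landing page.
CHAINS = [
    ["http://news.example/article", "http://ad-net.example/click?id=1",
     "http://redir-a.example/r", "http://landing.example/install.php"],
    ["http://blog.example/post", "http://ad-net.example/click?id=7",
     "http://redir-b.example/go", "http://landing.example/install.php"],
    ["http://forum.example/t/42", "http://redir-c.example/x",
     "http://landing.example/install.php"],
    ["http://shop.example/", "http://shop.example/checkout"],
    ["http://shop.example/cart", "http://shop.example/checkout"],
]

def host(url):
    return urlsplit(url).hostname

def build_redirection_graphs(chains):
    """Aggregate chains by final landing host into one graph per page:
    nodes are hostnames, edges are the redirections actually observed."""
    graphs = defaultdict(lambda: {"edges": set(), "entries": set(), "lengths": []})
    for chain in chains:
        hosts = [host(u) for u in chain]
        g = graphs[hosts[-1]]
        g["entries"].add(hosts[0])          # where the surfer started
        g["lengths"].append(len(hosts) - 1) # number of hops to the page
        g["edges"].update(zip(hosts, hosts[1:]))
    return graphs

def graph_features(g):
    """Illustrative characteristics of one redirection graph (assumed
    features chosen for this example, not the paper's)."""
    nodes = {h for edge in g["edges"] for h in edge}
    cross = sum(1 for a, b in g["edges"] if a != b)  # hops that change host
    return {
        "nodes": len(nodes),
        "entry_points": len(g["entries"]),
        "max_chain_len": max(g["lengths"]),
        "cross_domain_ratio": cross / len(g["edges"]) if g["edges"] else 0.0,
    }

def features_for_all(chains):
    """Per landing page, the feature vector a classifier would be trained on."""
    return {page: graph_features(g)
            for page, g in build_redirection_graphs(chains).items()}
```

With this data the `landing.example` graph is reached from three unrelated entry points through several single-purpose redirector hosts, while `shop.example` only redirects within itself; those are the kinds of structural differences a classifier trained on many such graphs can separate.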