ZHANG Huilin,ZHUGE Jianwei,SONG Chengyu,HAN Xinhui,ZOO Wei

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.009

2009-01-01

Abstract:A dynamic page view based drive-by download detection method was developed to address the challenge hidden drive-by downloads which abuse inline linking dynamics creation and obfuscation.The method uses a script engine to execute page scripts with tools to reveal the script's actions and inline linking identification mechanisms and rebuilds the dynamic page view of the visited page by recursively analyzing the inline pages.The system then detects drive-by downloads based on the rebuilt dynamic page view.Tests on a prototype based on the open-sourced PHoneyC framework to detect 89 drive-by download samples showed that single page views in this paper had a detection rate of 29.2%, static page views had a detection rate of 43.8%, and the dynamic page views had a detection rate of 70.8%.Thus, the dynamic detection method has a much higher detection rate.

Saeed Ibrahim,Nawwaf Al Herami,Ebrahim Al Naqbi,Monther Aldwairi

DOI: https://doi.org/10.48550/arXiv.2002.08007

2020-04-09

Abstract:A drive by download is a download that occurs without users action or knowledge. It usually triggers an exploit of vulnerability in a browser to downloads an unknown file. The malicious program in the downloaded file installs itself on the victims machine. Moreover, the downloaded file can be camouflaged as an installer that would further install malicious software. Drive by downloads is a very good example of the exponential increase in malicious activity over the Internet and how it affects the daily use of the web. In this paper, we try to address the problem caused by drive by downloads from different standpoints. We provide in depth understanding of the difficulties in dealing with drive by downloads and suggest appropriate solutions. We propose machine learning and feature selection solutions to remedy the the drive-by download problem. Experimental results reported 98.2% precision, 98.2% F-Measure and 97.2% ROC area.

Cryptography and Security

周黔,吴铁军

DOI: https://doi.org/10.3321/j.issn:1001-0920.2008.10.021

2008-01-01

Abstract:Efficient trend extraction methods can provide early warnings,severity assessments of monitored subjects and information for decision support.In this paper,a real-time trend extraction algorithm for dynamic data streams algorithm is proposed by combining an incremental recursive least square algorithm for regression parameter estimation with the generalized likelihood ratio test for change-point detection.Remarkably faster computational speed and higher trend analysis accuracy are achieved by this algorithm compared with the existing algorithms in the same field.The experiment results show the effectiveness of the proposed algorithm.

Rui-zhi TIAN,Bing MAO,Li XIE

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.032

2014-01-01

Abstract:Web based malware infection and propagation method becomes the main way of virus's spreading in the Internet. Drive-by Download is one of the best known ways among them. Make use of the browser extension to monitor user's download file activities,to construct the white list. In addition to this,install a hook in the kernel space to prevent unauthorized file to execute,so as to block the Drive-by Download attacks. It has implemented a prototype:DPrevent (Drive-by Download Prevent),which is based on the Firefox ex-tension,for the Microsoft Windows platform. The experiment demonstrates that,the false positive and false negative of the DPrevent are both zero. Since of the agnostic for the attack method,it can also defend the zero-day attacks. The overhead of DPrevent is almost zero, which is better than the other dynamic skills in this area.

Jing Yang,Liming Wang,Zhen Xu,Jigang Wang,Tian Tian

DOI: https://doi.org/10.1007/978-3-030-21373-2_30

2019-01-01

Abstract:Web scan is one of the most common network attacks on the Internet, in which an adversary probes one or more websites to discover exploitable information in order to perform further cyber attacks. For a coordinated web scan, an adversary controls multiple sources to achieve a large-scale scanning as well as detection evasion. In this paper, a novel detection approach based on hierarchical correlation is proposed to identify coordinated web campaigns from the labelled malicious sources. The semantic correlation is used to identify the malicious sources scanning the similar contents, and the temporal-spatial correlation is employed to identify malicious campaigns from the semantic correlation results. In both correlation phases, we convert the clustering problem into the group partition problem and propose a greedy algorithm to solve it. The evaluation shows that our algorithm is effective in detecting coordinated web scan attacks, since the metric Precision for detection can achieve 1.0, and the metric Rand Index for clustering is 0.984.

Yinzhi Cao,Xiang Pan,Yan Chen,Jianwei Zhuge

DOI: https://doi.org/10.1145/2664243.2664256

2014-01-01

Abstract:Drive-by download attacks, which exploit vulnerabilities of web browsers to control client computers, have become a major venue for attackers. To detect such attacks, researchers have proposed many approaches such as anomaly-based [22, 23] and vulnerability-based [44, 50] detections. However, anomaly-based approaches are vulnerable to data pollution, and existing vulnerability-based approaches cannot accurately describe the vulnerability condition of all the drive-by download attacks. In this paper, we propose a vulnerability-based approach, namely JShield, which uses novel opcode vulnerability signature, a deterministic finite automaton (DFA) with a variable pool at opcode level, to match drive-by download vulnerabilities. We investigate all the JavaScript engine vulnerabilities of web browsers from 2009 to 2014, as well as those of portable document files (PDF) readers from 2007 to 2014. JShield is able to match all of those vulnerabilities; furthermore, the overall evaluation shows that JShield is so lightweight that it only adds 2.39 percent of overhead to original execution as the median among top 500 Alexa web sites.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Lixin Wang,Jianhua Yang,Xiaohua Xu,Peng-Jun Wan

DOI: https://doi.org/10.1155/2021/6632671

2021-03-03

Wireless Communications and Mobile Computing

Abstract:Intruders on the Internet usually launch network attacks through compromised hosts, called stepping stones, in order to reduce the chance of being detected. With stepping-stone intrusions, an attacker uses tools such as SSH to log in several compromised hosts remotely and create an interactive connection chain and then sends attacking packets to a target system. An effective method to detect such an intrusion is to estimate the length of a connection chain. In this paper, we develop an efficient algorithm to detect stepping-stone intrusion by mining network traffic using the k -means clustering. Existing approaches for connection-chain-based stepping-stone intrusion detection either are not effective or require a large number of TCP packets to be captured and processed and, thus, are not efficient. Our proposed detection algorithm can accurately determine the length of a connection chain without requiring a large number of TCP packets being captured and processed, so it is more efficient. Our proposed detection algorithm is also easier to implement than all existing approaches for stepping-stone intrusion detection. The effectiveness, correctness, and efficiency of our proposed detection algorithm are verified through well-designed network experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chengyu Song,Jianwei Zhuge,Xinhui Han,Zhiyuan Ye

DOI: https://doi.org/10.1145/1755688.1755705

2010-01-01

Abstract:Drive-by download attack is one of the most severe threats to Internet users. Typically, only visiting a malicious page will result in compromise of the client and infection of malware. By the end of 2008, drive-by download had already become the number one infection vector of malware [5]. The downloaded malware may steal the users' personal identification and password. They may also join botnet to send spams, host phishing site or launch distributed denial of service attacks. Generally, these attacks rely on successful exploits of the vulnerabilities in web browsers or their plug-ins. Therefore, we proposed an inter-module communication monitoring based technique to detect malicious exploitation of vulnerable components thus preventing the vulnerability being exploited. We have implemented a prototype system that was integrated into the most popular web browser Microsoft Internet Explorer. Experimental results demonstrate that, on our test set, by using vulnerability-based signature, our system could accurately detect all attacks targeting at vulnerabilities in our definitions and produced no false positive. The evaluation also shows the performance penalty is kept low.

Xueqi Zhang

DOI: https://doi.org/10.3233/idt-240382

2024-06-01

Intelligent Decision Technologies

Abstract:The malicious download of library resources may lead to serious security risks and data leakage. To address this issue, this study proposes an intelligent algorithm based on Sliding Event Windows for detecting the malicious download behavior. This research method includes collecting and analyzing library resource download data and establishing a Sliding Event Window model for behavioral analysis. For each event window, this intelligent algorithm was utilized for feature extraction and behavior classification. Experimental results showed that window size and class radius had a large impact, while clustering radius had a small impact. The maximum topic cluster ratio affected the false alarm rate. In the ROC curve area comparison, the AUC values of the proposed method, RBM Method, a detection method based on IP request time interval, and a detection method based on IP request frequency were 0.904, 0.879, 0.841, and 0.797, respectively. The research confirmed that Sliding Event Windows can effectively improve the accuracy of malicious download detection for library resources, enhance the security of library resources, and protect user privacy. This study can further optimize resource utilization efficiency and promote scientific research and innovative development.

CHEN Pei,HONG Geng,WU Meng-Ying,CHEN Jin-Song,DUAN Hai-Xin,YANG Min

DOI: https://doi.org/10.13328/j.cnki.jos.007122

2024-01-01

International Journal of Software and Informatics

Abstract:In recent years,with the rise of the mobile Internet,underground mobile applications primarily involved in scams,gambling,and pornography have become more rampant,requiring effective control measures.Currently,there is a lack of research on underground applications by researchers.Due to the continuous crackdown by law enforcement agencies on traditional distribution channels for these applications,the existing collection methods based on search engines and app stores have proven to be ineffective.The lack of large-scale and representative datasets of real-world underground applications has become a major constraint for in-depth research.Therefore,this study aims to address the challenge of collection of large-scale real-world underground applications,providing data support for a comprehensive in-depth analysis of these applications and their ecosystem.A method is proposed to capture underground applications based on traffic analysis.By focusing on the key distribution channels of underground applications and leveraging their characteristics of mutation and accompanying traffic,underground applications can be discovered in the propagation stage.In the test,the proposed method successfully obtained 3 439 application download links and 3 303 distinct applications.Among these apps,91.61%of the samples were labeled as malware by antivirus engine,while 98.14%of the samples were zero-days.The results demonstrate the effectiveness of the proposed method in the collection of underground applications.

Xing Li,Qianli Zhang,Jichen Liu

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.004

2017-01-01

Abstract:Aiming at the problem that the distributed denial of service(DDoS)attacks often use va-rious methods, a comprehensive scoring algorithm is designed.The algorithm can combine several detection algorithms and give a comprehensive score to alarm the attacks.Due to that current DDoS detection algorithms can not provide the specific features of the attacks, an Apriori-Geo-AS algo-rithm and Kolmogorov-Smirnov test based port usage pattern classification algorithm are designed. By improving the Apriori algorithm,the source-address,port and geographic location information of the attack source are extracted more effectively.Compared the port usage pattern with the ideal port usage pattern through the Kolmogorov-Smirnov test,the attacker摧s port usage pattern is further deter-mined.Experimental results show that the comprehensive scoring based detection algorithm can achieve a false alarm rate of less than 0.2%.An analysis on the attack case in Tsinghua University campus network demonstrates the effectiveness of the attack analysis.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Wei-Feng ZHANG,Rui-Cheng LIU,Lei XU

DOI: https://doi.org/10.13328/j.cnki.jos.005495

2018-01-01

Abstract:Web Trojan is a form of attack that inserts an attacking script into the Web page,and by exploiting the vulnerabilities of browsers and their plug-ins,it causes the victim's system silently download and install malicious programs.Based on dynamic program analysis and machine learning method,this paper proposes a method of detecting Trojans based on dynamic behavior analysis.Firstly,the behaviors of the attack scripts on the landing page,including the dynamic function execution,the dynamic generation function execution,the script insertion,the page insertion and the URL jump,are monitored.Then these behaviors are extracted according to a set of rules.The associated string operation records are also processed as features.Next,for the use of heap malicious operation (the shellcode behavior),a feature indicating the heap risk is proposed.Finally,500 web samples from Alexa and VirusShare are collected as data sets,and a classifier is trained by machine learning method.The experimental results show that compared with the existing methods,the presented method has high accuracy (96.94％) and can effectively prevent interference of code obfuscation (lower false positive rate of 6.1％ and false negative rate of 1.3％).

Yan Qin,Weiping Wang,Shigeng Zhang,Kai Chen

DOI: https://doi.org/10.1109/tifs.2021.3080082

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The exploit kits (EKs) are used by attackers to distribute malware automatically and silently. Existing approaches to EKs detection usually need to perform dynamic analysis on the content contained in the network traffic, which requires dumping all the network traffic and thus causes high detection overhead. Although some approaches detect EKs based on static analysis, they usually fail to restore the complete attack path because of the obstruction set by the attackers. In this paper, we propose an approach that can detect EKs based on only information extracted by static analysis. Our method builds a graph for web sessions and extracts features from the graph to perform EKs detection. The built graph catches important structural characteristics of the interaction during EK attacks that were not revealed in existing methods, with which EKs can be detected with high accuracy. The experiments show that our method works well in both the ground-truth datasets and the latest practical cases. Our method can also identify the malicious websites concealed in EKs, which can further improve the efficiency of analysis.

computer science, theory & methods,engineering, electrical & electronic

Bingnan HOU,Yan? YU,Jiashun WU

2015-01-01

Journal of Computer Applications

Abstract:Malicious Web pages that host drive-by-download exploits have become the popular means for compromising hosts and creating botnets on the Internet. In drive-by-download exploits, attackers embed malicious JavaScript code into a Web page. When a victim visits this page, the script is executed and attempts to compromise the browser or one of its plugins. This paper proposed a detection and analysis method of malicious JavasScript code based on pre-filter called JSFEA which suits for large-scale Web page detection. JSFEA used static analysis techniques to quickly examine a Web page for determining whether it”s suspicious or not. If it is determined suspicious then put it into dynamic detection. The study shows that JSFEA is able to reduce the load on a more costly dynamic analysis by more than 85%, with a low false positive rate.

Shize Zhang,Zhiliang Wang,Jiahai Yang,Xin Cheng,Xiaoqian Ma,Hui Zhang,Bo Wang,Zimu Li,Jianping Wu

DOI: https://doi.org/10.1145/3485832.3485835

2021-01-01

Abstract:With the development of cryptocurrencies’ market, the problem of cryptojacking, which is an unauthorized control of someone else’s computer to mine cryptocurrency, has been more and more serious. Existing cryptojacking detection methods require to install anti-virus software on the host or load plug-in in the browser, which are difficult to deploy on enterprise or campus networks with a large number of hosts and servers. To bridge the gap, we propose MineHunter, a practical cryptomining traffic detection algorithm based on time series tracking. Instead of being deployed at the hosts, MineHunter detects the cryptomining traffic at the entrance of enterprise or campus networks. Minehunter has taken into account the challenges faced by the actual deployment environment, including extremely unbalanced datasets, controllable alarms, traffic confusion, and efficiency. The accurate network-level detection is achieved by analyzing the network traffic characteristics of cryptomining and investigating the association between the network flow sequence of cryptomining and the block creation sequence of cryptocurrency. We evaluate our algorithm at the entrance of a large office building in a campus network for a month. The total volumes exceed 28 TeraBytes. Our experimental results show that MineHunter can achieve precision of 97.0% and recall of 99.7%.

Wu Liu,Jian-Ping Wu,Hai-Xin Duan,Xing Li

DOI: https://doi.org/10.1007/11540007_96

2006-01-01

Abstract:In this paper, we apply data mining techniques to construct intrusion detection patterns. We mine both system audit data and network traffic data for consistent and useful patterns of program and user behavior, and use an iterative low-frequency-finder mining algorithm to find the low frequency but important patterns.

Yangzong Zhang,Wenjian Liu,Kaiian Kuok,Ngai Cheong

DOI: https://doi.org/10.1109/access.2024.3349943

IF: 3.9

2024-01-01

IEEE Access

Abstract:Recent stealth attacks cleverly disguise malicious activities, masquerading as ordinary connections to popular online services through seemingly innocuous applications. These methods often evade detection by traditional network monitoring or signature-based techniques, as attackers frequently hide Command and Control (C&C) servers within well-known cloud service providers, making the traffic anomalies appear normal. In this paper, we introduce an application-level monitoring system, Anteater. Anteater constructs a detailed profile for each legitimate software’s network traffic behavior, outlining the expected traffic patterns. By scrutinizing a program’s network traffic configuration, Anteater efficiently pinpoints and intercepts the IP addresses associated with abnormal program access. Implemented in a real-world enterprise environment, Anteater was tested on a dataset containing over 400 million real-world network traffic sessions. The evaluation results demonstrate that Anteater achieves a high detection rate for malware injections, boasting a true positive rate of 94.5% and a false positive rate of less than 0.1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Senhao Wen,Zhiyuan Zhao,Hanbing Yan

DOI: https://doi.org/10.1145/3199478.3199500

2018-03-16

Abstract:We are increasingly relying on HTML(Hypertext Markup Language) web-pages, including online shopping, obtaining information and handling official business, whether on a mobile phone or on a computer. But the underground industry or deliberate attacker has also targeted us. They forges misleading URLs(UniformResourceLocators) and web-pages with various tricky skills which are difficult to identify even for the professionals, so as to steal money, manipulate our devices, monitor our lives. Currently, most of the malicious websites detecting technology is based on features of URLs or Web page elements, which make us feel upset, because it is difficult to extract all the features, and its hysteresis quality make it hard to meet the requirement of tracking the rapid changes of malicious web sites, especially the phishing websites. This paper design a thorough associated analysis model of web-pages using the technology of topic tracking, topic abnormal discovery, web-page visual similarity assessment, web-page structure analyzing, URL analyzing, Internet Resources analyzing and so on, to solve the problem of missing detecting malicious websites, especially with unknown features. The detecting model is able to discover the forged payment web-pages, fake web page which damage the reputation of the relevant organization, personal attack web-pages, tampered web page, web-page trojan, etc. In the meantime, it can track the topic of underground industry and sense the topic evolution. According to our experiments, it is effective and has high accuracy.