ZHANG Huilin,ZHUGE Jianwei,SONG Chengyu,HAN Xinhui,ZOO Wei

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.009

2009-01-01

Abstract:A dynamic page view based drive-by download detection method was developed to address the challenge hidden drive-by downloads which abuse inline linking dynamics creation and obfuscation.The method uses a script engine to execute page scripts with tools to reveal the script's actions and inline linking identification mechanisms and rebuilds the dynamic page view of the visited page by recursively analyzing the inline pages.The system then detects drive-by downloads based on the rebuilt dynamic page view.Tests on a prototype based on the open-sourced PHoneyC framework to detect 89 drive-by download samples showed that single page views in this paper had a detection rate of 29.2%, static page views had a detection rate of 43.8%, and the dynamic page views had a detection rate of 70.8%.Thus, the dynamic detection method has a much higher detection rate.

Saeed Ibrahim,Nawwaf Al Herami,Ebrahim Al Naqbi,Monther Aldwairi

DOI: https://doi.org/10.48550/arXiv.2002.08007

2020-04-09

Abstract:A drive by download is a download that occurs without users action or knowledge. It usually triggers an exploit of vulnerability in a browser to downloads an unknown file. The malicious program in the downloaded file installs itself on the victims machine. Moreover, the downloaded file can be camouflaged as an installer that would further install malicious software. Drive by downloads is a very good example of the exponential increase in malicious activity over the Internet and how it affects the daily use of the web. In this paper, we try to address the problem caused by drive by downloads from different standpoints. We provide in depth understanding of the difficulties in dealing with drive by downloads and suggest appropriate solutions. We propose machine learning and feature selection solutions to remedy the the drive-by download problem. Experimental results reported 98.2% precision, 98.2% F-Measure and 97.2% ROC area.

Cryptography and Security

Yinzhi Cao,Xiang Pan,Yan Chen,Jianwei Zhuge

DOI: https://doi.org/10.1145/2664243.2664256

2014-01-01

Abstract:Drive-by download attacks, which exploit vulnerabilities of web browsers to control client computers, have become a major venue for attackers. To detect such attacks, researchers have proposed many approaches such as anomaly-based [22, 23] and vulnerability-based [44, 50] detections. However, anomaly-based approaches are vulnerable to data pollution, and existing vulnerability-based approaches cannot accurately describe the vulnerability condition of all the drive-by download attacks. In this paper, we propose a vulnerability-based approach, namely JShield, which uses novel opcode vulnerability signature, a deterministic finite automaton (DFA) with a variable pool at opcode level, to match drive-by download vulnerabilities. We investigate all the JavaScript engine vulnerabilities of web browsers from 2009 to 2014, as well as those of portable document files (PDF) readers from 2007 to 2014. JShield is able to match all of those vulnerabilities; furthermore, the overall evaluation shows that JShield is so lightweight that it only adds 2.39 percent of overhead to original execution as the median among top 500 Alexa web sites.

Bingnan HOU,Yan? YU,Jiashun WU

2015-01-01

Journal of Computer Applications

Abstract:Malicious Web pages that host drive-by-download exploits have become the popular means for compromising hosts and creating botnets on the Internet. In drive-by-download exploits, attackers embed malicious JavaScript code into a Web page. When a victim visits this page, the script is executed and attempts to compromise the browser or one of its plugins. This paper proposed a detection and analysis method of malicious JavasScript code based on pre-filter called JSFEA which suits for large-scale Web page detection. JSFEA used static analysis techniques to quickly examine a Web page for determining whether it”s suspicious or not. If it is determined suspicious then put it into dynamic detection. The study shows that JSFEA is able to reduce the load on a more costly dynamic analysis by more than 85%, with a low false positive rate.

Chengyu Song,Jianwei Zhuge,Xinhui Han,Zhiyuan Ye

DOI: https://doi.org/10.1145/1755688.1755705

2010-01-01

Abstract:Drive-by download attack is one of the most severe threats to Internet users. Typically, only visiting a malicious page will result in compromise of the client and infection of malware. By the end of 2008, drive-by download had already become the number one infection vector of malware [5]. The downloaded malware may steal the users' personal identification and password. They may also join botnet to send spams, host phishing site or launch distributed denial of service attacks. Generally, these attacks rely on successful exploits of the vulnerabilities in web browsers or their plug-ins. Therefore, we proposed an inter-module communication monitoring based technique to detect malicious exploitation of vulnerable components thus preventing the vulnerability being exploited. We have implemented a prototype system that was integrated into the most popular web browser Microsoft Internet Explorer. Experimental results demonstrate that, on our test set, by using vulnerability-based signature, our system could accurately detect all attacks targeting at vulnerabilities in our definitions and produced no false positive. The evaluation also shows the performance penalty is kept low.

Yizhi Liu,Chaoqun Zhu,Yadi Wu,Heng Xu,Jun Song

DOI: https://doi.org/10.1002/cpe.6191

2021-01-19

Concurrency and Computation: Practice and Experience

Abstract:<p>In recent years, with the rapid development of mobile social networks and services, the research of mobile malicious webpage detection has become a hot topic. Most of the existing malicious webpage detection systems are deployed on desktop systems and servers. Due to the limitation of network transmission delay and computing resources, these existing solutions fail to provide the real‐time and lightweight properties for mobile webpage detection. In this paper, we propose an advanced mobile malicious webpage detection framework based on deep learning and edge cloud. Inspired by the idea of edge computing, a multidevice load optimization approach is first introduced to improve detection efficiency. Second, an automatic extraction approach based on deep learning model features is presented to enhance detection accuracy. Furthermore, detection systems can be flexibly deployed on edge nodes and servers, thus providing the properties of resource optimization deployment and real‐time detection. Finally, comparative analysis and performance evaluation are presented to show the detection efficiency and accuracy of the proposed framework.</p>

Rui-zhi TIAN,Bing MAO,Li XIE

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.032

2014-01-01

Abstract:Web based malware infection and propagation method becomes the main way of virus's spreading in the Internet. Drive-by Download is one of the best known ways among them. Make use of the browser extension to monitor user's download file activities,to construct the white list. In addition to this,install a hook in the kernel space to prevent unauthorized file to execute,so as to block the Drive-by Download attacks. It has implemented a prototype:DPrevent (Drive-by Download Prevent),which is based on the Firefox ex-tension,for the Microsoft Windows platform. The experiment demonstrates that,the false positive and false negative of the DPrevent are both zero. Since of the agnostic for the attack method,it can also defend the zero-day attacks. The overhead of DPrevent is almost zero, which is better than the other dynamic skills in this area.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

韩心慧,龚晓锐,诸葛建伟,邹磊,邹维

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.10.021

2011-01-01

Abstract:A frequent embedded subtree pattern-mining algorithm was developed based on observations of the URL link tree structure of drive-by-download attack scenarios to extract typical frequent embedded subtree patterns from a large library of scenarios collected in the wild.35 extracted patterns were used to change a subtree matching algorithm into a behavior-based dynamic detection method for drive-by-downloads.Tests show that the purely dynamic detection method missed about 20% of the drive-by-downloads identified using the subtree matching algorithm based on the extracted patterns.Therefore,the subtree matching algorithm partially solves the problem of missed drive-by-downloads.These common subtree patterns provide a way to classify and trace the sources of drive-by-download attacks.

Muhammad Usman Rana,Munam Ali Shah,Mohammad Abdulaziz Al-Naeem,Carsten Maple

DOI: https://doi.org/10.1109/access.2024.3477631

IF: 3.9

2024-10-19

IEEE Access

Abstract:Ransomware has appeared to be the most damaging and devastating type of malware attack in any cyber physical system. The resilience of a web browser to deal with the malware attack is of significance importance, however, evaluating the performance of a browser to tackle these attacks is a challenging task. Due to various automation techniques, web applications can be tested without human intervention. Technologies such as Junit, Chakram, and Selenium are useful in automated testing but the problem is that the attacker uses harmful code and automated web approaches to distribute their malware. In this research,our contribution is twofold. Firstly, we examine a new attack vector that cyber adversaries can possibly use in the future to infect an operating system with a malware. Currently, attackers use various techniques to gain access to victims' personal computers. Secondly, we present a novel automated web defence to countermeasure these malware attacks. The proposed research aims to provide a better understanding of the new computer virus-spreading techniques that intruders can use in the future. We provide the insight of these attacks and present ways to countermeasure the attacks and to reduce the attack surface. Experiments and flow diagrams have been used to demonstrate the attack and defence approach. To offer malware lateral movement and to encrypt the date of users' device, we use Selenium automation tool on a social media platform. For our experimentation, we developed an application which has been tested on a variety of browsers including Google Chrome, Firefox, and Safari. Our research has revealed that we have an 85 percent success rate when testing in a head-on environment. We have expanded our experiments on headless applications and interestingly, the accuracy rate improved and the probability of success increased to 95 percent. Lastly, we have demonstrated a unique method for detecting and stopping web automation that is generally applicable.

computer science, information systems,telecommunications,engineering, electrical & electronic

Junho Choi,Chang Choi,Byeongkyu Ko,Pankoo Kim

DOI: https://doi.org/10.1007/s00500-014-1250-8

IF: 3.732

2014-03-11

Soft Computing

Abstract:Cloud computing is a more advanced technology for distributed processing, e.g., a thin client and grid computing, which is implemented by means of virtualization technology for servers and storages, and advanced network functionalities. However, this technology has certain disadvantages such as monotonous routing for attacks, easy attack method, and tools. This means that all network resources and operations are blocked all at once in the worst case. Various studies such as pattern analyses and network-based access control for infringement response based on Infrastructure as a Service, Platform as a Service and Software as a Service in cloud computing services have therefore been recently conducted. This study proposes a method of integration between HTTP GET flooding among Distributed Denial-of-Service attacks and MapReduce processing for fast attack detection in a cloud computing environment. In addition, experiments on the processing time were conducted to compare the performance with a pattern detection of the attack features using Snort detection based on HTTP packet patterns and log data from a Web server. The experimental results show that the proposed method is better than Snort detection because the processing time of the former is shorter with increasing congestion.

computer science, artificial intelligence, interdisciplinary applications

Alfredo De Santis,Giancarlo De Maio,Umberto Ferraro Petrillo

DOI: https://doi.org/10.48550/arXiv.1507.03467

2015-07-13

Cryptography and Security

Abstract:The web is experiencing an explosive growth in the last years. New technologies are introduced at a very fast-pace with the aim of narrowing the gap between web-based applications and traditional desktop applications. The results are web applications that look and feel almost like desktop applications while retaining the advantages of being originated from the web. However, these advancements come at a price. The same technologies used to build responsive, pleasant and fully-featured web applications, can also be used to write web malware able to escape detection systems. In this article we present new obfuscation techniques, based on some of the features of the upcoming HTML5 standard, which can be used to deceive malware detection systems. The proposed techniques have been experimented on a reference set of obfuscated malware. Our results show that the malware rewritten using our obfuscation techniques go undetected while being analyzed by a large number of detection systems. The same detection systems were able to correctly identify the same malware in its original unobfuscated form. We also provide some hints about how the existing malware detection systems can be modified in order to cope with these new techniques.

JongHun Jung,Hwan-Kuk Kim,Soojin Yoon

DOI: https://doi.org/10.48550/arXiv.1502.03872

2015-02-13

Abstract:Recent web-based cyber attacks are evolving into a new form of attacks such as private information theft and DDoS attack exploiting JavaScript within a web page. These attacks can be made just by accessing a web site without distribution of malicious codes and infection. Script-based cyber attacks are hard to detect with traditional security equipments such as Firewall and IPS because they inject malicious scripts in a response message for a normal web request. Furthermore, they are hard to trace because attacks such as DDoS can be made just by visiting a web page. Due to these reasons, it is expected that they could result in direct damages and great ripple effects. To cope with these issues, in this article, a proposal is made for techniques that are used to detect malicious scripts through real-time web content analysis and to automatically generate detection signatures for malicious JavaScript.

Cryptography and Security

Xincheng He,Chunliu Cha,Lei Xu

DOI: https://doi.org/10.1109/APSEC.2018.00051

2018-12-01

Abstract:JavaScript plays an important role in web applications and services, which is used by millions of web pages in optimizing interface design, embedding dynamic texts, reading and writing HTML elements, validating form data, responding to browser events, controlling cookies and much more. However, since JavaScript is cross-platform and can be executed dynamically, it has been a major vehicle for web-based attacks. Existing solutions work by performing static analysis or monitoring program execution dynamically. However, since the heavy use of obfuscation techniques, many methods no longer apply to malicious JavaScript code detection, and it has been a huge challenge to de-obfuscate obfuscated malicious JavaScript code accurately. In this paper, we propose a hybrid analysis method combining static and dynamic analysis for detecting malicious JavaScript code that works by first conducting syntax analysis and dynamic instrumentation to extract internal features that are related to malicious code and then performing classificationbased detection to distinguish attacks. In addition, based on code instrumentation, we propose a new method which can deobfuscate part of obfuscated malicious JavaScript code accurately. Ultimately, we implement a browser plug-in called MJDetector and perform evaluation on 450 real web pages. Evaluation results show that our method can detect malicious JavaScript code and de-obfuscate obfucation effectively and efficiently. Specifically, MJDetector can detect JavaScipt attacks in current web pages with high accuracy 94.76% and de-obfuscate obfuscate code of specific types with accuracy 100% whereas the base line method can only detect with accuracy 81.16% and has no capacity of de-obfuscation.

Computer Science

Jianlin Xu,Yifan Yu,Zhen Chen,Bin Cao,Wenyu Dong,Yu Guo,Junwei Cao

DOI: https://doi.org/10.1109/tst.2013.6574680

2013-01-01

Tsinghua Science & Technology

Abstract:With the explosive increase in mobile apps, more and more threats migrate from traditional PC client to mobile device. Compared with traditional Win+Intel alliance in PC, Android+ARM alliance dominates in Mobile Internet, the apps replace the PC client software as the major target of malicious usage. In this paper, to improve the security status of current mobile apps, we propose a methodology to evaluate mobile apps based on cloud computing platform and data mining. We also present a prototype system named MobSafe to identify the mobile app's virulence or benignancy. Compared with traditional method, such as permission pattern based method, MobSafe combines the dynamic and static analysis methods to comprehensively evaluate an Android app. In the implementation, we adopt Android Security Evaluation Framework (ASEF) and Static Android Analysis Framework (SAAF), the two representative dynamic and static analysis methods, to evaluate the Android apps and estimate the total time needed to evaluate all the apps stored in one mobile app market. Based on the real trace from a commercial mobile app market called AppChina, we can collect the statistics of the number of active Android apps, the average number apps installed in one Android device, and the expanding ratio of mobile apps. As mobile app market serves as the main line of defence against mobile malwares, our evaluation results show that it is practical to use cloud computing platform and data mining to verify all stored apps routinely to filter out malware apps from mobile app markets. As the future work, MobSafe can extensively use machine learning to conduct automotive forensic analysis of mobile apps based on the generated multifaceted data in this stage.

Fan Yang,Chaoqun Zhu,Heng Xu,Yongfeng Qian,Jun Song

DOI: https://doi.org/10.1002/cpe.6792

2021-12-27

Concurrency and Computation: Practice and Experience

Abstract:Summary Malicious webpage detection is a crucial work in both theory and practical environment. In practical applications, static detection methods are usually regarded as a priority choice, which can quickly detect unknown malicious web pages and avoid a costly in‐depth analysis. However, existing solution of static detection typically has the following problems. For example, a single static detection may lead to a higher false positive rate, and the integrated detection usually has a lower detection efficiency. In this article, we propose an efficient webpage static detection framework, especially considering both the detection efficiency and the detection accuracy. Then, on the basis of the extended feature sets from URL, HTML, and JavaScript, we introduce an optimized naive Bayesian algorithm, in which a novel amplification factor strategy is proposed. Finally, a webpage threat assessment model oriented to general machine learning is presented to achieve the refined detection. Three main properties are provided: high detection efficiency, high detection accuracy, and better applicability. Furthermore, the comprehensive experimental results and comparative analysis is given to show the advantages of the proposed framework.

bin cao,zhen chen,hongjian liu,ge ma,peng zhang,guodong peng

DOI: https://doi.org/10.1109/ICNDC.2013.9

2013-01-01

Abstract:With the rapid growth of Internet, the amount of malicious codes is exploding. Some security software vendors provide new cloud-based safeguard software for client users. These software, as part of Internet ware, consist of many modules with different functions and Internet behaviors. The Trojan scanning module, for instance, is based on cloud scanning function, which is achieved by collecting a large number of suspicious files on users' hosts and scanning them in remote cloud platforms. While providing security, they also bring a serious problem of user privacy. In this paper, we use black box testing method to analyze the network behavior of four safeguard software, especially the Trojan scanning module based on cloud scanning function. In specific, we conduct extensive experiments to examine the network behaviors of the major function modules used by these safeguard software. In this paper we present a reasonable network behavior model that can help the safeguard software to protect users' privacy. One way of looking at our contributions is the network behavior comparison and analysis of four safeguard software which are widely used in China. And the experimental results validate our claims either.

Donghai Tian,Runze Zhao,Rui Ma,Xiaoqi Jia,Qi Shen,Changzhen Hu,Wenmao Liu

DOI: https://doi.org/10.1002/ett.4584

IF: 3.6

2022-07-01

Transactions on Emerging Telecommunications Technologies

Abstract:We present MDCD, a malware detection system for virtualization environments. By utilizing the run‐time utilization and memory object information of the target VM, we can effectively detect the malicious programs in the target VM. With the increasing popularity of cloud computing applications, the threat of malware attack against cloud environments is getting worse. To defend against malware attacks in the cloud, some virtualization‐based approaches are proposed. However, the existing methods suffer from limitations in terms of detection accuracy, deployment effort, and performance cost. To address these issues, we propose MDCD, a novel dynamic malware detection solution for cloud environments. This method first utilizes a lightweight agent to collect the run‐time utilization information from the target virtual machine (VM). Then, it leverages the memory forensics analysis technique to extract the memory object information from the target VM's memory. To fully make use of the run‐time utilization and memory object information for malware detection, we propose a multi‐CNN model, which combines multiple convolutional neural networks (CNNs) efficiently. The evaluation shows that our approach can achieve an average detection accuracy, precision, recall, and F1 Score of 98.89%, 97.01%, 98.17%, and 97.89% respectively. Compared with the existing solutions, our method can detect multiple malicious processes effectively with little deployment effort.

telecommunications

Muhammad Saad,David Mohaisen

2023-04-26

Abstract:Cryptojacking is the permissionless use of a target device to covertly mine cryptocurrencies. With cryptojacking, attackers use malicious JavaScript codes to force web browsers into solving proof-of-work puzzles, thus making money by exploiting the resources of the website visitors. To understand and counter such attacks, we systematically analyze the static, dynamic, and economic aspects of in-browser cryptojacking. For static analysis, we perform content, currency, and code-based categorization of cryptojacking samples to 1) measure their distribution across websites, 2) highlight their platform affinities, and 3) study their code complexities. We apply machine learning techniques to distinguish cryptojacking scripts from benign and malicious JavaScript samples with 100\% accuracy. For dynamic analysis, we analyze the effect of cryptojacking on critical system resources, such as CPU and battery usage. We also perform web browser fingerprinting to analyze the information exchange between the victim node and the dropzone cryptojacking server. We also build an analytical model to empirically evaluate the feasibility of cryptojacking as an alternative to online advertisement. Our results show a sizeable negative profit and loss gap, indicating that the model is economically infeasible. Finally, leveraging insights from our analyses, we build countermeasures for in-browser cryptojacking that improve the existing remedies.

Cryptography and Security,Computers and Society,Machine Learning,Software Engineering

R. E. Shepherd,P. D. Gollnick

DOI: https://doi.org/10.1007/BF00581173

1976-04-06

Pflügers Archiv

Abstract: