Chengyu Song,Jianwei Zhuge,Xinhui Han,Zhiyuan Ye

DOI: https://doi.org/10.1145/1755688.1755705

2010-01-01

Abstract:Drive-by download attack is one of the most severe threats to Internet users. Typically, only visiting a malicious page will result in compromise of the client and infection of malware. By the end of 2008, drive-by download had already become the number one infection vector of malware [5]. The downloaded malware may steal the users' personal identification and password. They may also join botnet to send spams, host phishing site or launch distributed denial of service attacks. Generally, these attacks rely on successful exploits of the vulnerabilities in web browsers or their plug-ins. Therefore, we proposed an inter-module communication monitoring based technique to detect malicious exploitation of vulnerable components thus preventing the vulnerability being exploited. We have implemented a prototype system that was integrated into the most popular web browser Microsoft Internet Explorer. Experimental results demonstrate that, on our test set, by using vulnerability-based signature, our system could accurately detect all attacks targeting at vulnerabilities in our definitions and produced no false positive. The evaluation also shows the performance penalty is kept low.

Saeed Ibrahim,Nawwaf Al Herami,Ebrahim Al Naqbi,Monther Aldwairi

DOI: https://doi.org/10.48550/arXiv.2002.08007

2020-04-09

Abstract:A drive by download is a download that occurs without users action or knowledge. It usually triggers an exploit of vulnerability in a browser to downloads an unknown file. The malicious program in the downloaded file installs itself on the victims machine. Moreover, the downloaded file can be camouflaged as an installer that would further install malicious software. Drive by downloads is a very good example of the exponential increase in malicious activity over the Internet and how it affects the daily use of the web. In this paper, we try to address the problem caused by drive by downloads from different standpoints. We provide in depth understanding of the difficulties in dealing with drive by downloads and suggest appropriate solutions. We propose machine learning and feature selection solutions to remedy the the drive-by download problem. Experimental results reported 98.2% precision, 98.2% F-Measure and 97.2% ROC area.

Cryptography and Security

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Yinzhi Cao,Xiang Pan,Yan Chen,Jianwei Zhuge

DOI: https://doi.org/10.1145/2664243.2664256

2014-01-01

Abstract:Drive-by download attacks, which exploit vulnerabilities of web browsers to control client computers, have become a major venue for attackers. To detect such attacks, researchers have proposed many approaches such as anomaly-based [22, 23] and vulnerability-based [44, 50] detections. However, anomaly-based approaches are vulnerable to data pollution, and existing vulnerability-based approaches cannot accurately describe the vulnerability condition of all the drive-by download attacks. In this paper, we propose a vulnerability-based approach, namely JShield, which uses novel opcode vulnerability signature, a deterministic finite automaton (DFA) with a variable pool at opcode level, to match drive-by download vulnerabilities. We investigate all the JavaScript engine vulnerabilities of web browsers from 2009 to 2014, as well as those of portable document files (PDF) readers from 2007 to 2014. JShield is able to match all of those vulnerabilities; furthermore, the overall evaluation shows that JShield is so lightweight that it only adds 2.39 percent of overhead to original execution as the median among top 500 Alexa web sites.

ZHANG Huilin,ZHUGE Jianwei,SONG Chengyu,HAN Xinhui,ZOO Wei

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.009

2009-01-01

Abstract:A dynamic page view based drive-by download detection method was developed to address the challenge hidden drive-by downloads which abuse inline linking dynamics creation and obfuscation.The method uses a script engine to execute page scripts with tools to reveal the script's actions and inline linking identification mechanisms and rebuilds the dynamic page view of the visited page by recursively analyzing the inline pages.The system then detects drive-by downloads based on the rebuilt dynamic page view.Tests on a prototype based on the open-sourced PHoneyC framework to detect 89 drive-by download samples showed that single page views in this paper had a detection rate of 29.2%, static page views had a detection rate of 43.8%, and the dynamic page views had a detection rate of 70.8%.Thus, the dynamic detection method has a much higher detection rate.

Bingnan HOU,Yan? YU,Jiashun WU

2015-01-01

Journal of Computer Applications

Abstract:Malicious Web pages that host drive-by-download exploits have become the popular means for compromising hosts and creating botnets on the Internet. In drive-by-download exploits, attackers embed malicious JavaScript code into a Web page. When a victim visits this page, the script is executed and attempts to compromise the browser or one of its plugins. This paper proposed a detection and analysis method of malicious JavasScript code based on pre-filter called JSFEA which suits for large-scale Web page detection. JSFEA used static analysis techniques to quickly examine a Web page for determining whether it”s suspicious or not. If it is determined suspicious then put it into dynamic detection. The study shows that JSFEA is able to reduce the load on a more costly dynamic analysis by more than 85%, with a low false positive rate.

Min Huang,Kai Bu,Hanlin Wang,Kaiwen Zhu

DOI: https://doi.org/10.1109/cyberc.2016.14

2016-01-01

Abstract:Malware has started grabbing its undeserved share long before the blossom of Android ecosystem. Injected with malware, malicious applications (apps) may threat users in various ways like financial charges and information stealing. When the severity of a deluge of malware was first noticed, malware detectors delivered unsatisfactory detection accuracy, which further degenerated upon simple transformation of malicious apps. Now years later, we are eager to re-examine the robustness of malware detectors. A surprisingly disappointed finding is that even known malicious apps can evade quite a few detectors. We also find that repackaging with extracted exploitable code instead of readily available malware samples can evade more signature-based detectors. Furthermore, we find Android OS features of Service and Broadcast exploitable to enable malicious apps stealthily active on phones. We implement all these findings through DroidRide, a framework toward making Android malware less catchable to detectors and more active on phones. Our prototype based on two example apps-AndroRAT and MIUI Notes-demonstrates DroidRide's effectiveness in malware evasion. Toward defending against DroidRide alike evasion, we further suggest feasible design enhancements of malware detectors and Android OS.

Muhammad Usman Rana,Munam Ali Shah,Mohammad Abdulaziz Al-Naeem,Carsten Maple

DOI: https://doi.org/10.1109/access.2024.3477631

IF: 3.9

2024-10-19

IEEE Access

Abstract:Ransomware has appeared to be the most damaging and devastating type of malware attack in any cyber physical system. The resilience of a web browser to deal with the malware attack is of significance importance, however, evaluating the performance of a browser to tackle these attacks is a challenging task. Due to various automation techniques, web applications can be tested without human intervention. Technologies such as Junit, Chakram, and Selenium are useful in automated testing but the problem is that the attacker uses harmful code and automated web approaches to distribute their malware. In this research,our contribution is twofold. Firstly, we examine a new attack vector that cyber adversaries can possibly use in the future to infect an operating system with a malware. Currently, attackers use various techniques to gain access to victims' personal computers. Secondly, we present a novel automated web defence to countermeasure these malware attacks. The proposed research aims to provide a better understanding of the new computer virus-spreading techniques that intruders can use in the future. We provide the insight of these attacks and present ways to countermeasure the attacks and to reduce the attack surface. Experiments and flow diagrams have been used to demonstrate the attack and defence approach. To offer malware lateral movement and to encrypt the date of users' device, we use Selenium automation tool on a social media platform. For our experimentation, we developed an application which has been tested on a variety of browsers including Google Chrome, Firefox, and Safari. Our research has revealed that we have an 85 percent success rate when testing in a head-on environment. We have expanded our experiments on headless applications and interestingly, the accuracy rate improved and the probability of success increased to 95 percent. Lastly, we have demonstrated a unique method for detecting and stopping web automation that is generally applicable.

computer science, information systems,telecommunications,engineering, electrical & electronic

韩心慧,龚晓锐,诸葛建伟,邹磊,邹维

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.10.021

2011-01-01

Abstract:A frequent embedded subtree pattern-mining algorithm was developed based on observations of the URL link tree structure of drive-by-download attack scenarios to extract typical frequent embedded subtree patterns from a large library of scenarios collected in the wild.35 extracted patterns were used to change a subtree matching algorithm into a behavior-based dynamic detection method for drive-by-downloads.Tests show that the purely dynamic detection method missed about 20% of the drive-by-downloads identified using the subtree matching algorithm based on the extracted patterns.Therefore,the subtree matching algorithm partially solves the problem of missed drive-by-downloads.These common subtree patterns provide a way to classify and trace the sources of drive-by-download attacks.

Pablo Picazo-Sanchez,Juan Tapiador,Gerardo Schneider

DOI: https://doi.org/10.1007/s10207-019-00481-8

2019-08-06

Abstract:Browser extensions are small applications executed in the browser context that provide additional capabilities and enrich the user experience while surfing the web. The acceptance of extensions in current browsers is unquestionable. For instance, Chrome's official extension repository has more than 63,000 extensions, with some of them having more than 10M users. When installed, extensions are pushed into an internal queue within the browser. The order in which each extension executes depends on a number of factors, including their relative installation times. In this paper, we demonstrate how this order can be exploited by an unprivileged malicious extension (i.e., one with no more permissions than those already assigned when accessing web content) to get access to any private information that other extensions have previously introduced. Our solution does not require modifying the core browser engine as it is implemented as another browser extension. We prove that our approach effectively protects the user against usual attackers (i.e., any other installed extension) as well as against strong attackers having access to the effects of all installed extensions (i.e., knowing who did what). We also prove soundness and robustness of our approach under reasonable assumptions.

Cryptography and Security

Alfredo De Santis,Giancarlo De Maio,Umberto Ferraro Petrillo

DOI: https://doi.org/10.48550/arXiv.1507.03467

2015-07-13

Cryptography and Security

Abstract:The web is experiencing an explosive growth in the last years. New technologies are introduced at a very fast-pace with the aim of narrowing the gap between web-based applications and traditional desktop applications. The results are web applications that look and feel almost like desktop applications while retaining the advantages of being originated from the web. However, these advancements come at a price. The same technologies used to build responsive, pleasant and fully-featured web applications, can also be used to write web malware able to escape detection systems. In this article we present new obfuscation techniques, based on some of the features of the upcoming HTML5 standard, which can be used to deceive malware detection systems. The proposed techniques have been experimented on a reference set of obfuscated malware. Our results show that the malware rewritten using our obfuscation techniques go undetected while being analyzed by a large number of detection systems. The same detection systems were able to correctly identify the same malware in its original unobfuscated form. We also provide some hints about how the existing malware detection systems can be modified in order to cope with these new techniques.

Wei-Feng ZHANG,Rui-Cheng LIU,Lei XU

DOI: https://doi.org/10.13328/j.cnki.jos.005495

2018-01-01

Abstract:Web Trojan is a form of attack that inserts an attacking script into the Web page,and by exploiting the vulnerabilities of browsers and their plug-ins,it causes the victim's system silently download and install malicious programs.Based on dynamic program analysis and machine learning method,this paper proposes a method of detecting Trojans based on dynamic behavior analysis.Firstly,the behaviors of the attack scripts on the landing page,including the dynamic function execution,the dynamic generation function execution,the script insertion,the page insertion and the URL jump,are monitored.Then these behaviors are extracted according to a set of rules.The associated string operation records are also processed as features.Next,for the use of heap malicious operation (the shellcode behavior),a feature indicating the heap risk is proposed.Finally,500 web samples from Alexa and VirusShare are collected as data sets,and a classifier is trained by machine learning method.The experimental results show that compared with the existing methods,the presented method has high accuracy (96.94％) and can effectively prevent interference of code obfuscation (lower false positive rate of 6.1％ and false negative rate of 1.3％).

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Shi Jingyan,Wu Kun,Zeng Qingkai,Lü Zhijun

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.12.010

2006-01-01

Abstract:The existing methods for DDoS attacks prevention usually require the protected system to analyze the attack stream to find out the attackers.But the attack stream is easy to be hidden in the common stream,which makes all of these methods inefficient.A prevention method based on interaction activity is proposed under these circumstances.During the period of attacks,server communicats with the suspicious clients to determine the attackers.The prevention method is combined with the application environment,and a prevention model is established which consists of system monitor,attacker identification,access control and so on.Then the model is deployed in Apache Web server to testify the high performance of the method.

ZhiJun Huang,Tao Zheng,Yunxiu Shi,Ang Li

DOI: https://doi.org/10.1109/icsai.2012.6223219

2012-01-01

Abstract:As the proposition of the idea of Return-Oriented Programming (ROP), programs will face new challenges from viruses, and many of current defense measures will be ineffective. With fine granularity, covert virus features, deliberate and sophisticated construction and rare static characteristics, ROP attack can circumvent many traditional defense measures and its variant Jump-Oriented Programming (JOP) attack makes lots of current special ROP defense tools lose their effects. Under this circumstance, it's imperative to discover the dynamic features of ROP exploits. At this time, bringing in the technology of Dynamic Binary Instrumentation (DBI) provides powerful support for dynamic analysis of ROP attack. In this paper, we will introduce a defense measure to ROP attack. By identifying malicious program execution flow and restricting the function call specification of general program libraries, we will prevent the turning-complete features of ROP attack. Our detection method can restrain malicious use of shared libraries by ROP and defend a large part of ROP attacks.

Min-Hao Wu,Fu-Hau Hsu,Jian-Hung Huang,Keyuan Wang,Yan-Ling Hwang,Hao-Jyun Wang,Jian-Xin Chen,Teng-Chuan Hsiao,Hao-Tsung Yang

DOI: https://doi.org/10.3390/electronics13173569

IF: 2.9

2024-09-09

Electronics

Abstract:In the late 20th century, computer viruses emerged as powerful malware that resides permanently in target hosts. For a virus to function, it must load into memory from persistent storage, such as a file on a hard drive. Due to the significant destructive potential of viruses, numerous defense measures have been developed to protect computer systems. Among these, antivirus software is one of the most recognized and widely used. Typically, antivirus solutions rely on static analysis (signature-based) technologies to detect infections in files stored on permanent storage devices, such as hard drives or USB (Universal Serial Bus) flash drives. However, a new breed of malware, fileless malware, has been designed to evade detection and enhance durability. Fileless malware resides solely in the memory of the target hosts, circumventing traditional antivirus software, which cannot access or analyze processes executed directly from memory. This study proposes the Check-on-Execution (CoE) kernel-based approach to detect fileless malware on Linux systems. CoE intervenes by suspending code execution before a program executes code from a process's writable and executable memory area. To prevent the execution of fileless malware, CoE extracts the code from memory, packages it with an ELF (Executable and Linkable Format) header to create an ELF file, and uses VirusTotal for analysis. Experimental results demonstrate that CoE significantly enhances a Linux system's ability to defend against fileless malware. Additionally, CoE effectively protects against shell code injection attacks, including buffer and memory overflows, and can handle packed malware. However, it is important to note that this study focuses exclusively on fileless malware, and further research is needed to address other types of malware.

engineering, electrical & electronic,computer science, information systems,physics, applied

JongHun Jung,Hwan-Kuk Kim,Soojin Yoon

DOI: https://doi.org/10.48550/arXiv.1502.03872

2015-02-13

Abstract:Recent web-based cyber attacks are evolving into a new form of attacks such as private information theft and DDoS attack exploiting JavaScript within a web page. These attacks can be made just by accessing a web site without distribution of malicious codes and infection. Script-based cyber attacks are hard to detect with traditional security equipments such as Firewall and IPS because they inject malicious scripts in a response message for a normal web request. Furthermore, they are hard to trace because attacks such as DDoS can be made just by visiting a web page. Due to these reasons, it is expected that they could result in direct damages and great ripple effects. To cope with these issues, in this article, a proposal is made for techniques that are used to detect malicious scripts through real-time web content analysis and to automatically generate detection signatures for malicious JavaScript.

Cryptography and Security

Li Zhang,Zhao Wang,Zhong Chen

DOI: https://doi.org/10.1109/isra.2012.6219174

2012-01-01

Abstract:Antivirus software is one of the most widely installed software for protecting computer from malicious attacks. However, traditional host-based antivirus needs to store all viruses' pattern or sample, which not only needs large local storage, but also fails to detect modern threats in time. The newly come cloud-based antivirus, which needs no extra local storage and compares virus' pattern on provider's cloud servers, has the disadvantages of being more likely to be attacked when offline. This paper advocates P2PAV, a new model for malware detection through P2P network, which takes advantages of traditional ones and cloud antivirus, reduces local storage, and meanwhile, improves the ability of detecting modern virus than traditional ways, and combating virus when offline than cloud-based antivirus.

Muhammad Saad,David Mohaisen

2023-04-26

Abstract:Cryptojacking is the permissionless use of a target device to covertly mine cryptocurrencies. With cryptojacking, attackers use malicious JavaScript codes to force web browsers into solving proof-of-work puzzles, thus making money by exploiting the resources of the website visitors. To understand and counter such attacks, we systematically analyze the static, dynamic, and economic aspects of in-browser cryptojacking. For static analysis, we perform content, currency, and code-based categorization of cryptojacking samples to 1) measure their distribution across websites, 2) highlight their platform affinities, and 3) study their code complexities. We apply machine learning techniques to distinguish cryptojacking scripts from benign and malicious JavaScript samples with 100\% accuracy. For dynamic analysis, we analyze the effect of cryptojacking on critical system resources, such as CPU and battery usage. We also perform web browser fingerprinting to analyze the information exchange between the victim node and the dropzone cryptojacking server. We also build an analytical model to empirically evaluate the feasibility of cryptojacking as an alternative to online advertisement. Our results show a sizeable negative profit and loss gap, indicating that the model is economically infeasible. Finally, leveraging insights from our analyses, we build countermeasures for in-browser cryptojacking that improve the existing remedies.

Cryptography and Security,Computers and Society,Machine Learning,Software Engineering

Xiang Ling,Zhiyu Wu,Bin Wang,Wei Deng,Jingzheng Wu,Shouling Ji,Tianyue Luo,Yanjun Wu

2024-07-03

Abstract:Given the remarkable achievements of existing learning-based malware detection in both academia and industry, this paper presents MalGuise, a practical black-box adversarial attack framework that evaluates the security risks of existing learning-based Windows malware detection systems under the black-box setting. MalGuise first employs a novel semantics-preserving transformation of call-based redividing to concurrently manipulate both nodes and edges of malware's control-flow graph, making it less noticeable. By employing a Monte-Carlo-tree-search-based optimization, MalGuise then searches for an optimized sequence of call-based redividing transformations to apply to the input Windows malware for evasions. Finally, it reconstructs the adversarial malware file based on the optimized transformation sequence while adhering to Windows executable format constraints, thereby maintaining the same semantics as the original. MalGuise is systematically evaluated against three state-of-the-art learning-based Windows malware detection systems under the black-box setting. Evaluation results demonstrate that MalGuise achieves a remarkably high attack success rate, mostly exceeding 95%, with over 91% of the generated adversarial malware files maintaining the same semantics. Furthermore, MalGuise achieves up to a 74.97% attack success rate against five anti-virus products, highlighting potential tangible security concerns to real-world users.

Cryptography and Security