Combining commercial consensus and community crowd-sourced categorization of web sites for integrity against phishing and other web fraud

F. Leitold, A. Arrott, F. C. Osorio
Published in: 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), 2014-10-01
DOI: 10.1109/MALWARE.2014.6999407 (https://doi.org/10.1109/MALWARE.2014.6999407)
Citations: 1

Abstract

Traditionally, the protection provided by 3rd party anti-Malware endpoint security products is measured using a sample set that is representative of the prevalent universe of attacks at that point in time (malicious URLs and/or malicious files in the world). The methodology used for such a selection of the Malware attack samples, the so-called Stimulus Workload (SW), has been a matter of controversy for a number of years. The reason is simple. Given a carefully crafted selection of such files or URLs, the results of the measurements can vary drastically, favoring one vendor versus the other. In [1], Colon Osorio et al. argued that the selection process must be strictly regulated, and further, that such a selection must take into account the fact that amongst the samples selected, some pose a greater threat to users than others, as they are more widespread, and hence are more likely to affect a given user. Further, some Malware attack samples may only be found on specific websites, affect specific countries/regions, or only be relevant to a particular operating system version or interface language (English, German, Chinese, and so forth). In [1], [2], the idea of Customizable Stimulus Workloads (CSW) was first suggested, whereby the collection of samples selected as the Stimulus Workload is required to take into account all the elements described above. Within this context, CSWs are created by filtering attack samples based on prevalence, geographic regions, customer application environments, and other factors. Within the context of this methodology, in this manuscript we will pay special attention to one such specific application environment, primarily, Social Networks. With such a target environment in mind, a CSW was created and used to evaluate the performance of end-point security products. Basically, we examine the protection provided against Malware that uses internet Social Networks as part of the attack vector.
When Social Network CSWs are used, together with differential metrics of effectiveness, we found that amongst the Social Networks studied (Facebook, Google+, and Twitter) the amount of inherent protection provided ranged from negligible to a level that we will call modest self-protection (0% to 18% prevention rate). Further, results of our evaluation showed that the supplemental protection provided by 3rd party anti-Malware products was erratic, ranging from a low of 0% to a high of 93% depending on the product and/or Social Network combination.