Detecting and Preventing Drive-By Download Attack via Participative Monitoring of the Web

T. Matsunaka, J. Urakawa, A. Kubota
DOI: 10.1109/ASIAJCIS.2013.15 (https://doi.org/10.1109/ASIAJCIS.2013.15)
Venue: 2013 Eighth Asia Joint Conference on Information Security
Published: 2013-07-25
Citations: 7

Abstract

Drive-by Download Attack (DBD) is one of the major threats to the web infrastructure. DBD attacks are triggered by user access to a malicious website and force users to download malware by exploiting vulnerabilities in web browsers or plugins. Malicious websites are ephemeral, so fresh information about malicious activity must be gathered continuously to detect and prevent such attacks. In this paper, we propose a framework that combats DBD attacks through users' voluntary monitoring of the web. The framework tackles two issues: how to obtain up-to-date information related to malicious activity, and how to provide that up-to-date information to the world. It aims to realize a security ecosystem: users actively offer information about their activities on the web (e.g. accessed URLs, downloaded contents), security analysts inspect the information to detect new threats and devise countermeasures, and the countermeasures are then provided to users as feedback. The framework consists of sensors located on the user side and a centralized center located on the network side. Sensors are deployed in the web browser, in web proxies, and in DNS servers. The sensors monitor the accessed URLs, the downloaded contents, and the way each link event was triggered (e.g. mouse click, mouse move, server-side redirect), and report the data to the center. The center analyzes the data, derives statistics and the web link structure, and detects new threats by exploiting the characteristics of malicious web pages. This paper also shows a real-world example that demonstrates the potential of our framework. The example implies that our focus on changes in the web link structure can detect illegal falsification of web pages. Our framework can obtain long-term data on how many hosts users are forced to access when they access a web page, so we believe that it can distinguish legitimate changes to a web page from changes caused by compromise.
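The detection idea in the abstract (compare the set of hosts a page forces the browser to contact against that page's long-term link structure) can be illustrated with a small centre-side check. The following is an added example written for this page, not code from the paper or its authors. It assumes a report format of (visit id, page URL, requested URL, trigger) that the paper does not specify, treats every trigger other than a deliberate click as "forced" (the "auto" trigger for sub-resources fetched with no user action is an assumption added here), and uses constructed sensor reports on reserved `.test` hostnames.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SensorReport:
    """One link event seen by a browser or proxy sensor (format assumed for this example)."""
    visit_id: str        # one page load by one user
    page_url: str        # the page the user was on when the request was made
    requested_url: str   # the URL the browser was made to fetch from that page
    trigger: str         # "click", "move", "server_redirect" or "auto" (no user action)


# Anything that is not a deliberate click counts as the page forcing the access.
FORCED_TRIGGERS = {"move", "server_redirect", "auto"}


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def forced_hosts_per_visit(reports):
    """Return {visit_id: (landing page host, frozenset of forced third-party hosts)}.

    The landing page is the first page_url seen for the visit, so a redirect chain
    that hops to another site is still attributed to the page the user opened.
    Hosts equal to the landing host are ignored: a page loading its own assets is
    not evidence of anything.
    """
    forced = defaultdict(set)
    landing = {}
    for r in reports:
        landing.setdefault(r.visit_id, host_of(r.page_url))
        if r.trigger in FORCED_TRIGGERS:
            forced[r.visit_id].add(host_of(r.requested_url))
    return {vid: (ph, frozenset(h for h in forced[vid] if h != ph))
            for vid, ph in landing.items()}


def build_baseline(reports):
    """Long-term link structure per landing host: every forced host ever observed
    and the largest number of forced hosts seen in any single visit."""
    known = defaultdict(set)
    max_count = defaultdict(int)
    for ph, hosts in forced_hosts_per_visit(reports).values():
        known[ph].update(hosts)
        max_count[ph] = max(max_count[ph], len(hosts))
    return known, max_count


def detect_link_structure_changes(baseline, new_reports):
    """Flag visits whose forced-access host set departs from the page's baseline."""
    known, max_count = baseline
    alerts = []
    for vid, (ph, hosts) in forced_hosts_per_visit(new_reports).items():
        unseen = hosts - known[ph]
        if unseen or len(hosts) > max_count[ph]:
            alerts.append({"visit": vid, "page_host": ph,
                           "new_hosts": sorted(unseen),
                           "forced_host_count": len(hosts),
                           "baseline_max": max_count[ph]})
    return alerts


# Constructed sample reports (not data from the paper).
ARTICLE = "https://www.example-news.test/article/"
HISTORICAL_REPORTS = [
    # v1, v2: normal loads, two embedded third-party resources, one user click
    SensorReport("v1", ARTICLE + "1", "https://cdn.example-news.test/style.css", "auto"),
    SensorReport("v1", ARTICLE + "1", "https://ads.example-ads.test/tag.js", "auto"),
    SensorReport("v1", ARTICLE + "1", "https://partner.example-news.test/", "click"),
    SensorReport("v2", ARTICLE + "2", "https://cdn.example-news.test/style.css", "auto"),
    SensorReport("v2", ARTICLE + "2", "https://ads.example-ads.test/tag.js", "auto"),
]
NEW_REPORTS = [
    # v3: injected content sends the browser, without a click, to an unknown host
    # that redirects again to an exploit-kit host (the drive-by pattern)
    SensorReport("v3", ARTICLE + "1", "https://cdn.example-news.test/style.css", "auto"),
    SensorReport("v3", ARTICLE + "1", "https://ads.example-ads.test/tag.js", "auto"),
    SensorReport("v3", ARTICLE + "1", "https://lure.example-evil.test/go", "auto"),
    SensorReport("v3", "https://lure.example-evil.test/go",
                 "https://kit.example-evil.test/exploit", "server_redirect"),
    # v4: unchanged structure, must not alert
    SensorReport("v4", ARTICLE + "3", "https://cdn.example-news.test/style.css", "auto"),
    SensorReport("v4", ARTICLE + "3", "https://ads.example-ads.test/tag.js", "auto"),
]


def run_example():
    return detect_link_structure_changes(build_baseline(HISTORICAL_REPORTS), NEW_REPORTS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Only visit v3 is flagged: it forces the browser onto two hosts the page has never required before and raises the forced-host count from 2 to 4. A legitimate change (say, the site adding one analytics host) would also produce a single-host alert at first; the point of the paper's long-term data is that such a change shows up consistently across many users and visits and can be folded into the baseline after analyst review, whereas a compromise typically appears on a subset of visits and adds redirect chains to hosts with no history on the page.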