Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web最新文献

筛选

英文中文

FP-Crawlers: Studying the Resilience of Browser Fingerprinting to Block Crawlers fp -爬虫:研究浏览器指纹阻止爬虫的弹性

Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web Pub Date : 2020-02-23 DOI: 10.14722/madweb.2020.23010

Antoine Vastel, Walter Rudametkin, Romain Rouvoy, Xavier Blanc

{"title":"FP-Crawlers: Studying the Resilience of Browser Fingerprinting to Block Crawlers","authors":"Antoine Vastel, Walter Rudametkin, Romain Rouvoy, Xavier Blanc","doi":"10.14722/madweb.2020.23010","DOIUrl":"https://doi.org/10.14722/madweb.2020.23010","url":null,"abstract":"Data available on the Web, such as financial data or public reviews, provides a competitive advantage to companies able to exploit them. Web crawlers, a category of bot, aim at automating the collection of publicly available Web data. While some crawlers collect data with the agreement of the websites being crawled, most crawlers do not respect the terms of service. CAPTCHAs and approaches based on analyzing series of HTTP requests classify users as humans or bots. However, these approaches require either user interaction or a significant volume of data before they can classify the traffic. \u0000 \u0000In this paper, we study browser fingerprinting as a crawler detection mechanism. We crawled the Alexa top 10K and identified 291 websites that block crawlers. We show that fingerprinting is used by 93 (31.96%) of them and we report on the crawler detection techniques implemented by the major fingerprinters. Finally, we evaluate the resilience of fingerprinting against crawlers trying to conceal themselves. We show that although fingerprinting is good at detecting crawlers, it can be bypassed with little effort by an adversary with knowledge on the fingerprints collected.","PeriodicalId":408238,"journal":{"name":"Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web","volume":"67 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-02-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117012740","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 41

Shepherd: a Generic Approach to Automating Website Login Shepherd:自动化网站登录的通用方法

Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web Pub Date : 1900-01-01 DOI: 10.14722/madweb.2020.23008

H. Jonker, S. Karsch, Benjamin Krumnow, Marc Sleegers

{"title":"Shepherd: a Generic Approach to Automating Website Login","authors":"H. Jonker, S. Karsch, Benjamin Krumnow, Marc Sleegers","doi":"10.14722/madweb.2020.23008","DOIUrl":"https://doi.org/10.14722/madweb.2020.23008","url":null,"abstract":"To gauge adoption of web security measures, largescale testing of website security is needed. However, the diversity of modern websites makes a structured approach to testing a daunting task. This is especially a problem with respect to logging in: there are many subtle deviations in the flow of the login process between websites. Current efforts investigating login security typically are semi-automated, requiring manual intervention which does not scale well. Hence, comprehensive studies of post-login areas have not been possible yet. In this paper, we introduce Shepherd, a generic framework for logging in on websites. Given credentials, it provides a fully automated attempt at logging in. We discuss various design challenges related to automatically identifying login areas, validating correct logins, and detecting incorrect credentials. The tool collects data on successes and failures for each of these. We evaluate Shepherd’s capabilities to login on thousands of sites, using unreliable, legitimately crowd-sourced credentials for a random selection from the Alexa Top websites list. Notwithstanding parked domains, invalid credentials, etc., Shepherd was able to automatically log in on 7,113 sites from this set, an order of magnitude beyond previous efforts at automating login.","PeriodicalId":408238,"journal":{"name":"Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web","volume":"97 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133577409","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 10

Building Robust Phishing Detection System: an Empirical Analysis 构建稳健的网络钓鱼检测系统:实证分析

Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web Pub Date : 1900-01-01 DOI: 10.14722/madweb.2020.23007

Jehyun Lee, Pingxiao Ye, Ruofan Liu, D. Divakaran, M. Chan

{"title":"Building Robust Phishing Detection System: an Empirical Analysis","authors":"Jehyun Lee, Pingxiao Ye, Ruofan Liu, D. Divakaran, M. Chan","doi":"10.14722/madweb.2020.23007","DOIUrl":"https://doi.org/10.14722/madweb.2020.23007","url":null,"abstract":"To tackle phishing attacks, recent research works have resorted to the application of machine learning (ML) algorithms, yielding promising results. Often, a binary classification model is trained on labeled datasets of benign and phishing URLs (and contents) obtained via crawling. While phishing classifiers have high accuracy (precision and recall), they, however, are also prone to adversarial attacks wherein an adversary tries to evade the ML-based classifier by mimicking (feature values of) benign web pages. Based on this observation, in our work, we propose a simple approach to build a robust phishing page detection system. Our detection system, based on voting, employs multiple models, such that each model is trained by inserting (controlled) noises in a subset of randomly selected features from the full feature set. We conduct comprehensive experiments using real datasets, and based on a number of evasive strategies, evaluate the robustness of, both, the traditional native ML model and our proposed detection system. The results demonstrate that our proposed system, on one hand, performs close to the native model when there is no adversarial attack, and on the other hand, is more robust against evasion attacks than the native model.","PeriodicalId":408238,"journal":{"name":"Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127706108","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 15