Efficient and effective realtime prediction of drive-by download attacks

Jayasinghe, Gaya K.; Culpepper, J. Shane; Bertók, Péter

doi:10.1016/j.jnca.2013.03.009

Cited by 23 publications

(12 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The evaluation showed that the false negative rates are under 5%, while false positive rates are under 0.03%. Jayasinghe et al [10] detected drive-by download attacks at runtime using lightweight dynamic analysis of the bytecode stream generated by a web browser during page content execution. They utilized naive Bayes, support vector machines (SVM) and decision tree as binary classifiers and SVM achieved the best score with almost 95% accuracy.…”

Section: Related Workmentioning

confidence: 99%

ZEKI: unsupervised zero-day exploit kit intelligence

Suren¹

2020

Turk J Elec Eng & Comp Sci

View full text Add to dashboard Cite

Over the last few years, exploit kits (EKs) have become the de facto medium for large-scale spread of malware.Drive-by download is the leading method that is widely used by EK flavors to exploit web-based client-side vulnerabilities.Their principal goal is to infect the victim's system with a malware. In addition, EK families evolve quickly, where they port zero-day exploits for brand new vulnerabilities that were never seen before and for which no patch exists. In this paper, we propose a novel approach for categorizing malware infection incidents conducted through EKs by leveraging the inherent "overall URL patterns" in the HTTP traffic chain. The proposed approach is based on the key finding that EKs infect victim systems using a specially designed chain, where EKs lead the web browser to download a malicious payload by issuing several HTTP requests to more than one malicious domain addresses. This practice in use enables the development of a system that is capable of clustering the responsible EK instances. The method has been evaluated with a popular and publicly available dataset that contains 240 different real-world infection cases involving over 2250 URLs, the incidents being linked with the 4 major EK flavors that occurred throughout the year 2016. The system achieves up to 93.7% clustering accuracy with the estimators experimented.

show abstract

Section: Related Workmentioning

confidence: 99%

ZEKI: unsupervised zero-day exploit kit intelligence

Suren¹

2020

Turk J Elec Eng & Comp Sci

View full text Add to dashboard Cite

show abstract

“…web browser with the forensic engine named ChromePic [38], which could record and reconstruct the process of common web attacks based on Chromium. Jayasinghe et al proposed a novel dynamic approach to detect drive-by download attacks [1], and it can monitor the bytecode generated by a browser in real time with low performance overhead. Studies based on the page content analysis fall on the next step of our research, and some can be integrated into the proposed framework in this paper.…”

Section: Page Content Analysis Vadrevu Et Al Proposed a Newmentioning

confidence: 99%

“…Web browsers are the important sources of malware to infect the target computers. For example, users download and install software bundled with malicious codes from the third-party website, or users encounter phishing attacks and access the fake page, or the web browser loads a web page with vulnerability exploitation codes and triggers the infection of malware [1]. Meanwhile, the incorrect con guration of legitimate applications may also cause the ex ltration of privacy data.…”

Section: Introductionmentioning

confidence: 99%

Efficient and Transparent Method for Large-Scale TLS Traffic Analysis of Browsers and Analogous Programs

Pan

Zhuang

Sun

2019

Security and Communication Networks

View full text Add to dashboard Cite

Many famous attacks take web browsers as transmission channels to make the target computer infected by malwares, such as watering hole and domain name hijacking. In order to protect the data transmission, the SSL/TLS protocol has been widely used to defeat various hijacking attacks. However, the existence of such encryption protection makes the security software and devices confront with the difficulty of analyzing the encrypted malicious traffic at endpoints. In order to better solve this kind of situation, this paper proposes a new efficient and transparent method for large-scale automated TLS traffic analysis, named as hyper TLS traffic analysis (HTTA). It extracts multiple types of valuable data from the target system in the hyper mode and then correlates them to decrypt the network packets in real time, so that overall data correlation analysis can be performed on the target. Additionally, we propose an aided reverse engineering method to support the analysis, which can rapidly identify the target data in different versions of the program. The proposed method can be applied to the endpoints and cloud platforms; there are no trust risk of certificates and no influence on the target programs. Finally, the real experimental results show that the method is feasible and effective for the analysis, which leads to the lower runtime overhead compared with other methods. It covers all the popular browser programs with good adaptability and can be applied to the large-scale analysis.

show abstract

“…Semi‐static analysis could be evaded by using code obfuscation or by rearranging the code . Some solutions have been proposed that make use of anomaly detection instead of simple pattern matching techniques, such as in and . They are based on a classifier that needs to be trained with a set of malicious and a set of benign samples, which allows to discern the set of features characterizing the execution of malicious code.…”

Section: Detecting Malicious Javascript Codementioning

confidence: 99%

Using HTML5 to prevent detection of drive‐by‐download web malware

Santis

Maio

Petrillo

2014

Security Comm Networks

View full text Add to dashboard Cite

The web is experiencing an explosive growth in the last years. New technologies are introduced at a very fast-pace with the aim of narrowing the gap between web-based applications and traditional desktop applications. The results are web applications that look and feel almost like desktop applications while retaining the advantages of being originated from the web. However, these advancements come at a price. The same * This is the pre-peer reviewed version of the following article: Using HTML5 to Prevent show that the malware rewritten using our obfuscation techniques go undetected while being analyzed by a large number of detection systems.The same detection systems were able to correctly identify the same malware in its original unobfuscated form. We also provide some hints about how the existing malware detection systems can be modified in order to cope with these new techniques.

show abstract

Efficient and effective realtime prediction of drive-by download attacks

Cited by 23 publications

References 33 publications

ZEKI: unsupervised zero-day exploit kit intelligence

ZEKI: unsupervised zero-day exploit kit intelligence

Efficient and Transparent Method for Large-Scale TLS Traffic Analysis of Browsers and Analogous Programs

Using HTML5 to prevent detection of drive‐by‐download web malware

Contact Info

Product

Resources

About