Enabling Reconstruction of Attacks on Users via Efficient Browsing Snapshots

Vadrevu, Phani; Liu, Jienan; Li, Bo; Rahbarinia, Babak; Lee, Kyu Hyoung; Perdisci, Roberto

doi:10.14722/ndss.2017.23100

Cited by 12 publications

(9 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These principles can also apply at the application level. In [45], the authors instrument the Chrome web browser to enable the logging and replay of the user action contexts, i.e., the document object model that contains web page objects and Javascript source code. By enabling the finer-grained logging of action contexts, these methodologies also allow the approximation of the contextual action causal dependency model.…”

Section: B Object State Snapshotsmentioning

confidence: 99%

Discovering Correlations: A Formal Definition of Causal Dependency Among Heterogeneous Events

Xosanavongsa

Totel

Bettan

2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

In order to supervise the security of a large infrastructure, the administrator deploys multiple sensors and intrusion detection systems on several critical places in the system. It is easier to explain and detect attacks if more events are logged. Starting from a suspicious event (appearing as a log entry), the administrator can start his investigation by manually building the set of previous events that are linked to this event of interest. Accordingly, the administrator attempts to identify links among the logged events in order to retrieve those that correspond to the traces of the attacker's actions in the supervised system; previous work is aimed at building these connections. In practice, however, this type of link is not trivial to define and discover. Hence, there is a real necessity to describe and define formally the semantics of these links in literature. In this paper, a clear definition of this relationship, called contextual event causal dependency, is introduced and proposed. The work presented in this paper aims at defining a formal model that would ideally unify previous work on causal dependencies among heterogeneous events. We define a relationship among events that enables the discovery of all events, which can be considered as the cause (in the past) or the effect (in the future) of an event of interest (e.g., an indicator of compromise, produced by an attacker action). This model is gradually introduced and defined by merging two previously defined causality models from the distributed system and operating system research areas (i.e., Lamport's and d'Ausbourg's). Our model takes into consideration heterogeneous events that emanate from different abstraction layers (e.g., network, system, and application) with the main objective of formally defining a causal relationship among logged events. Thereafter, we show how existing implementations separately allow the computation of parts of the model. Finally, we describe the implementation and assessment of the model according to real attacks on distributed environments and its accuracy to extract all causally linked events related to a given attack event trace.

show abstract

Section: B Object State Snapshotsmentioning

confidence: 99%

Discovering Correlations: A Formal Definition of Causal Dependency Among Heterogeneous Events

Xosanavongsa

Totel

Bettan

2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

show abstract

“…web browser with the forensic engine named ChromePic [38], which could record and reconstruct the process of common web attacks based on Chromium. Jayasinghe et al proposed a novel dynamic approach to detect drive-by download attacks [1], and it can monitor the bytecode generated by a browser in real time with low performance overhead.…”

Section: Page Content Analysis Vadrevu Et Al Proposed a Newmentioning

confidence: 99%

Efficient and Transparent Method for Large-Scale TLS Traffic Analysis of Browsers and Analogous Programs

Pan

Zhuang

Sun

2019

Security and Communication Networks

View full text Add to dashboard Cite

Many famous attacks take web browsers as transmission channels to make the target computer infected by malwares, such as watering hole and domain name hijacking. In order to protect the data transmission, the SSL/TLS protocol has been widely used to defeat various hijacking attacks. However, the existence of such encryption protection makes the security software and devices confront with the difficulty of analyzing the encrypted malicious traffic at endpoints. In order to better solve this kind of situation, this paper proposes a new efficient and transparent method for large-scale automated TLS traffic analysis, named as hyper TLS traffic analysis (HTTA). It extracts multiple types of valuable data from the target system in the hyper mode and then correlates them to decrypt the network packets in real time, so that overall data correlation analysis can be performed on the target. Additionally, we propose an aided reverse engineering method to support the analysis, which can rapidly identify the target data in different versions of the program. The proposed method can be applied to the endpoints and cloud platforms; there are no trust risk of certificates and no influence on the target programs. Finally, the real experimental results show that the method is feasible and effective for the analysis, which leads to the lower runtime overhead compared with other methods. It covers all the popular browser programs with good adaptability and can be applied to the large-scale analysis.

show abstract

“…Then, an HTTP-based redirection takes the browser to a page on pressupdateforsafesoft[.]download. As we will see later, this page renders as shown in the screenshots of Figures 1c-1e (notice that while JSgraph does not log visual screenshots, this functionality could be easily implemented very efficiently with the approach used by ChromePic [43]). As the user clicks on the download button (see Figure 1d), this corresponds to clicking on an HTML anchor that navigates the browser to the pressbuttonforupdate[.…”

Section: B Motivating Examplementioning

confidence: 99%

“…One possible way would be to record, and later statically analyze, all the HTML and JavaScript content loaded by the browser during a time window that includes the attack. This could be done by recording all network traffic traces, or by using a lightweight system such as ChromePic [43]. However, understanding how the browser loaded, parsed, interpreted, and rendered the web content from network traces is notoriously hard [38].…”

Section: T Previous Workmentioning

confidence: 99%

JSgraph: Enabling Reconstruction of Web Attacks via Efficient Tracking of Live In-Browser JavaScript Executions

Vadrevu

Lee

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

In this paper, we propose JSgraph, a forensic engine that is able to efficiently record fine-grained details pertaining to the execution of JavaScript (JS) programs within the browser, with particular focus on JS-driven DOM modifications. JSgraph's main goal is to enable a detailed, post-mortem reconstruction of ephemeral JS-based web attacks experienced by real network users. In particular, we aim to enable the reconstruction of social engineering attacks that result in the download of malicious executable files or browser extensions, among other attacks.We implement JSgraph by instrumenting Chromium's code base at the interface between Blink and V8, the rendering and JavaScript engines. We design JSgraph to be lightweight, highly portable, and to require low storage capacity for its fine-grained audit logs. Using a variety of both in-the-wild and lab-reproduced web attacks, we demonstrate how JSgraph can aid the forensic investigation process. We then show that JSgraph introduces acceptable overhead, with a median overhead on popular website page loads between 3.2% and 3.9%.

show abstract

Enabling Reconstruction of Attacks on Users via Efficient Browsing Snapshots

Cited by 12 publications

References 14 publications

Discovering Correlations: A Formal Definition of Causal Dependency Among Heterogeneous Events

Discovering Correlations: A Formal Definition of Causal Dependency Among Heterogeneous Events

Efficient and Transparent Method for Large-Scale TLS Traffic Analysis of Browsers and Analogous Programs

JSgraph: Enabling Reconstruction of Web Attacks via Efficient Tracking of Live In-Browser JavaScript Executions

Contact Info

Product

Resources

About