EvilSeed: A Guided Approach to Finding Malicious Web Pages

Invernizzi, Luca; Comparetti, Paolo Milani; Benvenuti, S.; Kruegel, Christopher; Cova, Marco; Vigna, Giovanni

doi:10.1109/sp.2012.33

Cited by 133 publications

(75 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Also, the hit rate of our approach is the highest, which is around 4 times and 34 times as that of [22] and [23], respectively. This observation shows that our approach is more efficient and effective in discovering/collecting compromised websites, since our approach does not highly rely on the pre-selective keywords (pre-selective keywords typically lead to a low hit rate, which has also been verified by [19]), which are used by both existing approaches.…”

Section: Evaluation Resultssupporting

confidence: 56%

“…In such case, John et al [20] have similar ideas but target on a different problem, in which the authors propose a framework to find more malicious queries by generating regular expressions from a small set of malicious queries. In a recent concurrent study, EvilSeed [19] also shares similar inspiration but with different target and techniques. It searches the web for pages that are likely malicious by starting from a small set of malicious pages.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

PoisonAmplifier: A Guided Approach of Discovering Compromised Websites through Reversing Search Poisoning Attacks

Zhang

Yang

et al. 2012

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Through injecting dynamic script codes into compromised websites, attackers have widely launched search poisoning attacks to achieve their malicious goals, such as spreading spam or scams, distributing malware and launching drive-by download attacks. While most current related work focuses on measuring or detecting specific search poisoning attacks in the crawled dataset, it is also meaningful to design an effective approach to find more compromised websites on the Internet that have been utilized by attackers to launch search poisoning attacks, because those compromised websites essentially become an important component in the search poisoning attack chain. In this paper, we present an active and efficient approach, named PoisonAmplifier, to find compromised websites through tracking down search poisoning attacks. Particularly, starting from a small seed set of known compromised websites that are utilized to launch search poisoning attacks, PoisonAmplifier can recursively find more compromised websites by analyzing poisoned webpages' special terms and links, and exploring compromised web sites' vulnerabilities. Through our 1 month evaluation, PoisonAmplifier can quickly collect around 75K unique compromised websites by starting from 252 verified compromised websites within first 7 days and continue to find 827 new compromised websites on a daily basis thereafter.

show abstract

Section: Evaluation Resultssupporting

confidence: 56%

Section: Related Workmentioning

confidence: 99%

PoisonAmplifier: A Guided Approach of Discovering Compromised Websites through Reversing Search Poisoning Attacks

Zhang

Yang

et al. 2012

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

show abstract

“…Invernizzi et al [11] developed EvilSeed; it can more efficiently search the web for URLs that are likely malicious. Unlike other previous studies, Invernizzi et al leveraged search engines such as Google, Bing, and Yacy to find malicious URLs from vast web space.…”

Section: Non-machine Learning Approachesmentioning

confidence: 99%

“…The seeds fed to the search engine was different from Invernizzi et al's work [11]. They created seeds by changing the structure of existing malicious URLs' path.…”

Section: Non-machine Learning Approachesmentioning

confidence: 99%

Automating URL Blacklist Generation with Similarity Search Approach

Sun

Akiyama

Yagi

et al. 2016

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYModern web users may encounter a browser security threat called drive-by-download attacks when surfing on the Internet. Drive-by-download attacks make use of exploit codes to take control of user's web browser. Many web users do not take such underlying threats into account while clicking URLs. URL Blacklist is one of the practical approaches to thwarting browser-targeted attacks. However, URL Blacklist cannot cope with previously unseen malicious URLs. Therefore, to make a URL blacklist effective, it is crucial to keep the URLs updated. Given these observations, we propose a framework called automatic blacklist generator (AutoBLG) that automates the collection of new malicious URLs by starting from a given existing URL blacklist. The primary mechanism of AutoBLG is expanding the search space of web pages while reducing the amount of URLs to be analyzed by applying several pre-filters such as similarity search to accelerate the process of generating blacklists. AutoBLG consists of three primary components: URL expansion, URL filtration, and URL verification. Through extensive analysis using a high-performance web client honeypot, we demonstrate that AutoBLG can successfully discover new and previously unknown drive-by-download URLs from the vast web space. key words: drive-by-download, URL blacklist, search space, machine learning, web client honeypot

show abstract

“…Comprehensive studies on content analysis have been proposed both for spam [30] and phishing sites [46,50]. Google is also performing phishing detection through content analysis [44], and researchers have used the search engine's index to identify scams campaigns with similar content [16]. In contrast, our system aims to identify the advanced phishing attacks that evade these content-based solutions, obfuscating their content to be resilient to static analyzers.…”

Section: Related Workmentioning

confidence: 99%

Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection

Corbetta

Invernizzi

Kruegel

et al. 2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. With JavaScript and images at their disposal, web authors can create content that is immediately understandable to a person, but is beyond the direct analysis capability of computer programs, including security tools. Conversely, information can be deceiving for humans even if unable to fool a program. In this paper, we explore the discrepancies between user perception and program perception, using content obfuscation and counterfeit "seal" images as two simple but representative case studies. In a dataset of 149,700 pages we found that benign pages rarely engage in these practices, while uncovering hundreds of malicious pages that would be missed by traditional malware detectors. We envision that this type of heuristics could be a valuable addition to existing detection systems. To show this, we have implemented a proofof-concept detector that, based solely on a similarity score computed on our metrics, can already achieve a high precision (95%) and a good recall (73%).

show abstract

EvilSeed: A Guided Approach to Finding Malicious Web Pages

Cited by 133 publications

References 14 publications

PoisonAmplifier: A Guided Approach of Discovering Compromised Websites through Reversing Search Poisoning Attacks

PoisonAmplifier: A Guided Approach of Discovering Compromised Websites through Reversing Search Poisoning Attacks

Automating URL Blacklist Generation with Similarity Search Approach

Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection

Contact Info

Product

Resources

About