Detecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University

Size: px

Start display at page:

Download "Detecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University"

Felicity Brown
5 years ago
Views:

1 Detecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University 1

2 Outline Background Related Work Purpose Method Experiment Results Conclusion & Future Work 2

3 Background Drive-by-Download Attack Infects computers while users do not notice it Popular Website we always access become m alicious website To defend attacks is difficult The threat of attack has been increasing[1] 3

4 Background Drive-by-Download Attack Injection page Redirector Exploit page (2)redirect Vulnerability (1)access (3)attack (4)download Malware page Fig. 1:Drive-by-Download Attack 4

5 Background A variety of ideas by attackers Delete the Referer field Obfuscation of javascript Not to be detected by signature matching Spoofing the Content-Type Embed an executable file into image file Difficult to detect 5

6 Related Work Detection method based on HTTP headers [2] Dangerous type: pdf, swf, java, executable X-Powered-By Time interval TPR: 80% FPR: 7.4% 6

7 Weak Point of Related Work Critical Parameter: short transition time Focus on dangerous types Use only exploit page There is room for improvement in TPR and FPR 7

8 Purpose Detecting Drive-by-Download Attacks ü Specific features at each stage of an attack ü Combine several detection mechanisms Redirector Exploit page Malware page Fig. 2: About of method 8

9 Method:1/3 For text files Try to detect redirectors If a text file satisfies at least one of the following conditions, it is judged as malignant There is an X-Powered-By field in the HTTP header, and there is a string of eval, slice,or iframe in HTTP data The User-Agent field has a string of Java 9

10 Method:2/3 For executable files definition of executable files Table1: Executable files format Content-Type application/octet-download application/x-ms-download application/download application/x-msdos-download 10

11 Method:2/3 For executable files Try to detect exploit page If an executable file satisfies at least one of the following conditions, it is judged as malignant There is X-Powered-By field in the HTTP header There is Content-Disposition field in the HTTP header, and the value of this field is inline 11

12 Method:3/3 IP filtering If a malicious file is detected by the previous two detection mechanisms, the IP address is put into a blacklist HTTP communication with the registered IP address is classified as malicious 12

13 Experiment Dataset Malicious D3M2012 to D3M2015 Collected by Marionette[3] Provided by NTT secure platform Laboratories Threatglass Provided by Barracuda Labs 13

14 Experiment Dataset Benign Capture packets on a campus network filtering the packets under the conditions The HTTP header satisfies at least one of the following There is no Accept field User-Agent does not include Mozilla or Opera User-Agent includes strings reminiscent of the bot api, application, bat, bot, crawl, exe, hunny, pot, program 14

15 Experiment Prepare for the experiment Estimation of the redirect structure Assemble an attack from the packets 15

16 Experiment Estimation of Redirect structure 1/2 Referer URL ü If there is a Referer field in HTTP header, the URL indicates the page before the transition Location URL ü If there is a Location field in HTTP header, the URL indicates the page after the transition 16

17 Experiment Estimation of Redirect structure 2/2 URL String ü If there is an URL String in HTTP data, this URL indicates the page after the transition IP Address ü others 17

18 Experiment Experiment 1: for malicious dataset the performance rate ü whether preventing a malware download or not A B C D E F Fig. 3: the performance rate G 18

19 Results Experiment 1: for malicious dataset TPR: 87.8% Table2: Result of experiment 1 Dataset Prevention Number of Data D3M D3M D3M D3M Threatglass Total

20 Results False Negative Example Spoofing the Content-Type Content-Type is an image file, but it has a PE file format There is still a room for improvement 20

21 Results Experiment 2: for benign dataset To apply the proposed method to dataset Table3: Result of experiment 2 Content-Type False Positive Number of Data FPR [%] Text Executable All

22 Results False Positive Example Most errors are caused by iframe User-Agent parameter does not make an error Many advertising result in false positive Ads that do not cause malware download is benign 22

23 Conclusion & Future Works Try to prevent malware download Focus on the structure of Drive-by-Download attacks Real-time detection during web-browsing Future Works Estimation of Redirect structure Verification by various dataset 23

24 Thank you for your attention 24

25 Supplement 25

26 References [1] JPCERT. (2013, June.). Attention on the site falsification. JPCER T. Available: [2] Hiroaki Sakai, Ryoichi Sasaki, Proposal of detection method bas ed on HTTP headers against Drive by Download Attack, JPSJ, Vol DPS-154, No.29, pp.1-6, March [3] Ranking of the popular sites of Japan: 26

27 X-Powered-By Version of PHP Optional field Feature of attacks[2] Table4: Comparison with the general web sites D3M2012 benign[3] Top 100 Top % (29/40) 6.0% (6/100) 9.0% (27/300) 27

28 Content-Disposition Setting inline or attachment inline: display on the browser attachment: pop up download dialog 28

29 Estimation Error settimeout (javascript) Calls a function or executes a code snippet after a specified delay URL string that does not cause the page transition 29

FREE ONLINE WEBSITE MALWARE SCANNER WEBSITE SECURITY

FREE ONLINE WEBSITE MALWARE SCANNER WEBSITE SECURITY PDF 11 AWESOME TOOLS FOR WEBSITE MALWARE SCANNING FREE ONLINE WEBSITE SECURITY 1 / 5 2 / 5 3 / 5 website malware scanner pdf Qualys Malware Detection helps you to scan continuously for malware against