Validation of Web Alteration Detection using Link Change State in Web Page

Shouta Mochizuki, Tetsuji Takada
The University of Electro-Communications. 1-5-1 Chofugaoka, Chofu, Tokyo 182-8585, JAPAN
m-shouta@uec.ac.jp, zetaka@computer.org

Abstract: There are attacks that target viewers through Web page alterations that are difficult to recognize as alterations. We have proposed a Web alteration detection method that focuses on how the link URLs in a Web page change over time. However, the alteration detection capability of the proposed method has not been tested. In this paper, in order to verify the effectiveness of the proposed method, we conducted an evaluation experiment on Web pages collected using the Alexa Top 100 as a starting point. Based on the experimental results, we discuss the effectiveness of the proposed method and future work.

1 Web 1 Drive-by Download Web ( ) () Drive-by Download ( Google Safe Browsing[2]) Web Web Web Web
URL client honeypot Drive-by Download [3, 6, 5] Drive-by Download Drive-by Download Drive-by Download honeyclient / Web Drive-by Download Web iframe script Web DOM URL DOM URL Web Web Alexa[9] Web 12414 URL Web URL 2 2.1 Stokes [5] WebCop ( ) WebCop 400,000 350,000 WebCop Web Web 2.2 Web Web Kevin [7] -- Web 2 DOM JavaScript DOM JavaScript [8] FCDBD FCDBD Drive-by Download Web 1 Web Web 3 3.1 Web Web Web Web
1: Google Chrome DOM URL Web Web script iframe URL DOM URL URL URL URL URL URL URL 3 3.2 1 Web Web Web
2: 3: URL URL URL URL Web URL URL URL 4 4.1 Web Web 1. Web URL 2. Web 3. 4. 3 VirusTotal 1 Web URL Web Alexa[9] Web Top 100 Web 100Web HTML HTML a href URL Top 100 URL100 12414 URL 2 Web Web Web 1 12414 URLs Web 2 Web URL URL URL Web Web 1 URL Web URL URL ( 1 ) Google Chrome Web Web Web Web Web DOM DOM 7 (, URL)
a, img, script, iframe, frame, form, param 7 ( 4 ) Web URL Web 2 2 1 2 1 3 2 URL Web 2 version Web 2 version or Web URL VirusTotal clean site not clean site clean VirusTotal URL clean site unrated site not clean site URL ( / ) (clean site/not clean site) 2 4 3 Web URL URL VirusTotal clean site not clean site URL Web URL 1 not clean site Web 4.2 4: 3 1 Web ( / ) (clean site/not clean site) 2 URL Web 4149 URLs(33.4%) Web URL VirusTotal 1635 URLs 2514 URLs ( 4 ) clean site False positive 5 5.1 Alexa Top 100 Web 1 URL Web Web Web Web Alexa
1: VirusTotal
clean site 8172 URLs 66.5% 4114 URLs 33.5% 12286 URLs
not clean site 93 URLs 72.7% 35 URLs 27.3% 128 URLs
8265 URLs 66.6% 4149 URLs 33.4% 12414 URLs
2: clean site 4114 URLs 2241 URLs 54.5%
Web Web Web Web Web Web 1 URL Alexa Top 100 Web Web Web Web 5.2 False positive False positive Web 4 4 2514 URLs Web 5.2.1 False positive False positive URL Web False positive Adblock Plus[10] 2 2 54.5% False positive Drive-by Download Provos [3] Drive-by Download Drive-by Download 5.2.2 False positive Web
Web a Web Web a img URL Web a img SQL href src JavaScript 2 a img a img a Web a a a title 5.3 False negative Web version Web Web Web False negative Web Web URL Web Web Web URL Web Web Web Web Web Web Web Web Web Web URL URL URL SNS URL URL URL URL Web URL URL
URL Web Web URL URL 6 Drive-by Download Web Web Web URL Web Alexa Top 100 Web 14114 URLs Web 2514 URLs a

[1] Web 2014 CSS2014 2014
[2] Google Safe Browsing API, https://developers.google.com/safe-browsing/, December 2014.
[3] N. Provos, P. Mavrommatis, M. A. Rajab and F. Monrose, All Your iframes Point to Us, Proc. of the 17th USENIX Security Symposium, pp. 1-15, 2008.
[4] Marco Cova, Christopher Kruegel and Giovanni Vigna, Detection and analysis of drive-by-download attacks and malicious javascript code, Proc. of the 19th International Conference on World Wide Web (WWW '10), pp. 281-290, 2010.
[5] J. W. Stokes, R. Andersen, C. Seifert and K. Chellapilla, WebCop: Locating Neighborhoods of Malware on the Web, Proc. 3rd USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET 2010), 2010.
[6] J. Zhang, C. Seifert, J. W. Stokes and W. Lee, ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads, Proc. 20th International World Wide Web Conference (WWW2011), 2011.
[7] Kevin Borgolte, Christopher Kruegel and Giovanni Vigna, Automatic Identification of Unknown Web-based Infection Campaigns, Proc. of the 2013 ACM SIGSAC Conference on Computer & Communications Security, 2013.
[8] Drive-by Download Web CSEC 2015-CSEC-68 Vol 2015 No 48 2015
[9] Alexa: Actionable Analytics for the Web <http://www.alexa.com> (2015-07-01)
[10] Adblock Plus <https://adblockplus.org/> 2015-08-10
[11] VirusTotal <https://www.virustotal.com/> 2015-08-20
[12] IPA! <http://www.ipa.go.jp/files/000024628.pdf> 2015-08-20