ELPA: Emulation-Based Linked Page Map Analysis for the Detection of Drive-by Download Attacks

  • Choi, Sang-Yong (Cyber Security Research Center, Korea Advanced Institute of Science and Technology) ;
  • Kim, Daehyeok (School of Computing, Korea Advanced Institute of Science and Technology) ;
  • Kim, Yong-Min (Dept. of Electronic Commerce, Chonnam National University)
  • Received : 2015.01.28
  • Accepted : 2015.08.25
  • Published : 2016.09.30

Abstract

Despite the convenience brought by advances in web and Internet technology, users are increasingly exposed to various types of cyber attacks. In particular, recent studies show that today's cyber attacks usually occur on the web, through malware distribution and the theft of personal information. A drive-by download is a web-based attack used to distribute malware. Researchers have proposed various methods for detecting drive-by download attacks effectively; however, existing methods have limitations against recent evasion techniques, including JavaScript obfuscation, hiding, and dynamic code evaluation. In this paper, we propose an emulation-based method for detecting malicious webpages. Based on our study of the limitations of existing methods and of state-of-the-art evasion techniques, we introduce four features that can detect malware distribution networks and apply them in the proposed method. Our performance evaluation using a URL scan engine provided by VirusTotal shows that the proposed method detects malicious webpages more precisely than existing solutions.
