
Trends in Circumventing Web-Malware Detection



Presentation Transcript


  1. Trends in Circumventing Web-Malware Detection Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt Presented by Li Xu, UTSA

  2. Detecting Malicious Web Sites URL = Uniform Resource Locator http://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll http://fblight.com http://mail.ru http://www.sigkdd.org/kdd2009/index.html • Safe URL? • Web exploit? • Spam-advertised site? • Phishing site? Which of these URLs are safe for end users? This slide references Justin Ma's slides.

  3. Problem in a Nutshell • Different classes of URLs • Benign, spam, phishing, exploits, scams... • For now, distinguish benign vs. malicious: facebook.com vs. fblight.com This slide references Justin Ma's slides.

  4. State of the Practice • Current approaches • Virtual Machine Honeypots • Browser Emulation • Reputation-Based Detection • Signature-Based Detection • Arms race: how do adversaries respond, and what techniques have been used to bypass detection?

  5. Google System

  6. Data Collection Data Set I is the data generated by our operational pipeline, i.e., the output of PageScorer. It was generated by processing ~1.6 billion distinct web pages collected between December 1, 2006 and April 1, 2011. Data Set II is sampled from Data Set I: the pages flagged suspicious, plus 1% of the other "non-suspicious" pages chosen uniformly at random from the same time period. The original HTTP responses of this sample were rescored with a fixed version of PageScorer.

  7. Attacks on client honeypot

  8. Exploits encountered on the web

  9. JavaScript function calls

  10. DOM functions

  11. Malware distribution chain length

  12. Cloaking sites & comparison of the 2 methods

  13. Comparison of the 2 methods

  14. Summary Social engineering is growing and poses challenges to VM-based honeypots. JavaScript obfuscation that interacts heavily with the DOM can be used to evade both browser emulators and AV engines. AV engines also suffer significantly from both false positives and false negatives. Finally, we see a rise in IP cloaking to thwart content-based detection schemes.
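The summary's point that DOM-heavy, obfuscated JavaScript slips past browser emulators and signature engines is easier to see with a small static triage step of the kind an analyst runs before handing a page to a full emulator. The script below is an added example written for this summary; it is not PageScorer, not code from the paper, and not a substitute for dynamic analysis. The indicator list, the weights and the threshold are assumptions chosen for illustration, and both input scripts are constructed, inert samples (the second one only decodes a harmless `<div>` and a `document.write('')` call through `unescape` and `String.fromCharCode`).

```python
import re
from collections import Counter

# Static indicators that the paper associates with obfuscation and with heavy
# DOM interaction. Each entry: name -> (pattern, weight). Weights are an
# assumption for this example, not values from the paper.
INDICATORS = {
    "eval":             (re.compile(r"\beval\s*\("), 3),
    "unescape":         (re.compile(r"\bunescape\s*\("), 2),
    "fromCharCode":     (re.compile(r"String\.fromCharCode"), 2),
    "document.write":   (re.compile(r"document\.write(?:ln)?\s*\("), 2),
    "setTimeout_str":   (re.compile(r"setTimeout\s*\(\s*['\"]"), 2),
    "createElement":    (re.compile(r"document\.createElement\s*\("), 1),
    "appendChild":      (re.compile(r"\.appendChild\s*\("), 1),
    "innerHTML":        (re.compile(r"\.innerHTML\b"), 1),
}

# Encoded payloads are often carried in one very long string literal;
# the 200-character cut-off is an assumption for this example.
LONG_LITERAL_CHARS = 200
LONG_LITERAL_BONUS = 3


def count_indicators(script: str) -> Counter:
    """Count how often each indicator pattern occurs in the script text."""
    counts = Counter()
    for name, (pattern, _weight) in INDICATORS.items():
        hits = len(pattern.findall(script))
        if hits:
            counts[name] = hits
    return counts


def longest_string_literal(script: str) -> int:
    """Length (excluding quotes) of the longest single- or double-quoted literal."""
    literals = re.findall(r"'[^'\n]*'|\"[^\"\n]*\"", script)
    return max((len(lit) - 2 for lit in literals), default=0)


def score_script(script: str) -> dict:
    """Weighted indicator score plus the evidence behind it."""
    counts = count_indicators(script)
    score = sum(INDICATORS[name][1] * n for name, n in counts.items())
    longest = longest_string_literal(script)
    if longest > LONG_LITERAL_CHARS:
        score += LONG_LITERAL_BONUS
    return {"score": score, "indicators": dict(counts), "longest_literal": longest}


def classify(script: str, threshold: int = 5) -> str:
    """Label a script for triage; threshold is an assumed tuning knob."""
    return "suspicious" if score_script(script)["score"] >= threshold else "benign"


# Constructed sample 1: ordinary page script with direct DOM access, no obfuscation.
BENIGN_SAMPLE = """
document.getElementById('greeting').textContent = 'Hello';
function toggle(el) { el.style.display = el.style.display === 'none' ? '' : 'none'; }
"""

# Constructed sample 2: same visible effect, but built through decoding and
# string-assembled calls, so a plain signature for "document.write(" never fires.
OBFUSCATED_SAMPLE = """
var p = unescape('%3Cdiv%3EHello%3C%2Fdiv%3E');
var d = document.createElement('div');
d.innerHTML = p;
document.body.appendChild(d);
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,39,41));
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(label, classify(sample), score_script(sample))
```

Note what the second sample demonstrates: the literal text `document.write(` never appears, so a signature keyed on it misses the script even though the decoded call is exactly that; the triage score catches it only because it weights the decoding and DOM-construction calls that surround the payload. A heuristic like this is a filter for prioritising emulator or VM time, not a verdict, which is consistent with the paper's observation that emulators and AV engines each miss part of the picture.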

  15. Granularity As our analysis is based on sites rather than individual web pages, we compute the average value for sites on which we encounter multiple web pages in a given month.

  16. Thank You LI XU UTSA
