Trends in Circumventing Web-Malware Detection
Transcript of Trends in Circumventing Web-Malware Detection
Trends in Circumventing Web-Malware Detection
UTSA
Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt
Presented by Li Xu
Detecting Malicious Web Sites
Which pages are safe URLs for end users?
• Safe URL?
• Web exploit?
• Spam-advertised site?
• Phishing site?
URL = Uniform Resource Locator
http://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll
http://fblight.com
http://mail.ru
http://www.sigkdd.org/kdd2009/index.html
This slide references Justin Ma’s slides.
Problem in a Nutshell
Different classes of URLs: benign, spam, phishing, exploits, scams...
For now, distinguish benign vs. malicious
facebook.com fblight.com
This slide references Justin Ma’s slides.
State of the Practice
Current approaches
– Virtual Machine Honeypots.
– Browser Emulation.
– Reputation Based Detection.
– Signature Based Detection.
Arms race
How do adversaries respond, and what techniques have been used to bypass detection?
Google System
Data Collection
Data Set I is the data generated by our operational pipeline, i.e., the output of PageScorer. It was generated by processing ∼1.6 billion distinct web pages collected between December 1, 2006 and April 1, 2011.
Data Set II is a sample of pages from Data Set I: the pages flagged as suspicious, plus 1% of the other “non-suspicious” pages chosen uniformly at random from the same time period. The original HTTP responses of these pages are rescored with a fixed version of PageScorer.
Attacks on client honeypot
Exploits encountered on the web
JavaScript function calls
DOM functions
Malware distribution chain length
Cloaking sites & comparison of the two methods
Comparison of the two methods
Summary
Social Engineering is growing and poses challenges to VM-based honeypots.
JavaScript obfuscation that interacts heavily with the DOM can be used to evade both Browser Emulators and AV engines.
AV Engines also suffer significantly from both false positives and false negatives.
Finally, we see a rise in IP cloaking to thwart content-based detection schemes.
Granularity
As our analysis is based on sites rather than individual web pages, we compute the average value for sites on which we encounter multiple web pages in a given month.
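The Data Collection and Granularity slides together describe a measurement procedure: build Data Set II from Data Set I (every suspicious page plus a uniform 1% sample of the non-suspicious ones), rescore the stored responses with a fixed scorer, then average per site and month. The script below is an added example, not code from the slides or from the paper's pipeline. The constructed Data Set I, the stand-in "fixed PageScorer" rule, and the inverse-inclusion-probability weights used to turn the skewed sample back into a population estimate are all assumptions of this example; the slides do not state how the sample is reweighted.

```python
"""Added example: Data Set II-style sampling, rescoring, and per-site-month
aggregation over a constructed Data Set I.  Nothing here is the paper's code;
the scorer rule and the weighting scheme are assumptions of this example."""
import random
from collections import defaultdict
from datetime import date


def make_dataset_i(n_sites=50, pages_per_site=40, seed=7):
    """Constructed stand-in for Data Set I: one record per crawled page.
    'features' plays the role of the stored HTTP response; 'original' is the
    verdict of the older, operational scorer (assumed rule plus 2% noise)."""
    rng = random.Random(seed)
    pages = []
    for s in range(n_sites):
        site = f"site{s:03d}.example"
        evil_site = s % 10 == 0  # every tenth constructed site hosts malware
        for p in range(pages_per_site):
            month = date(2010, 1 + p % 12, 1)
            features = {
                "eval_calls": rng.randint(3, 9) if evil_site else rng.randint(0, 2),
                "dom_writes": rng.randint(2, 6) if evil_site else rng.randint(0, 1),
            }
            original = "suspicious" if features["eval_calls"] >= 3 or rng.random() < 0.02 else "clean"
            pages.append({"url": f"http://{site}/p{p}", "site": site, "month": month,
                          "original": original, "features": features})
    return pages


def build_dataset_ii(pages, nonsusp_fraction=0.01, seed=11):
    """Data Set II: every suspicious page plus a uniform random sample of the
    non-suspicious ones.  Each row records 1/(inclusion probability) so the
    skewed sample can still estimate population-level rates (assumed design)."""
    rng = random.Random(seed)
    sample = []
    for page in pages:
        if page["original"] == "suspicious":
            sample.append(dict(page, weight=1.0))
        elif rng.random() < nonsusp_fraction:
            sample.append(dict(page, weight=1.0 / nonsusp_fraction))
    return sample


def fixed_page_scorer(features):
    """Stand-in for the 'fixed version of PageScorer' (assumed rule): flag a
    page only when heavy eval usage coincides with DOM manipulation."""
    return features["eval_calls"] >= 4 and features["dom_writes"] >= 2


def rescore(sample):
    """Re-run the fixed scorer over the stored responses of the sample."""
    for page in sample:
        page["malicious"] = fixed_page_scorer(page["features"])
    return sample


def estimated_malicious_fraction(sample, population_size):
    """Weighted estimate of the malicious fraction of the whole Data Set I:
    a page sampled with probability p stands for 1/p pages."""
    weighted = sum(p["weight"] for p in sample if p["malicious"])
    return weighted / population_size


def site_month_averages(sample):
    """Granularity step: average the per-page verdict over every page seen for
    a given site in a given month, so a site counts once per month."""
    buckets = defaultdict(list)
    for page in sample:
        buckets[(page["site"], page["month"])].append(1.0 if page["malicious"] else 0.0)
    return {key: sum(v) / len(v) for key, v in buckets.items()}


if __name__ == "__main__":
    data_i = make_dataset_i()
    data_ii = rescore(build_dataset_ii(data_i))
    print(f"Data Set I: {len(data_i)} pages, Data Set II: {len(data_ii)} pages")
    print(f"estimated malicious fraction: {estimated_malicious_fraction(data_ii, len(data_i)):.3f}")
    flagged = {k: v for k, v in site_month_averages(data_ii).items() if v > 0}
    print(f"site-months with malicious pages: {len(flagged)}")
```

The weighting matters because Data Set II deliberately over-represents suspicious pages: counting rows in the sample directly would inflate any malicious rate, whereas weighting each non-suspicious row by 100 restores the proportions of Data Set I. The per-site-month averaging is the reason the paper's trends are expressed in sites rather than pages.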
UTSA
Thank You
Li Xu