2nd USENIX Conference on Web Application Development ...

More documents

Recommendations

Info

features. Table 2: Link popularity features (LPOP) No. Feature Type 1∼5 5 LPOPs of the URL Integer 6∼10 5 LPOPs of the domain Integer 11 Distinct domain link ratio Real 12 Max domain link ratio Real 13∼15 Spam, phishing and malware link ratio Real 3.3 Webpage Content Features Recent development of the dynamic webpage technology has been exploited by hackers to inject malicious code into webpages through importing and thus hiding exploits in webpage content. Therefore, statistical properties of client-side code in the Web content can be used as features to detect malicious webpages. To extract webpage content features (CONTs), we count the numbers of HTML tags, iframes, zero size iframes, lines, and hyperlinks in the webpage content. We also count the number for each of the following seven suspicious native JavaScript functions: escape(), eval(), link(), unescape(), exec(), link(), and search() functions. As suggested by a study of Hou et al. [18], these suspicious JavaScript functions are often used by attacks such as cross-site scripting and Web-based malware distribution. For example, unescape() can be used to decode an encoded shellcode string to obfuscate exploits. The counts of these seven suspicious JavaScript functions form features No. 6 to No. 12 in Table 3. The last feature in this table is the the sum of these function counts, i.e., the total count of these suspicious JavaScript functions. All the features in Table 3 are from the previous work [18]. Table 3: Webpage content features (CONT) No. Feature Type 1 HTML tag count Integer 2 Iframe count Integer 3 Zero size iframe count Integer 4 Line count Integer 5 Hyperlink count Integer 6∼12 Count of each suspicious JavaScript function Integer 13 Total count of suspicious JavaScript functions Integer The CONTs may not be effective to distinguish phishing websites from benign websites because a phishing website should have similar content as the authentic website it targets. However, this very nature of being sensitive to one malicious type but insensitive to other malicious types is very much desired in identifying the type of attack that a malicious URL attempts to launch. 3.4 DNS Features The DNS features are related to the domain name of a URL. Malicious websites tend to be hosted by less 4 reputable service providers. Therefore, the DNS information can be used to detect malicious websites. Ramachandran et al. [33] showed that a significant portion of spammers came from a relatively small collection of autonomous systems. Other types of malicious URLs are also likely to be hosted by disreputable providers. Therefore, the Autonomous System Number (ASN) of a domain can be used as a DNS feature. Table 4: DNS features (DNS) No. Feature Type 1 Resolved IP count Integer 2 Name server count Integer 3 Name server IP count Integer 4 Malicious ASN ratio of resolved IPs Real 5 Malicious ASN ratio of name server IPs Real All the five DNS features listed in Table 4 are novel features. The first is the number of IPs resolved for a URL’s domain. The second is the number of name servers that serves the domain. The third is the number of IPs these name servers are associated with. The next two features are related to ASN. As we have mentioned in Section 3.1, our method maintains a benign URL list and a malicious URL list. For each URL in the two lists, we record its ASNs of resolved IPs and ASNs of the name servers. For a URL, our method calculates hit counts for ASNs of its resolved IPs that matches the ASNs in the malicious URL list. In a similar manner, it also calculates the ASN hit counts using the benign URL list. Summation of malicious ASN hit counts and summation of benign ASN hit counts are used to estimate the malicious ASN ratio of resolved IPs, which is used as an a priori probability for the URL to be hosted by a disreputable service provider based on the precompiled URL lists. ASNs can be extracted from MaxMind’s database file [14]. 3.5 DNS Fluxiness Features A newly emerging fast-flux service network (FFSN) establishes a proxy network to host illegal online services with a very high availability [17]. FFSNs are increasingly employed by attackers to provide malicious content such as malware, phishing websites, and spam campaigns. To detect URLs which are served by FFSNs, we use the discriminative features proposed by Holz et al. [17], as listed in Table 5. Table 5: DNS fluxiness features (DNSF) No. Feature Type 1∼2 φ of NIP, NAS Real 3∼5 φ of NNS, NNSIP, NNSAS Real We lookup the domain name of a URL and repeat the DNS lookup after TTL (Time-To-Live value in a DNS packet) timeout given in the first answer to have consecutive lookups of the same domain. Let NIP and NAS be 128 WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development <strong>USENIX</strong> Association
the total number of unique IPs and ASNs of each IP, respectively, and NNS, NNSIP, NNSAS be the total number of unique name servers, name server IPs, and ASNs of the name server IPs in all DNS lookups. Then, we can estimate fluxiness using the acquired numbers. For example, fluxiness of the resolved IP address is estimated as follows, φ = NIP/Nsingle, where φ is the fluxiness of the domain and Nsingle is the number of IPs that a single lookup returns. Similarly, all of the other fluxiness features are estimated. 3.6 Network Features Attackers may try to hide their websites using multiple redirections such as iframe redirection and URL shortening. Even though also used by benign websites, the distribution of redirection counts of malicious websites is different from that of redirection counts of benign websites [31]. Therefore, redirection count can be a useful feature to detect malicious URLs. In a HTTP packet, there is a content-length field which is the total length of the entire HTTP packet. Hackers often set malformed (negative) content-length in their websites in a buffer overflow exploit. Therefore, content-length is used as a network discriminative feature. Benign sites tend to be more popular with a better service quality than malicious ones. Web technologies tend to make popular websites quick to look up and faster to download. In particular, benign domains tend to have a higher probability to be cached in a local DNS server than malicious domains, esp. those employing FFSNs and dynamic DNS. Therefore, domain lookup time and average download speed are also used as features to detect malicious URLs. The network features listed in Table 6 except the third and fifth features are novel features. Table 6: Network features (NET) No. Feature Type 1 Redirection count Integer 2 Downloaded bytes from content-length Real 3 Actual downloaded bytes Real 4 Domain lookup time Real 5 Average download speed Real 4 Evaluation In this section, we evaluate the performance of our method for both malicious URL detection and attack type identification. We also study the effectiveness of different groups of features. The main findings of our experiments include: • Link popularity. Link popularity first used in our method is highly discriminative for both malicious URL detection (over 96% accuracy) and attack type identification (over 84% accuracy). Google’s 5 search engine was not suitable to estimate link popularity since it reported just a partial list of link popularity. • Link distribution. Malicious URLs are mainly linked by malicious URLs of the same attack type: about 56% of malicious URLs were found to be linked only by the malicious URLs of the same attack type. • Multi-labels. In our collected malicious URLs, over 45% belong to multiple types of threat. Therefore, malicious URLs should be classified with a multi-label classification method in order to produce a more accurate result on the nature of attack. • Identification. Our method has achieved an accuracy rate of over 93% in attack type identification. It is worth mentioning that novel features used in our method including malicious SLD hit ratio in LEX, three malicious link ratios in LPOP, two malicious ASN ratios in DNS were found to be highly effective in distinguishing different attack types. 4.1 Methodology and Data Sets Real-life data was collected from various sources to evaluate our method: • Benign URLs. 40,000 benign URLs were collected from the following two sources as used in previous work [49, 43, 21, 22]: 1) randomly selected 20,000 URLs from the DMOZ Open Directory Project [10] (manually submitted by users), 2) randomly selected 20,000 URLs from Yahoo!’s directory (generated by visiting http://random. yahoo.com/bin/ryl) 3 . • Spam URLs. The spam URLs were acquired from jwSpamSpy [19] which is known as an e-mail spam filter for Microsoft Windows. We also used a publicly available Web spam dataset [3]. • Phishing URLs. The phishing URLs were acquired from PhishTank [29], a free community site where anyone can submit, verify, track and share phishing data. • Malware URLs. The malware URLs were obtained from DNS-BH [11], a project creates and maintains a list of URLs that are known to be used to propagate malware. The data set of malicious URLs is simply the union of the three individual data sets of malicious types. A total of 32,000 malicious URLs was collected. A malicious URL may launch multiple types of attack, i.e., belongs to multiple malicious types. The malicious data sets collected above were marked with only single labels. URLs 3 Many URLs from 1) and 2) did not have any sub-path. We adjusted the ratio of benign URLs with a sub-path to be half of benign URLs. <strong>USENIX</strong> Association WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development 129
Page 1 and 2:
Proceedings of the 2nd</str
Page 3 and 4:
USENIX Association
Page 5:
WebApps ’11: 2nd
Page 9 and 10:
GuardRails: A Data-Centric Web Appl
Page 11 and 12:
Policy Annotation Only admins can d
Page 13 and 14:
@edit, price, false, :nothing To ma
Page 15 and 16:
tags in the Project description, bu
Page 17 and 18:
String Command Result "foobar".gsub
Page 19 and 20:
Transformation Status Homepage Logi
Page 21 and 22:
Abstract Ioannis Papagiannis Imperi
Page 23 and 24:
Num. of Occurrences Type Wordpress
Page 25 and 26:
Sanitisation htmlentities() functio
Page 27 and 28:
Original expression Transformed exp
Page 29 and 30:
non-tracking code with a simple str
Page 31 and 32:
Direct request vulnerabilities. The
Page 33 and 34:
Abstract Secure Data Preservers for
Page 35 and 36:
e found for a variety of services.
Page 37 and 38:
3.2 Operational View The lifecycle
Page 39 and 40:
it automatically). A user or servic
Page 41 and 42:
given the availability of client-si
Page 43 and 44:
can only be decrypted by the base l
Page 45 and 46:
BenchLab: An Open Testbed for Reali
Page 47 and 48:
2.2. Realistic load generation Real
Page 49 and 50:
virtual machine with the software s
Page 51 and 52:
the Olio calendaring applications (
Page 53 and 54:
able to match Firefox’s optimized
Page 55 and 56:
5.4.1. Local vs remote users We obs
Page 57 and 58:
Resource Provisioning of Web Applic
Page 59 and 60:
in a directed acyclic graph [3]. Th
Page 61 and 62:
accordingly. This is the goal of in
Page 63 and 64:
Although expressing performance pro
Page 65 and 66:
Response time (ms) Response time (m
Page 67 and 68:
Response time (ms) Response time (m
Page 69 and 70:
C3: An Experimental, Extensible, Re
Page 71 and 72:
HtmlParser CssParser IHtmlParser IC
Page 73 and 74:
node during construction. This immu
Page 75 and 76:
public interface IDOMTagFactory { I
Page 77 and 78:
3.2 JS execution Point (2): Runtime
Page 79 and 80:
Extensions IE: Available from C3-eq
Page 81:
extensions for web-scale use. The r
Page 84 and 85:
dangerous permissions. In compariso
Page 86 and 87: Permission Popular Unpopular Plug-i
Page 88 and 89: (a) Prevalence of Dangerous permiss
Page 90 and 91: its functionality to the permission
Page 92 and 93: y ACCESS COARSE LOCATION. 358 appli
Page 94 and 95: 7 Conclusion This study contributes
Page 96 and 97: 5 discusses the pros and cons of th
Page 98 and 99: the client is free to use them how
Page 100 and 101: data it uses RESTful API which in t
Page 102 and 103: On top of Django we are using a sma
Page 104 and 105: nal design. Moreover, when the whol
Page 106 and 107: [5] The spring framework. http://ww
Page 108 and 109: of strcpy can preclude the introduc
Page 110 and 111: Integer-valued Binary Stored XSS Re
Page 112 and 113: Java Perl PHP Number of programmers
Page 114 and 115: 0 2 4 6 8 10 0 1 2 3 Team Number La
Page 116 and 117: 0 10 20 30 Number of Vulnerabilitie
Page 118 and 119: Automated black-box penetration tes
Page 121 and 122: Abstract Integrating Long Polling w
Page 123 and 124: the Web server, the framework dispa
Page 125 and 126: all() => [Record] filter(condition)
Page 127 and 128: in any future requests associated w
Page 129 and 130: ��
Page 131 and 132: quests to be put to sleep. For exam
Page 133 and 134: Abstract Detecting Malicious Web Li
Page 135: 3 Discriminative Features Our metho
Page 139 and 140: Table 8: Detection accuracy and tru
Page 141 and 142: centraldevideoscomhomensmaduros. bl
Page 143 and 144: Web content by executing the conten
Page 145 and 146: Maverick: Providing Web Application
Page 147 and 148: must schedule USB messages to provi
Page 149 and 150: priate Web driver. USB events sent
Page 151 and 152: hardware IDs to the browser kernel
Page 153 and 154: PhotoBooth latency JavaScript drive
Page 155 and 156: delegate the higher-level abstracti
show all

2nd USENIX Conference on Web Application Development ...

Create successful ePaper yourself

Delete template?

Save as template?