April 10, 2011 Salzburg, Austria - WOMBAT project

HARMUR: Storing and Analyzing Historic Data on Malicious Domains

Corrado Leita
Symantec Research Labs
Sophia Antipolis, France
corrado_leita@symantec.com

Marco Cova*
School of Computer Science, University of Birmingham
Birmingham, United Kingdom
m.cova@cs.bham.ac.uk

* The work of Marco Cova was supported by the Symantec Research Labs Graduate Fellowship Program.

ABSTRACT

A large amount of work has been done to develop tools and techniques to detect and study the presence of threats on the web. This includes, for instance, the development of a variety of client honeypot techniques for the detection and study of drive-by downloads, as well as the creation of blacklists to prevent users from visiting malicious web pages. Due to the extent of the web and the scale of the problem, existing work typically focuses on collecting information on the current state of web pages and does not take into account the temporal dimension of the problem. In this paper we describe HARMUR, a security dataset developed in the context of the WOMBAT project that aims at exploring the dynamics of the security and contextual information associated with malicious domains. We detail the design decisions that have led to the creation of an easily extensible architecture, and describe the characteristics of the underlying dataset. Finally, we demonstrate through examples the value of the collected information, and the importance of tracking the evolution of the state of malicious domains to build a more complete picture of the threat landscape.

1. INTRODUCTION

The Internet threat scenario is extremely diverse and in continuous evolution. In recent years, we have witnessed a partial shift of attention from server-side attacks to client-side ones. An increasingly popular vector for malware propagation leverages the web to reach victim hosts through their interaction with client software (i.e., web browsers). For instance, in so-called drive-by downloads, the user is infected by simply visiting a malicious web page, or a benign web page modified by malicious actors to redirect client traffic towards exploit-distribution servers [16]. Drive-by downloads are responsible for the spread of much of the recent malware, such as the Torpig botnet [18] or the Hydraq trojan [20].

Similarly to what has been done in the past for server-side attacks, researchers have studied solutions to identify these threats, both to protect users and to quantify the extent of the phenomenon. This has been mainly achieved by crawling the web or by visiting suspicious URLs, and then analyzing the discovered web content to detect exploits. A variety of client honeypots with different characteristics has been proposed in the literature [9, 14, 17, 21, 23, 26].

However, the problem tackled by these techniques differs profoundly from that previously addressed in the analysis of server-side threats. A tool that has been widely used for the collection of data on server-side threats is the honeypot: a network host with no specific function other than interacting with the malicious actors scanning its network. While server-side honeypots are by definition passive systems that react to traffic initiated by malicious actors or infected hosts, client-side honeypots are active components that need to be driven towards a URL in order to assess its maliciousness. This difference in operational pattern has important consequences for the collection of data on client-side threats:

1. By simply waiting for incoming activity, a server-side honeypot has immediate visibility on the temporal evolution of an infection. Previous work has underlined the importance of looking at threat dynamics to correlate apparently dissimilar activities [12] and to understand the propagation of a malware infection [2]. Information on the temporal evolution of client-side threats is much more challenging to obtain, since it requires actively reconsidering previous analyses on a regular basis.

2. No legitimate activity should ever be generated towards a server-side honeypot. Aside from traffic generated as a consequence of misconfigurations, most of the traffic targeting a honeypot is likely to have a malicious nature. The challenge in the analysis of such traffic consists of characterizing the type of activity, for instance by employing techniques able to discern code injections from lower-impact activities [1, 7, 13]. Conversely, the security state of a URL analyzed by different client honeypots is much more difficult to assess. The URL may exhibit different characteristics
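The core idea in point 1, re-assessing previously analyzed domains on a regular basis and retaining every observation rather than only the latest one, can be illustrated with a minimal sketch. This is not HARMUR's actual schema or implementation (the architecture is described later in the paper); the class and method names below are hypothetical, and the states are simplified to plain labels.

```python
import time
from collections import defaultdict


class DomainHistory:
    """Append-only store of time-stamped security observations per domain.

    Illustrative sketch only: it captures the idea that each re-analysis
    adds a new observation, so state transitions (e.g. a benign domain
    being compromised and later cleaned up) remain reconstructable.
    """

    def __init__(self):
        # domain -> list of (timestamp, state) pairs, never overwritten
        self._observations = defaultdict(list)

    def record(self, domain, state, timestamp=None):
        """Append one observation; defaults to the current time."""
        ts = time.time() if timestamp is None else timestamp
        self._observations[domain].append((ts, state))

    def state_at(self, domain, timestamp):
        """Return the most recent state observed at or before `timestamp`."""
        latest = None
        for ts, state in self._observations[domain]:
            if ts <= timestamp and (latest is None or ts > latest[0]):
                latest = (ts, state)
        return None if latest is None else latest[1]

    def transitions(self, domain):
        """Return the chronological sequence of state *changes*."""
        changes, prev = [], None
        for ts, state in sorted(self._observations[domain]):
            if state != prev:
                changes.append((ts, state))
                prev = state
        return changes
```

A snapshot-only dataset would answer "is this domain malicious now?", while the append-only design above also answers "when did it become malicious, and for how long?", which is exactly the temporal dimension that a one-shot client-honeypot visit cannot provide:

```python
h = DomainHistory()
h.record("example.org", "benign", timestamp=1)
h.record("example.org", "malicious", timestamp=2)  # compromise detected
h.record("example.org", "benign", timestamp=3)     # later cleaned up
h.transitions("example.org")  # three state changes, not just the final state
```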
