WebMon: ML- and YARA-based malicious webpage detection

Abstract

Attackers use the openness of the Internet to facilitate the dissemination of malware. Their attempts to infect target systems via the Web have increased with time and are unlikely to abate. In response to this threat, we present an automated, low-interaction malicious webpage detector, WebMon, that identifies invasive roots in Web resources loaded from WebKit2-based browsers using machine learning and YARA signatures. WebMon effectively detects hidden exploit codes by tracing linked URLs to confirm whether the relevant websites are malicious. WebMon detects a variety of attacks by running 250 containers simultaneously. In this configuration, the proposed model yields a detection rate of 98%, and is 7.6 times faster (with a container) than previously proposed models. Most importantly, WebMon’s focus on extracting malicious paths in a domain is a novel approach that has not been explored in previous studies.

Introduction

Since the initial development of Web browsers, there have been a growing number of attempts to infect online systems by transmitting malware through browsers. In this Web architecture, one malicious webpage can contaminate several thousand user PCs in minutes. Therefore, the concealment of malware on webpages is one of the most dangerous types of cyberattack, and poses a significant threat to the integrity of critical systems. More recent types of malware, such as ransomware, in conjunction with exploit toolkits, have evolved to become more complex, automated, and impossible to decrypt. Thus, detecting websites that propagate malware and developing techniques to neutralize them is crucial.

Malicious URLs that activate drive-by downloads are a popular form of exploitation and malware delivery. Hence, fast detection of malicious URLs is useful, because the URLs can then be distributed to blacklists maintained by various security systems. (At present, these databases might contain a great deal of outdated information.) Thus, rapidly finding malicious URLs from countless webpages, which are live only for very limited amounts of time, is a duty of security research.

Previous studies [1], [2], [3] have exposed limitations in the extraction of malicious URL paths within webpages–even if diverse malicious traces exist. Previous systems have shown the difficulty of detecting exploit kits (EKs) [1], and suffered from low performance [2] and unstable architectures [3]. High performance is especially important for detecting many malicious webpages because we cannot limitlessly increase our server capacity. The prevalent dynamic systems impose a significant processing burden, whereas static systems have low detection rates in browser-plugin-based attacks. In this circumstance, our approach provides effective architectural design that overcomes previous limitations.

In this paper, we propose a WebKit2- [4], machine learning (ML)-, and YARA-based [5] low-interaction webpage analyzer. Combining these components improves the functionality of state-of-the-art systems and classifies malicious redirects. The main contributions of this study are as follows:

• We propose a practical model using a WebKit2-, ML- and YARA-based framework for large-scale malicious webpage detection. This framework utilizes Docker containers and a multiserver architecture to provide a secure, scalable, and stable structure.

• We introduce WebMon, which is 7.6 times faster than conventional malicious webpage detection tools and has a detection rate of 98%; it can determine the maliciousness of 11.13 domains per second in single-server mode.

• We present a call tree algorithm that constructs a malicious URL redirection tree that enables us to clearly determine malicious paths.

The remainder of this paper is organized as follows: Section 2 presents related work and describes our research. Section 3 describes a variety of features that can be used for malware detection. Section 4 provides an overview of the proposed model. In Section 5, we explain the technical details of our implementation; then, we discuss the dataset used, the experimental setup, and our experimental results in Section 6. The limitations of our model and our conclusions are outlined in Section 7.