ABSTRACT
We present ADSandbox, an analysis system for malicious websites that focuses on detecting attacks carried out through JavaScript. Since JavaScript, unlike Java, has no built-in sandbox concept, the idea is to execute any embedded JavaScript within an isolated environment and log every critical action. Using heuristics on these logs, ADSandbox decides whether the site is malicious or not. In contrast to previous work, this approach combines generality with usability, since the system runs directly on the client that runs the web browser, before the web page is displayed. We show that we can achieve false positive rates close to 0% and false negative rates below 15% with a performance overhead of only a few seconds, which is somewhat high for real-time use but indicates great potential for future versions of our tool.
ADSandbox: sandboxing JavaScript to fight malicious websites