DOI: 10.1145/1920261.1920267
research-article

Cujo: efficient detection and prevention of drive-by-download attacks

Published: 06 December 2010

ABSTRACT

The JavaScript language is a core component of active and dynamic web content on the Internet today. Besides its great success in enhancing web applications, however, JavaScript also provides the basis for so-called drive-by downloads: attacks that exploit vulnerabilities in web browsers and their extensions to download malicious software without the user noticing. Because these attacks are diverse and frequently obfuscated, static code analysis is largely ineffective in practice. While dynamic analysis and honeypots provide means to identify drive-by-download attacks, current approaches incur a significant overhead that renders immediate prevention of attacks intractable.

In this paper, we present Cujo, a system for automatic detection and prevention of drive-by-download attacks. Embedded in a web proxy, Cujo transparently inspects web pages and blocks delivery of malicious JavaScript code. Static and dynamic code features are extracted on the fly and analysed for malicious patterns using efficient machine-learning techniques. We demonstrate the efficacy of Cujo in several experiments, in which it detects 94% of the drive-by downloads with few false alarms and a median run-time of 500 ms per web page, a combination that, to the best of our knowledge, has not been attained in previous work on the detection of drive-by-download attacks.
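As an added illustration of the static-feature half of the pipeline sketched in the abstract (example code written for this page, not Cujo's own implementation; the paper's exact features and learning method are not reproduced here): a small JavaScript lexer that abstracts identifiers and literals, q-gram features over the resulting token stream, and a perceptron standing in for the linear classifier. The abstraction rules, the list of built-in names that are kept verbatim, the choice q = 3, the perceptron, and the sample scripts are all assumptions of this example; the dynamic features obtained by executing a script are out of its scope.

```python
import re
from collections import Counter

# --- 1. Lexer: JavaScript source -> abstracted token stream ----------------
# Assumed abstraction rules for this example (not the paper's exact rules):
# keywords and a short list of well-known built-in names are kept verbatim,
# every other identifier becomes ID, numbers become NUM and string literals
# become STR.S or STR.L depending on their length. Renaming variables or
# swapping the payload inside a string therefore leaves the stream unchanged.
KEYWORDS = {"var", "function", "return", "if", "else", "for", "while",
            "new", "try", "catch", "this", "typeof", "in"}
BUILTINS = {"eval", "unescape", "String", "fromCharCode", "document",
            "window", "setTimeout", "charCodeAt", "length", "write"}
LONG_STRING = 32  # assumed threshold separating STR.S from STR.L

TOKEN_RE = re.compile(r'''
    (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')         # string literal
  | (?P<num>0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?)            # number
  | (?P<id>[A-Za-z_$][\w$]*)                            # identifier/keyword
  | (?P<punct>\+\+|--|===|!==|==|!=|\+=|&&|\|\||[{}()\[\];,.=+\-*/%<>!?:])
  | (?P<ws>\s+)
''', re.VERBOSE)

def tokenize(source):
    """Lex `source` into abstracted tokens. Comments, regular-expression and
    template literals are not handled; unknown characters raise ValueError."""
    tokens, pos = [], 0
    while pos < len(source):
        m = TOKEN_RE.match(source, pos)
        if m is None:
            raise ValueError(f"unexpected character {source[pos]!r} at {pos}")
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "str":
            tokens.append("STR.L" if len(text) - 2 >= LONG_STRING else "STR.S")
        elif kind == "num":
            tokens.append("NUM")
        elif kind == "id":
            tokens.append(text if text in KEYWORDS | BUILTINS else "ID")
        else:
            tokens.append(text)
    return tokens

# --- 2. Features: the set of q-grams of consecutive tokens -----------------
Q = 3  # assumed q-gram length

def features(source, q=Q):
    """Sparse binary feature vector: every q-gram of tokens present in the script."""
    toks = tokenize(source)
    return {" ".join(toks[i:i + q]) for i in range(len(toks) - q + 1)}

# --- 3. Linear classifier over the sparse features (perceptron) ------------
class Perceptron:
    """Weights live in a dict keyed by q-gram, so scoring a page costs one
    dictionary lookup per q-gram it contains."""
    def __init__(self):
        self.w, self.b = Counter(), 0

    def score(self, feats):
        return sum(self.w[f] for f in feats) + self.b

    def predict(self, feats):
        return 1 if self.score(feats) > 0 else -1

    def train(self, data, epochs=100):
        """Standard perceptron updates; returns accuracy on the training set."""
        for _ in range(epochs):
            mistakes = 0
            for feats, y in data:
                if y * self.score(feats) <= 0:
                    for f in feats:
                        self.w[f] += y
                    self.b += y
                    mistakes += 1
            if mistakes == 0:
                break
        return sum(self.predict(f) == y for f, y in data) / len(data)

# Constructed sample scripts (not taken from any real page or malware feed).
BENIGN = [
    'var box = document.getElementById("status"); box.innerHTML = "ready";',
    'function add(a, b) { return a + b; } var total = add(2, 3); window.alert(total);',
]
MALICIOUS = [
    # decode-then-execute: payload kept in a long escaped string
    'var p = unescape("%61%6c%65%72%74%28%22%68%69%22%29"); eval(p);',
    # char-code loop: code rebuilt from numbers before being evaluated
    'var s = ""; var c = [104, 105]; for (var i = 0; i < c.length; i++) '
    '{ s += String.fromCharCode(c[i] + 1); } eval(s);',
]
# Unseen variants: same structure, different names and string contents.
UNSEEN_MALICIOUS = 'var q = unescape("%61%6c%65%72%74%28%22%64%65%6d%6f%22%29"); eval(q);'
UNSEEN_BENIGN = 'var panel = document.getElementById("title"); panel.innerHTML = "done";'

def train_detector(benign=BENIGN, malicious=MALICIOUS):
    """Fit the classifier; returns (model, training accuracy)."""
    data = [(features(s), -1) for s in benign] + [(features(s), +1) for s in malicious]
    clf = Perceptron()
    return clf, clf.train(data)

def classify(clf, source):
    return "malicious" if clf.predict(features(source)) == 1 else "benign"

if __name__ == "__main__":
    clf, acc = train_detector()
    print(f"training accuracy: {acc:.2f}")
    for name, src in [("unseen malicious", UNSEEN_MALICIOUS), ("unseen benign", UNSEEN_BENIGN)]:
        print(f"{name}: {classify(clf, src)}  score={clf.score(features(src)):+d}")
```

Running the block trains on the four constructed scripts and then classifies two unseen variants whose identifiers and string payloads differ from the training scripts. Because the lexer abstracts names and literals, each variant maps to the same token stream and hence the same q-gram features as its training counterpart, which is what makes features of this kind robust to renaming-based obfuscation. The flip side is that the model learns syntactic structure, not semantics: four scripts are memorised rather than generalised from, and a real deployment needs thousands of labelled pages and a held-out evaluation before a detection rate or false-alarm figure means anything.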


Published in

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
December 2010, 419 pages
ISBN: 9781450301336
DOI: 10.1145/1920261

Copyright © 2010 ACM


Publisher: Association for Computing Machinery, New York, NY, United States




Acceptance Rates

Overall acceptance rate: 104 of 497 submissions, 21%
