ABSTRACT
The JavaScript language is a core component of active and dynamic web content on the Internet today. Besides its great success in enhancing web applications, however, JavaScript also provides the basis for so-called drive-by downloads: attacks that exploit vulnerabilities in web browsers and their extensions to download malicious software without the user noticing. Because these attacks are diverse and frequently obfuscated, static code analysis alone is largely ineffective in practice. Dynamic analysis and client honeypots can identify drive-by-download attacks, but current approaches introduce significant overhead, which makes blocking an attack before it reaches the browser impractical.
In this paper, we present Cujo, a system for automatic detection and prevention of drive-by-download attacks. Embedded in a web proxy, Cujo transparently inspects web pages and blocks delivery of malicious JavaScript code. Static and dynamic code features are extracted on the fly and analysed for malicious patterns using efficient machine learning techniques. We demonstrate the efficacy of Cujo in several experiments, in which it detects 94% of the drive-by downloads with few false alarms and a median run time of 500 ms per web page, a combination of detection rate and speed that, to the best of our knowledge, has not been attained in previous work on the detection of drive-by-download attacks.
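The static side of the pipeline described above works on a normalised lexical token stream: identifiers, numbers and string literals are replaced by placeholders, contiguous runs of q tokens (q-grams) become the features, and a linear classifier decides whether the script is blocked. The following is an added example written for this page, not Cujo's own code. It assumes its own tokenizer (string literals bucketed by the bit length of their length), q = 3, binary q-gram features, a perceptron as a dependency-free stand-in for the paper's linear SVM, and a constructed six-script training corpus; the paper's dynamic features from executing the script in a sandbox are not reproduced. The RENAMED_SPRAY sample shows why the normalisation matters: renaming every variable and changing every constant of a heap-spray script yields exactly the same token stream, so the detector's verdict is unchanged.

```python
"""Cujo-style static detection: normalised JavaScript tokens -> q-grams -> linear
classifier. Added example, not the paper's code. Assumed: this tokenizer, q = 3,
binary features, a perceptron in place of the paper's linear SVM, constructed samples."""
import re

# Keywords stay verbatim; every other identifier collapses to ID.
KEYWORDS = {"var", "let", "const", "function", "return", "if", "else", "for", "while",
            "do", "new", "this", "typeof", "in", "try", "catch", "throw", "true", "false", "null"}
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<num>0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
  | (?P<op>===|!==|==|!=|<=|>=|\+\+|--|&&|\|\||\+=|-=|[-+*/%=<>!&|^~?:;,.(){}\[\]])
""", re.VERBOSE | re.DOTALL)

def tokenize(js):
    """Lex and normalise: identifiers -> ID, numbers -> NUM, strings -> STR.<b> with
    b = bit length of the string length (a log-scale size class)."""
    tokens, pos = [], 0
    while pos < len(js):
        m = TOKEN_RE.match(js, pos)
        if m is None:
            raise ValueError("unexpected character %r at offset %d" % (js[pos], pos))
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind == "str":
            tokens.append("STR.%d" % (len(text) - 2).bit_length())
        elif kind == "num":
            tokens.append("NUM")
        elif kind == "ident":
            tokens.append(text if text in KEYWORDS else "ID")
        elif kind == "op":
            tokens.append(text)          # whitespace and comments are dropped
    return tokens

def qgrams(tokens, q):
    """All contiguous q-token windows as a set (binary q-gram features)."""
    return {" ".join(tokens[i:i + q]) for i in range(len(tokens) - q + 1)}

class LinearDetector:
    """verdict = sign(w . x + b) over q-gram features, trained with the perceptron
    rule; the paper's linear SVM has the same decision function."""
    def __init__(self, q=3):
        self.q, self.w, self.b = q, {}, 0.0
    def features(self, js):
        return qgrams(tokenize(js), self.q)
    def score(self, feats):
        return sum(self.w.get(f, 0.0) for f in feats) + self.b
    def train(self, samples, max_epochs=1000):
        """samples: (js, label) with +1 malicious / -1 benign; returns epochs needed."""
        data = [(self.features(js), label) for js, label in samples]
        for epoch in range(1, max_epochs + 1):
            mistakes = 0
            for feats, label in data:
                if (self.score(feats) > 0) != (label > 0):
                    mistakes += 1
                    for f in feats:
                        self.w[f] = self.w.get(f, 0.0) + label
                    self.b += label
            if mistakes == 0:
                return epoch
        raise RuntimeError("no separating hyperplane found in %d epochs" % max_epochs)
    def is_malicious(self, js):
        return self.score(self.features(js)) > 0

# Constructed training corpus, not the paper's data set.
MALICIOUS_SAMPLES = [
    # heap spray: decoded shellcode, a sled string doubled in a loop, an array filled with it
    'var shellcode = unescape("%u9090%u9090%uEB0C");\nvar spray = unescape("%u0c0c%u0c0c");\n'
    'while (spray.length < 0x100000) spray += spray;\nvar heap = new Array();\n'
    'for (var i = 0; i < 200; i++) heap[i] = spray + shellcode;',
    # split strings hide eval/unescape behind a dynamic property call
    'var p = "ev" + "al";\nvar q = "unes" + "cape";\n'
    'window[p](window[q]("%64%6f%63%75%6d%65%6e%74"));',
    # hex decoder feeding eval
    'function dec(s) { var o = "";\n  for (var i = 0; i < s.length; i += 2) {\n'
    '    o += String.fromCharCode(parseInt(s.substr(i, 2), 16)); }\n  return o; }\n'
    'eval(dec("646f63756d656e742e7772697465"));',
]
BENIGN_SAMPLES = [
    'function add(a, b) { return a + b; }\nvar total = add(1, 2);',
    'document.getElementById("header").innerHTML = "Welcome back";',
    'for (var i = 0; i < items.length; i++) {\n  list.push(items[i].name);\n}',
]
# First malicious sample with all names and constants changed (string lengths kept
# in the same size class): the normalised token stream is identical.
RENAMED_SPRAY = (
    'var a1 = unescape("%u4141%u4141%u4141");\nvar b2 = unescape("%u0d0d%u0d0d");\n'
    'while (b2.length < 0x200000) b2 += b2;\nvar c3 = new Array();\n'
    'for (var k = 0; k < 500; k++) c3[k] = b2 + a1;'
)

def build_detector(q=3):
    det = LinearDetector(q)
    det.train([(js, +1) for js in MALICIOUS_SAMPLES] + [(js, -1) for js in BENIGN_SAMPLES])
    return det

if __name__ == "__main__":
    det = build_detector()
    print(" ".join(tokenize(RENAMED_SPRAY)))
    print("renamed spray flagged:", det.is_malicious(RENAMED_SPRAY))
```

Two caveats a practitioner should keep in mind. First, the normalisation defeats only cosmetic obfuscation (renaming, re-encoding constants, reformatting); a rewrite that changes the token structure, for instance building the sled with a different loop shape, produces different q-grams, which is why the paper pairs the static classifier with features from dynamic execution. Second, the training set here is constructed so that each class has q-grams the other lacks; on real corpora the feature space is far larger and a linear SVM with a regularisation term, as used in the paper, is the appropriate learner rather than a plain perceptron.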
Cujo: efficient detection and prevention of drive-by-download attacks