Abstract
Attackers mostly target users running vulnerable browsers, mounting client-side attacks through various exploitation means in which dynamic client-side JavaScript is the most instrumental. In this paper, we present UAC (URL Analyzer and Classifier), a novel lightweight and browser-independent solution that combines static analysis with run-time emulation to identify malicious web pages. UAC performs a multi-faceted inspection of a web page: DOM parsing to identify suspicious DOM elements, including hidden iframes and malicious links; JavaScript analysis to detect obfuscation and malicious behaviour using function-call profiling based on supervised learning; tracking of dynamic domain redirections; and scanning for suspicious patterns. An active hunt for potential URLs starting from seed web pages is conducted with an integrated web crawler, so as to cover the largest possible portion of the web reachable from a given URL. The solution is deployed as a low-interaction honeyclient in a distributed honeynet system, where scalability is addressed using a hash-based redundancy check.
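As an added illustration, not the authors' UAC code, the Python below sketches two of the abstract's ingredients: a single-pass DOM inspection that flags hidden iframes, collects outbound links and scores inline script text by Shannon entropy as a crude obfuscation signal, and a SHA-256 seen-set implementing the hash-based redundancy check a crawler would use. The sample page, the hidden-size thresholds and the function names are assumptions made for this example.

```python
import hashlib, math
from collections import Counter
from html.parser import HTMLParser

SAMPLE_HTML = """<html><body><a href="http://example.com/a">a</a>
<iframe src="http://bad.example/x" width="0" height="0"></iframe>
<a href="http://example.com/b">b</a>
<script>eval(unescape("%75%6e"));</script></body></html>"""  # constructed sample, not from the paper

def is_hidden(attrs):
    # Heuristic: zero/one-pixel box or CSS that hides the element (assumed thresholds).
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def shannon_entropy(text):
    # Bits per character; packed or obfuscated script text tends to score high.
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

class PageInspector(HTMLParser):
    # One pass over the DOM collecting hidden iframes, outbound links and inline script text.
    def __init__(self):
        super().__init__()
        self.hidden_iframes, self.links, self.scripts, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and is_hidden(a):
            self.hidden_iframes.append(a.get("src", ""))
        elif tag == "a" and (a.get("href") or "").startswith("http"):
            self.links.append(a["href"])
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
    def max_script_entropy(self):
        return max((shannon_entropy(s) for s in self.scripts), default=0.0)

def first_time(url, seen):
    # Hash-based redundancy check: queue a URL only when its digest is new to the set.
    d = hashlib.sha256(url.encode()).hexdigest()
    if d in seen:
        return False
    seen.add(d)
    return True
```

Feed a page with `PageInspector().feed(html)` and read the collected lists; the entropy score is only a triage signal, to be combined with the behavioural checks the paper describes rather than used alone.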
Acknowledgements
We are grateful to Dr. Bruhadeshwar Bezawada, Assistant Professor, IIIT Hyderabad, for his support, guidance from time to time and periodic feedback on the analysis process. He has also suggested various improvements to address scalability.
We are also thankful to Mr. S. S. Sarma, Scientist ‘E’, Cert-In, for providing useful inputs regarding the selection of significant parameters for analysis. The Cert-In team has been regularly providing us with lists of URLs and evaluating our results.
© 2014 Springer International Publishing Switzerland
Kaur, H., Madan, S., Sehgal, R.K. (2014). UAC: A Lightweight and Scalable Approach to Detect Malicious Web Pages. In: Silhavy, R., Senkerik, R., Oplatkova, Z., Silhavy, P., Prokopova, Z. (eds) Modern Trends and Techniques in Computer Science. Advances in Intelligent Systems and Computing, vol 285. Springer, Cham. https://doi.org/10.1007/978-3-319-06740-7_21
DOI: https://doi.org/10.1007/978-3-319-06740-7_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-06739-1
Online ISBN: 978-3-319-06740-7
eBook Packages: Engineering (R0)