Abstract
Browser extensions are used by millions of users. However, a large number of extensions can be downloaded from web stores without sufficient trust or safety scrutiny, which keeps users from differentiating benign extensions from malicious ones. In this paper, we propose an aspect-level behavior clustering approach to enhance the safety management of extensions. We decompose an extension’s runtime behavior into several pieces, denoted as AEBs (Aspects of Extension Behavior). Similar AEBs of different extensions are grouped into an “AEB cluster” based on subgraph isomorphism. We then build profiles of AEB clusters for both extensions and categories (of extensions) to detect suspicious extensions. To the best of our knowledge, this is the first study to do aspect-level extension clustering based on runtime behaviors. We evaluate our approach with more than 1,000 extensions and demonstrate that it can effectively and efficiently detect suspicious extensions.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Zhao, B., Liu, P. (2013). Behavior Decomposition: Aspect-Level Browser Extension Clustering and Its Security Implications. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_13
DOI: https://doi.org/10.1007/978-3-642-41284-4_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41283-7
Online ISBN: 978-3-642-41284-4
eBook Packages: Computer Science, Computer Science (R0)