Behavior Decomposition: Aspect-Level Browser Extension Clustering and Its Security Implications

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2013)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8145)

Abstract

Browser extensions are widely used by millions of users. However, a large number of extensions can be downloaded from webstores without sufficient trust or safety scrutiny, which keeps users from differentiating benign extensions from malicious ones. In this paper, we propose an aspect-level behavior clustering approach to enhance the safety management of extensions. We decompose an extension’s runtime behavior into several pieces, denoted as AEBs (Aspects of Extension Behavior). Similar AEBs of different extensions are grouped into an “AEB cluster” based on subgraph isomorphism. We then build profiles of AEB clusters for both extensions and categories (of extensions) to detect suspicious extensions. To the best of our knowledge, this is the first study to perform aspect-level extension clustering based on runtime behaviors. We evaluate our approach with more than 1,000 extensions and demonstrate that it can effectively and efficiently detect suspicious extensions.



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zhao, B., Liu, P. (2013). Behavior Decomposition: Aspect-Level Browser Extension Clustering and Its Security Implications. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_13

  • DOI: https://doi.org/10.1007/978-3-642-41284-4_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4

  • eBook Packages: Computer Science, Computer Science (R0)
