Demalvertising: A Kernel Approach for Detecting Malwares in Advertising Networks

From search engines to e-commerce websites and online video channels to smartphone applications, most internet applications use advertising as one of their primary sources of revenue. Malvertising is the act of distributing malicious software to users via advertisements on websites. Its major causes are the presence of hundreds of third-party advertising solutions and the improper verification of ads at the publisher’s site. Moreover, carefully tailored advertisements are placed that exploit a browser’s bugs and vulnerabilities to infect users with malicious software. In this paper, we highlight loopholes in the currently applied advertising policies and the vulnerabilities that are exploited to attack customers by serving malicious ads in user applications. Our major contribution is a framework that identifies malicious advertisements at the publishers’ end. It is based on two types of analysis: static analysis of the advertisement’s source code, and behavioral analysis of the advertisement in a secure sandboxed environment to detect any malicious activity. We extracted a total of 9 features from 15,000 advertisements and classified them using a trained one-class SVM classifier. Our results show that 53% of the suspicious ads contain dubious iFrames, while 69% of them perform redirections, followed by drive-by downloads at 18%, with very low false positive and false negative rates.
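The static-analysis stage described above can be sketched as a feature extractor over an ad's HTML source. This is an added example, not code from the paper: the five features, the regular expressions, and the names `AdFeatureParser`, `extract_features` and `SAMPLE_AD` are assumptions chosen to match the indicators the abstract names (dubious iFrames, redirections), and the resulting counts are the kind of vector a one-class classifier would be trained on.

```python
import re
from html.parser import HTMLParser

# Assumed indicator patterns; the page does not list the paper's 9 features.
REDIRECT_RE = re.compile(r"location(?:\.href)?\s*=(?!=)|location\.(?:replace|assign)\s*\(")
DYNAMIC_RE = re.compile(r"\b(?:eval|unescape)\s*\(|document\.write\s*\(")
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class AdFeatureParser(HTMLParser):
    """Collects static counts from one ad creative's markup."""
    def __init__(self):
        super().__init__()
        self.features = dict(iframes=0, hidden_iframes=0, meta_refresh=0,
                             script_redirects=0, dynamic_code=0)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.features["iframes"] += 1
            # A 0/1-pixel or CSS-hidden frame is invisible to the user.
            tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                       for d in ("width", "height"))
            if tiny or HIDDEN_RE.search(a.get("style", "")):
                self.features["hidden_iframes"] += 1
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.features["meta_refresh"] += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # count indicators only inside inline scripts
            self.features["script_redirects"] += len(REDIRECT_RE.findall(data))
            self.features["dynamic_code"] += len(DYNAMIC_RE.findall(data))

def extract_features(html):
    """Return the static feature counts for one ad's HTML source."""
    parser = AdFeatureParser()
    parser.feed(html)
    parser.close()
    return parser.features

# Constructed sample creative (not taken from the paper's data set).
SAMPLE_AD = """<div><iframe src="https://cdn.example/f.html" width="0" height="0"></iframe>
<iframe src="https://ads.example/c.html" width="300" height="250"></iframe>
<script>eval(unescape("%61")); window.location.href = "https://landing.example/";</script></div>"""

if __name__ == "__main__":
    print(extract_features(SAMPLE_AD))
```

Static counts like these miss redirects that are assembled only at run time, which is the gap the sandboxed behavioral analysis is meant to cover.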
