Real-world IP and network tracking measurement study of malicious websites with HAZOP

IP tracking and cloaking are practices for identifying users that websites use legitimately to provide services and content tailored to particular users. However, it is believed that malicious websites also use these practices to avoid detection by anti-virus companies crawling the web to find malware. In addition, malicious websites are believed to use IP tracking to deliver targeted malware based on a history of previous visits by users. In this paper, we empirically investigate these beliefs and collect a large data-set of suspicious URLs in order to identify at what level IP tracking takes place: at the level of an individual address (IP tracking) or at the level of the user's network provider or organization (network tracking). We perform our experiments using a HAZard and OPerability (HAZOP) study to control the effects of a large number of other attributes that may affect the result of the analysis. Our results show that IP tracking is used in a small subset of domains within our data-set, while no strong indication of network tracking was observed.
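As an added example (not code from the paper or its authors), the following Python sketch encodes the abstract's distinction between IP tracking and network tracking as a classification rule over repeated crawler visits from several vantage points. The decision rule, the vantage IPs, the network labels and the response bodies are all constructed assumptions for illustration; the paper's own HAZOP-controlled methodology and data-set are not reproduced here.

```python
"""Classify the tracking level a suspicious site exhibits from repeated crawler visits.

Added example, not the paper's code. Vantage IPs, network labels and response
bodies are constructed; 'network' stands for whatever grouping a measurement
uses (e.g. a /24 prefix or an ASN).
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Visit:
    ip: str        # vantage IP the crawler connected from (constructed)
    network: str   # network/organization label of that vantage (constructed)
    seq: int       # visit order from this vantage; 1 = first contact
    body: bytes    # response body captured on that visit


def fingerprint(body: bytes) -> str:
    """Stable content fingerprint; a real crawler would normalise dynamic parts first."""
    return hashlib.sha256(body).hexdigest()[:16]


def classify(visits):
    """Return 'ip', 'network', 'none' or 'inconclusive' for one site.

    Decision rule (an assumption derived from the abstract's IP-vs-network distinction):
      * evidence of history-based behaviour = a vantage sees different content on revisit;
      * a fresh IP in the same network that receives the revisit content -> network tracking;
      * a fresh IP in the same network that receives the first-visit content -> IP tracking;
      * a fresh IP in a different network that receives the revisit content -> the change is
        not keyed on the visitor at all (e.g. the page changed over time) -> inconclusive.
    """
    by_ip = defaultdict(dict)
    net_of = {}
    for v in visits:
        by_ip[v.ip][v.seq] = fingerprint(v.body)
        net_of[v.ip] = v.network

    # Vantages visited more than once whose revisit content differs from first contact
    changed = [ip for ip, seqs in by_ip.items()
               if 1 in seqs and any(fp != seqs[1] for s, fp in seqs.items() if s > 1)]
    if not changed:
        return "none"

    verdicts = set()
    for ip in changed:
        first_fp = by_ip[ip][1]
        revisit_fps = {fp for s, fp in by_ip[ip].items() if s > 1}
        # Control vantages: visited exactly once, so they carry no history of their own
        fresh = [o for o, seqs in by_ip.items() if o != ip and set(seqs) == {1}]
        same_net = [by_ip[o][1] for o in fresh if net_of[o] == net_of[ip]]
        other_net = [by_ip[o][1] for o in fresh if net_of[o] != net_of[ip]]

        if any(fp in revisit_fps for fp in other_net):
            return "inconclusive"  # unrelated visitors see the change too: not visitor-keyed
        if any(fp in revisit_fps for fp in same_net):
            verdicts.add("network")
        elif same_net and all(fp == first_fp for fp in same_net):
            verdicts.add("ip")

    if "network" in verdicts:
        return "network"
    if "ip" in verdicts:
        return "ip"
    return "inconclusive"  # content changed on revisit, but no same-network control vantage


# Constructed response bodies standing in for the two variants a tracking site might serve
FIRST = b"<html>variant served on first contact</html>"
REVISIT = b"<html>variant served on later visits</html>"

IP_TRACKING_SAMPLE = [
    Visit("203.0.113.10", "net-A", 1, FIRST),
    Visit("203.0.113.10", "net-A", 2, REVISIT),   # same IP returns: content changes
    Visit("203.0.113.11", "net-A", 1, FIRST),     # fresh IP, same network: first-contact content
    Visit("198.51.100.7", "net-B", 1, FIRST),     # fresh IP, other network
]
NETWORK_TRACKING_SAMPLE = [
    Visit("203.0.113.10", "net-A", 1, FIRST),
    Visit("203.0.113.10", "net-A", 2, REVISIT),
    Visit("203.0.113.11", "net-A", 1, REVISIT),   # fresh IP in same network already gets revisit content
    Visit("198.51.100.7", "net-B", 1, FIRST),
]
NO_TRACKING_SAMPLE = [
    Visit("203.0.113.10", "net-A", 1, FIRST),
    Visit("203.0.113.10", "net-A", 2, FIRST),
    Visit("203.0.113.11", "net-A", 1, FIRST),
    Visit("198.51.100.7", "net-B", 1, FIRST),
]
TIME_CHANGE_SAMPLE = [
    Visit("203.0.113.10", "net-A", 1, FIRST),
    Visit("203.0.113.10", "net-A", 2, REVISIT),
    Visit("203.0.113.11", "net-A", 1, REVISIT),
    Visit("198.51.100.7", "net-B", 1, REVISIT),   # unrelated network sees it too: page simply changed
]

if __name__ == "__main__":
    for name, sample in [("ip-tracking", IP_TRACKING_SAMPLE), ("network-tracking", NETWORK_TRACKING_SAMPLE),
                         ("no-tracking", NO_TRACKING_SAMPLE), ("time-change", TIME_CHANGE_SAMPLE)]:
        print(f"{name:18s} -> {classify(sample)}")
```

The fresh same-network vantage is the control that separates the two hypotheses: if it receives first-contact content while the returning IP receives something else, the state is keyed on the individual address; if it inherits the changed content, the state is keyed on the network. The different-network control guards against confusing either with a page that simply changed between crawls, which is the kind of confounding attribute the paper's HAZOP study is meant to control for.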
