Drive-by Download (DBD) attacks are one of the major threats to the web infrastructure. A DBD attack is triggered by a user's access to a malicious website and forces the user to download malware by exploiting vulnerabilities in the web browser or its plugins. Malicious websites are ephemeral, so fresh information about malicious activity must be gathered continuously to detect and prevent such attacks. In this paper, we propose a framework that combats DBD attacks through users' voluntary monitoring of the web. The framework tackles two issues: how to obtain up-to-date information about malicious activity, and how to provide that information back to the world. It aims to realize a security ecosystem: users actively offer information about their activities on the web (e.g. accessed URLs, downloaded contents), security analysts inspect that information to detect new threats and devise countermeasures, and the countermeasures are provided to users as feedback. The framework consists of sensors located on the user side and a centralized center located on the network side. Sensors are deployed in web browsers, web proxies, and DNS servers. The sensors monitor accessed URLs, downloaded contents, and the way each link event was triggered (e.g. mouse click, mouse move, or a server-side redirect), and report these data to the center. The center analyzes the data, derives statistics and the web link structure, and detects new threats by exploiting the characteristics of malicious web pages. This paper also shows a real-world example that demonstrates the potential of our framework. The example suggests that our focus on changes in the web link structure can detect illegal falsification of web pages. Our framework can obtain long-term data on how many hosts users are forced to access when they visit a web page, so we believe it can distinguish legitimate changes to web pages from changes caused by compromise.
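As an added illustration, not code from the paper, the following sketches the center-side check the abstract describes: from sensor reports of which URLs a page made the browser fetch and how each fetch was triggered, it tracks the set of hosts a page forces users to contact over time and flags a page whose forced-host set suddenly grows. The sensor reports, hostnames and the two-day baseline window are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sensor reports: (day, page URL, fetched URL, how the fetch was triggered).
# Trigger values follow the paper's categories: user "click", user "move", or a server "redirect".
SENSOR_REPORTS = [
    (1, "https://news.example.com/", "https://cdn.example-static.net/app.js", "page_load"),
    (1, "https://news.example.com/", "https://ads.example-ads.com/banner", "page_load"),
    (1, "https://news.example.com/", "https://news.example.com/story/1", "click"),
    (2, "https://news.example.com/", "https://cdn.example-static.net/app.js", "page_load"),
    (2, "https://news.example.com/", "https://ads.example-ads.com/banner", "page_load"),
    # Day 3: the page now silently pulls in two never-before-seen hosts via redirects,
    # the kind of link-structure change the abstract associates with page falsification.
    (3, "https://news.example.com/", "https://cdn.example-static.net/app.js", "page_load"),
    (3, "https://news.example.com/", "https://x1.example-redirect.biz/go", "redirect"),
    (3, "https://news.example.com/", "https://x2.example-exploit.biz/kit", "redirect"),
]


def host(url):
    return urlparse(url).hostname


def hosts_by_day(reports):
    """Map page -> {day -> set of hosts the page forced the browser to contact}.

    User-initiated clicks are excluded: they reflect the user's choice, not a forced fetch.
    """
    graph = defaultdict(lambda: defaultdict(set))
    for day, page, fetched, trigger in reports:
        if trigger != "click":
            graph[page][day].add(host(fetched))
    return graph


def flag_link_structure_changes(reports, baseline_days=2):
    """Return (page, day, new_hosts) for days on which a page forces access to hosts
    that never appeared during its first `baseline_days` days of observation."""
    alerts = []
    for page, days in hosts_by_day(reports).items():
        ordered = sorted(days)
        baseline = set().union(*(days[d] for d in ordered[:baseline_days]))
        for d in ordered[baseline_days:]:
            new_hosts = days[d] - baseline
            if new_hosts:
                alerts.append((page, d, sorted(new_hosts)))
    return alerts


if __name__ == "__main__":
    for page, day, hosts in flag_link_structure_changes(SENSOR_REPORTS):
        print(f"day {day}: {page} newly forces access to {hosts}")
```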