Delta: Automatic identification of unknown web-based infection campaigns

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2013, Pages 109-120

  Borgolte, Kevin ^a   Kruegel, Christopher ^a   Vigna, Giovanni ^a  

^a University of California   (United States)

Author keywords

clustering; computer security; infection campaigns; infection vector identification; malware detection; trend detection; web dynamics; web based malware

Indexed keywords

CLUSTERING; INFECTION CAMPAIGNS; MALWARE DETECTION; TREND DETECTION; WEB DYNAMICS; WEB-BASED MALWARE;

AUTOMATION; COMPUTER CRIME; INTERNET; SECURITY OF DATA; STATIC ANALYSIS;

WEBSITES;

EID: 84889006370     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2508859.2516725     Document Type: Conference Paper

References (42)

1. SOPHOS Security Team, "SOPHOS Security Threat Report 2013," SOPHOS, Tech. Rep., 2013. [Online]. Available: http://goo.gl/YuW65
2. P. Baccas, "Malware injected into legitimate JavaScript code on legitimate websites," Article, 2013. [Online]. Available: http://goo.gl/rDFZ4
3. D. Goodin, "Twitter detects and shuts down password data hack in progress," February 2013. [Online]. Available: http://goo.gl/YwfMd
4. Facebook Security Team, "Protecting People On Facebook, "Article, February 2013. [Online]. Available: http://goo.gl/OUPtk
5. J. Finke and J. Menn, "Exclusive: Apple, Macs hit by hackers who targeted Facebook," Reuters, February 2013. [Online]. Available: http://goo.gl/fzhIo
6. D. Fetterly, M. Manasse, M. Najork, and J. Wiener, "A large-scale study of the evolution of web pages," in Proceedings of the 12th International Conference on World Wide Web, ser. WWW '03. ACM, 2003, pp. 669-678.
7. B. A. Huberman and L. A. Adamic, "Evolutionary Dynamics of the world wide web," Condensed Matter, January 1999.
8. F. Douglis, A. Feldmann, B. Krishnamurthy, and J. Mogul, "Rate of Change and other Metrics: a Live Study of the World Wide Web." in Proceedings of the USENIX Symposium on Internet Technologies and Systems, vol. 119. USENIX Association, 1997.
9. R. Baeza-Yates, C. Castillo, and F. Saint-Jean, "Web Dynamics, Structure, and Page Quality," in Web Dynamics. Springer-Verlag, 2004, pp. 93-109.
10. F. Maggi, W. Robertson, C. Kruegel, and G. Vigna, "Protecting a Moving Target: Addressing Web Application Concept Drift," in Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, ser. RAID '09. Springer-Verlag, 2009, pp. 21-40.
11. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu, "The ghost in the browser analysis of web-based malware," in First Workshop on Hot Topics in Understanding Botnets, ser. HOTBOTS '07. USENIX Association, 2007, pp. 4-4.
12. M. Cova, C. Kruegel, and G. Vigna, "Detection and analysis of drive-by-download attacks and malicious JavaScript code," in Proceedings of the 19th International Conference on World Wide Web, ser. WWW'10. ACM, 2010, pp. 281-290.
13. D. Canali, M. Cova, G. Vigna, and C. Kruegel, "Prophiler: a fast lter for the large-scale detection of malicious web pages," in Proceedings of the 20th International Conference on World Wide Web (WWW '11), ser. WWW '11. ACM, 2011, pp. 197-206.
14. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose, "All your iFRAMEs point to Us," in Proceedings of the 17th USENIX Security Symposium, ser. SEC'08. USENIX Association, 2008, pp. 1-15.
15. P.-M. Bureau, "Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole," April 2013. [Online]. Available: http://goo.gl/g2Vfl
16. D. Cid, "Apache Binary Backdoors on Cpanel-based servers," April 2013. [Online]. Available: http://goo.gl/BXq8Q
17. S. S. Chawathe and H. Garcia-Molina, "Meaningful Change Detection in Structured Data," in Proceedings of the ACM SIGMOD International Conference on Management of Data, ser. MOD'97. ACM, 1997.
18. Y. Wang, D. J. DeWitt, and J.-Y. Cai, "X-Diff: An effective change detection algorithm for XML documents," in Proceedings of the 19th International Conference on Data Engineering, ser. ICDE '03. IEEE, 2003, pp. 519-530.
19. H. W. Kuhn, "The Hungarian method for the assignment problem," Naval Research Logistics Quarterly, vol. 2, no. 1-2, pp. 83-97, 1955.
20. J. Kornblum, "Identifying almost identical files using context triggered piecewise hashing," Digital Investigation, vol. 3, no. 0, pp. 91-97, 2006, the Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS '06).
21. M. A. Jaro, "Advances in Record-Linkage Methodology as Applied to Matching the 1985 Census of Tampa, Florida," Journal of the American Statistical Association, vol. 84, no. 406, pp. 414-420, 1989.
22. A. N. Kolmogorov, "Three approaches to the quantitative definition of information," International Journal of Computer Mathematics, vol. 2, no. 1-4, pp. 157-168, 1968.
23. N. Nikiforakis, L. Invernizzi, A. Kapravelos, S. Van Acker, W. Joosen, C. Kruegel, F. Piessens, and G. Vigna, "You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions," in Proceedings of the 19th ACM Conference on Computer and Communications Security, ser. CCS '12. ACM, 2012.
24. U. Fayyad, G. Piatetsky-Shapiro, P. Smyth et al., "Knowledge Discovery and Data Mining: Towards a Unifying Framework." Knowledge Discovery and Data Mining, vol. 96, pp. 82-88, 1996.
25. U. M. Fayyad, G. Piatetsky-Shapiro, P. Smyth, and R. Uthurusamy, "Advances in knowledge discovery and data mining," 1996.
26. M. Ankerst, M. M. Breunig, H.-P. Kriegel, and J. Sander, "OP-TICS: Ordering Points To Identify the Clustering Structure," in Proceedings of the ACM SIGMOD International Conference on Management of Data, ser. MOD'99. ACM, 1999, pp. 49-60.
27. M. Breunig, H.-P. Kriegel, R. T. Ng, and J. Sander, "OPTICS-OF: Identifying Local Outliers," in Lecture Notes in Computer Science. Springer-Verlag, 1999.
28. L. Invernizzi, P. Milani Comparetti, S. Benvenuti, M. Cova, C. Kruegel, and G. Vigna, "EvilSeed: A Guided Approach to Finding Malicious Web Pages," Security and Privacy (SP), 2012 IEEE Symposium on, vol. 0, pp. 428-442, 2012.
29. P. Ratanaworabhan, B. Livshits, and B. Zorn, "Nozzle: A defense against heap-spraying code injection attacks," in Proceedings of the 18th USENIX Security Symposium, ser. SEC'09. USENIX Association, 2009, pp. 169-186.
30. C. Curtsinger, B. Livshits, B. Zorn, and C. Seifert, "ZOZZLE: fast and precise in-browser JavaScript malware detection," in Proceedings of the 20th USENIX Security Symposium, ser. SEC'11. USENIX Association, 2011, pp. 3-3.
31. C. Seifert, I. Welch, and P. Komisarczuk, "Identification of Malicious Web Pages with Static Heuristics," in Telecommunication Networks and Applications Conference, ser. ATNAC '08, 2008, pp. 91-96.
32. "Discuz!" Retrieved, May 2013. [Online]. Available: http://goo.gl/e8nCD
33. X. Yang, "Report on the success of the Discuz! software," Chinese National Radio Report, August 2010, in Chinese. [Online]. Available: http://goo.gl/beq4O
34. M. Rajab, L. Ballard, N. Jagpal, P. Mavrommatis, D. Nojiri, N. Provos, and L. Schmidt, "Trends in Circumventing Web-Malware Detection," 2011.
35. J. Mason, S. Small, F. Monrose, and G. MacManus, "English shellcode," in Proceedings of the 16th ACM Conference on Computer and Communications Security, ser. CCS '09. ACM, 2009, pp. 524-533.
36. M. Polychronakis, K. Anagnostakis, and E. Markatos, "Network-level polymorphic shellcode detection using emulation," Journal in Computer Virology, vol. 2, pp. 257-274, 2007, 10.1007/s11416-006-0031-z.
37. J. Choi, G. Kim, T. Kim, and S. Kim, "An Efficient Filtering Method for Detecting Malicious Web Pages," in Proceedings of the 13th International Workshop on Information Security Applications, 2012.
38. Y.-T. Hou, Y. Chang, T. Chen, C.-S. Laih, and C.-M. Chen, Malicious web content detection by machine learning," Expert Systems with Applications, vol. 37, no. 1, pp. 55-60, 2010.
39. J. Ma, L. K. Saul, S. Savage, and G. M. Voelker, "Beyond blacklists: learning to detect malicious web sites from suspicious URLs," in Proceedings of the 15th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, ser. KDD '09. ACM, 2009, pp. 1245-1254.
40. B. Eshete, A. Villafiorita, and K. Weldemariam, "Malicious website detection: E ectiveness and efficiency issues," in First SysSec Workshop, ser. SysSec. IEEE, 2011, pp. 123-126.
41. A. Moshchuk, T. Bragin, S. D. Gribble, and H. M. Levy, "A Crawler-based Study of Spyware in the Web," in Network and Distributed System Security Symposium, ser. NDSS '06, 2006.
42. G. Davanzo, E. Medvet, and A. Bartoli, "Anomaly detection techniques for a web defacement monitoring service," Expert Systems with Applications, vol. 38, no. 10, pp. 12 521-12 530, Sep. 2011.