Fast and Precise In-Browser JavaScript Malware Detection

Presentation transcript:

ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection

What is the Problem?
- JavaScript allows authors to run any code when a user visits a web page
- JS-based malware attacks are the majority of successful mass-scale exploitation
- Malware is easy to hide: self-generating code that produces more code to run
- JS serves important functionality for many sites
- In-browser solutions have not been fully accepted because of the performance hit
- Browsers use offline scanning to check URLs, but there are too many sites and malware typically comes and goes frequently

Challenges
- Performance: detection is not fast enough to be used in a browser
- Accuracy: a false positive rate of 5% is acceptable for static analysis tools but is over 100x what is acceptable for in-browser detection
- Obfuscated malware: most JavaScript code is frequently obfuscated, so purely static detection is generally ineffective. Ex. eval and document.write generate code at runtime that is difficult to pattern-match
- Malware transience: offline-only scanning is not effective because web malware "infects fast and dies young". Nearly 20% of malicious URLs were gone after 1 day

- To increase the chances of successful exploitation, multiple exploits often exist within the same page
- Unfolding eval, <iframe> and <script> reveals obfuscated code, but unfolding depth is not a good indicator of maliciousness:
  - Used by JavaScript libraries to save space through client-side code generation
  - Used as weak copy protection to avoid code piracy

Solution: Zozzle
- Performance: AST-based detection is fast and scalable
  - Fast classification: throughput of over 1 MB of JavaScript code per second
- Accuracy: AST-based detection uses hierarchical (context-sensitive) features, more precise than text-based detection
  - Low false positive rate: 0.0003% (< 1 in 1/4 million)
- De-obfuscation: uses the JavaScript engine of a browser to expose obfuscation and get the final, expanded version of the JavaScript code

What Is Zozzle?
A highly precise, mostly static detector for malware written in JavaScript, suitable for in-browser deployment
3 Steps:
1. JavaScript context collection and labeling as benign or malicious
2. Feature extraction and training of a naïve Bayesian classifier
3. Applying the classifier to a new JavaScript context to determine if it is benign or malicious

Zozzle: How It Works
- The JavaScript runtime engine exposes attempts to obscure malware: JS code is unfolded to just before it's executed
- Intercept calls to compile() in the JavaScript engine
  - It's invoked when eval is called and whenever new code is included with an <iframe> or <script> tag
- Observe JS code at each level of its unpacking, just before it's executed by the engine
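The slide above describes hooking compile() inside the engine so that each unpacking level is visible just before it runs. The following is an added illustration, not Zozzle's code: it cannot reach the engine's compile(), so it wraps the global eval from script level instead, which is enough to record every layer of a constructed two-stage sample (SAMPLE, observeUnfolding and unfoldResult are all names invented for this example).

```javascript
// Added example, not Zozzle's code. Zozzle hooks compile() inside the
// JavaScript engine; this stand-in hooks the global eval from script level,
// which is enough to see each unfolding level of a constructed sample.

const realEval = globalThis.eval;

// Run `source` with eval wrapped so that every string handed to eval is
// recorded (with its unfolding depth) just before the engine compiles it.
function observeUnfolding(source) {
  const levels = [];
  let depth = 0;
  globalThis.eval = function hookedEval(code) {
    depth++;
    levels.push({ depth, code: String(code) });
    try {
      return realEval(code);     // indirect eval: runs in global scope
    } finally {
      depth--;
    }
  };
  try {
    realEval(source);            // the outer, not-yet-unfolded page script
  } finally {
    globalThis.eval = realEval;  // always restore the real eval
  }
  return levels;
}

// Constructed sample (not real malware): two nested layers of eval, the
// self-generating code shape the slides describe.
const SAMPLE = `var stage1 = 'eval("globalThis.unfoldResult = 6 * 7")'; eval(stage1);`;

// Prints one line per unfolding level and returns the recorded levels.
function demo() {
  const levels = observeUnfolding(SAMPLE);
  for (const l of levels) console.log(`depth ${l.depth}: ${l.code}`);
  return levels;
}

demo();
```

Running demo() shows depth 1 holding the still-packed stage1 string and depth 2 holding the final code; the classifier is meant to see both, which is why the hook records before calling the real eval rather than after. A real deployment would also cover document.write, new Function and injected script tags, which this script-level hook does not.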

How It Works cont.
- A static classifier, trained with a context-sensitive AST (abstract syntax tree) and a collection of labeled malware samples, analyzes the JS
- The Nozzle runtime detector dynamically crawls millions of URLs and collects sample malware by observing the behavior of running JS code
  - Tries to avoid transience and cloaking by scanning a wide range of URLs
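The three steps listed under "What Is Zozzle?" and the context-sensitive classifier described above, as an added worked example that is not Zozzle's code: Zozzle reads (context, text) features off the engine's real AST, whereas this stand-in approximates the AST with a tokenizer that tracks the nearest enclosing function, loop or try block, trains a naïve Bayes classifier on a small constructed set of benign and malicious-looking snippets, and reports which features drove each decision. The training snippets, the feature format "context:text" and the function names are all assumptions of this example.

```javascript
// Added example, not Zozzle's code. Approximates Zozzle's AST features with a
// tokenizer that tracks the enclosing context, then trains naive Bayes.

const CONTEXT_KEYWORDS = new Set(["function", "for", "while", "do", "if", "else", "try"]);
// Tokens we keep: string literals, identifiers/keywords, and braces.
const TOKEN_RE = /"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'|[A-Za-z_$][\w$]*|[{}]/g;

// Returns a Set of "context:text" features, e.g. "while:unescape".
function extractFeatures(source) {
  const features = new Set();
  const stack = [];     // open contexts: { ctx, depth }
  let depth = 0;        // current brace depth
  let pending = null;   // context keyword waiting for its "{"
  for (const [tok] of source.matchAll(TOKEN_RE)) {
    if (tok === "{") {
      depth++;
      if (pending) { stack.push({ ctx: pending, depth }); pending = null; }
    } else if (tok === "}") {
      if (stack.length && stack[stack.length - 1].depth === depth) stack.pop();
      depth--;
    } else if (CONTEXT_KEYWORDS.has(tok)) {
      pending = tok;
    } else {
      const ctx = stack.length ? stack[stack.length - 1].ctx : "global";
      const text = /^["']/.test(tok) ? "string:" + tok.slice(1, -1) : tok;
      features.add(`${ctx}:${text}`);
    }
  }
  return features;
}

// Train: count, per class, how many samples contain each feature.
function train(samples) {
  const model = { docs: { benign: 0, malicious: 0 },
                  counts: { benign: new Map(), malicious: new Map() } };
  for (const { code, label } of samples) {
    model.docs[label]++;
    const m = model.counts[label];
    for (const f of extractFeatures(code)) m.set(f, (m.get(f) || 0) + 1);
  }
  return model;
}

// Classify: log prior plus, for each known feature present in the code,
// log P(f|malicious) / P(f|benign) with Laplace smoothing. Score > 0 means
// malicious; `evidence` lists the features that drove the decision.
function classify(model, code) {
  const { docs, counts } = model;
  let score = Math.log(docs.malicious / docs.benign);
  const evidence = [];
  for (const f of extractFeatures(code)) {
    if (!counts.malicious.has(f) && !counts.benign.has(f)) continue;
    const pM = ((counts.malicious.get(f) || 0) + 1) / (docs.malicious + 2);
    const pB = ((counts.benign.get(f) || 0) + 1) / (docs.benign + 2);
    const w = Math.log(pM / pB);
    score += w;
    evidence.push([f, w]);
  }
  evidence.sort((a, b) => Math.abs(b[1]) - Math.abs(a[1]));
  return { score, evidence };
}

// Constructed training set (not real samples): benign DOM code versus
// snippets that decode a string inside a loop or try block and hand it to eval.
const TRAINING = [
  { label: "benign", code: `function render(list) { for (var i = 0; i < list.length; i++) { document.write("<li>" + list[i]); } }` },
  { label: "benign", code: `var total = 0; for (var k in prices) { total += prices[k]; } document.getElementById("sum").innerText = total;` },
  { label: "benign", code: `try { var cfg = JSON.parse(text); } catch (e) { console.log("bad json"); }` },
  { label: "malicious", code: `function go() { var p = unescape(payload); while (p.length < limit) { p += p; } eval(p); }` },
  { label: "malicious", code: `try { var d = unescape(blob); } catch (err) { } function run() { eval(d); }` },
  { label: "malicious", code: `var buf = unescape(seed); for (var j = 0; j < count; j++) { buf += unescape(seed); } eval(buf);` },
];
const MODEL = train(TRAINING);

// Classify one unseen snippet and print the verdict with its evidence.
function report(code) {
  const { score, evidence } = classify(MODEL, code);
  console.log(score > 0 ? "malicious" : "benign", score.toFixed(3), evidence.slice(0, 3));
  return score;
}

report(`function load() { var x = unescape(data); while (x.length < n) { x += x; } eval(x); }`);
report(`function show(rows) { for (var r = 0; r < rows.length; r++) { document.write("<tr>" + rows[r]); } }`);
```

The context is what makes the feature hierarchical: "function:eval" and "for:document" carry weight here, while the same identifiers at global scope are different features. Unknown features are ignored rather than smoothed in, so a novel script is judged only on vocabulary seen in training; Zozzle's real pipeline also prunes the feature set before training, which this example skips.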

Benign vs. Malicious Samples