Presentation is loading. Please wait.

Presentation is loading. Please wait.

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

Published byEustace Conley Modified over 9 years ago

Similar presentations

Presentation on theme: "JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***"— Presentation transcript:

1 JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge*** * Columbia University ** Northwestern University *** Tsinghua University

2 Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 2/24

3 Introduction and Background Drive-by download Attack – Unintended download of malicious computer software from the Internet, which is usually due to a browser vulnerability, such as buffer and heap overflow. Approximately 1.3% of the incoming search queries (millions per day) to Google returned at least one URL with a drive-by download attack. 3/24

4 4/24

5 Overview A reactive vulnerability-based approach to match malicious JavaScript samples targeting drive-by download attacks. JShield (> 4,000 additional lines of code integrated into WebKit) has been adopted by Huawei, the world’s largest telecommunication equipment maker. I spent two months at Huawei in 2012 and 2013 respectively to help them test JShield with millions of real-world samples. JShield is filed under a U.S. patent (14/207,665). 5/24

6 Deployment Server Side – The Web Application Firewalls (WAF) or Web IDS/IPS – Web malware scanning services Client Side – Part of Anti-virus Software 6/24

7 Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 7/24

8 Motivation Attackers will change existing malicious JavaScript code to evade detection, called sample pollution: – Embedded inside DOM events, such as mouse moves. – Injected and interleaved with benign JavaScript code. 8/24

9 Motivation Cont’d 9/24 Anti-virus SoftwareOriginal SamplesPolluted Samples Avira Antivirus Premium 201398.00% (1176/1200)0.58% (7/1200) AVG Internet Security 201389.33% (1072/1200)3.58% (43/1200) Kaspersky Internet Security 2012 92.41% (1109/1200)2.00% (24/1200) Norton Internet Security 2013 20.67% (248/1200)0.08% (1/1200) Trend Micro Titanium Internet Security 2013 87.58% (1051/1200)2.00% (24/1200) Top Vendors in Industry:

10 Motivation Cont’d 10/24 Original SamplesPolluted Samples True Positive93.1%36.7% False Positive0.5% Detection Rate of Zozzle [1] State-of-the-art Research Work: [1] Curtsinger, Charlie, Benjamin Livshits, Benjamin G. Zorn, and Christian Seifert. "ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection." In USENIX Security Symposium, pp. 33-48. 2011.

11 Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 11/24

12 Solution Space 12/24 Turing Machine Signature Accuracy High Low High JShield Signature Ideal Signature Speed Symbolic Constraint Signature Regular Expression

13 System Architecture 13/24

14 Opcode Signature Example 14/24 SignatureSentenceClause

15 Example 15/24 var obj = new Object(); obj.__proto__.__defineGetter__("a", function () { this.__proto__ = null; return 0; }); obj.a; Exploit: Outputted Opcodes:

16 Matching Process 16/24 State 1State 2State 3 Opcodes of the exploit: Signature to be matched:

17 Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 17/24

18 Evaluation Vulnerability Coverage Rate Robust to Sample Pollution Performance 18/24

19 Evaluation Vulnerability Coverage 19/24 Vulnerability Position BrowserShieldSong et al.JShield JS Engine3/220/2222/22 PDF JS Engine4/180/1818/18 Plug-in20/2121/21 Reis et al., Browsershield: vulnerability-driven filtering of dynamic html. In OSDI (2006). Song et al., preventing drive-by download via inter-module communication monitoring. In ASIACCS (2010).

20 Evaluation Accuracy Original SamplesPolluted Samples TP for Web Pages100% FP for Web Pages0% 20/24 Anti-virus SoftwareOriginal SamplesPolluted Samples Avira Antivirus Premium 201398.00% (1176/1200)0.58% (7/1200) AVG Internet Security 201389.33% (1072/1200)3.58% (43/1200) Kaspersky Internet Security 2012 92.41% (1109/1200)2.00% (24/1200) Norton Internet Security 2013 20.67% (248/1200)0.08% (1/1200) Trend Micro Titanium Internet Security 2013 87.58% (1051/1200)2.00% (24/1200) ZozzleOriginal SamplesPolluted Samples True Positive93.1%36.7% False Positive0.5%

21 Evaluation Performance 21/24

22 Outline Introduction, Background and Overview Motivation Design Evaluation Conclusion 22/24

23 Conclusion In this talk, I presented JShield, a vulnerability based detection engine of drive-by download attacks. JShield represents the semantics of each vulnerability and is robust to sample pollution. In evaluation, we show that JShield incurs affordable overhead. 23/24

24 Thank you! Questions? yzcao@cs.columbia.edu http://www.yinzhicao.org 24/24

Download ppt "JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***"

Similar presentations

Rozzle De-Cloaking Internet Malware Presenter: Yinzhi Cao Slides by Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft.

Rozzle De-Cloaking Internet Malware Presenter: Yinzhi Cao Slides by Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Nick Guo, Ulysses Wang JavaScript De-Obfuscation Engine -- JDOE.

Nick Guo, Ulysses Wang JavaScript De-Obfuscation Engine -- JDOE.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
BrowserShield: Vulnerability- Driven Filtering of Dynamic HTML  CHARLES REIS University of Washington  JOHN DUNAGAN, HELEN J. WANG, and OPHER DUBROVSKY.

BrowserShield: Vulnerability- Driven Filtering of Dynamic HTML  CHARLES REIS University of Washington  JOHN DUNAGAN, HELEN J. WANG, and OPHER DUBROVSKY.
PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.

PathCutter: Severing the Self- Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao §, Vinod Yegneswaran †, Phillip Porras †, and.
Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.

Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.
Fast and Precise In-Browser JavaScript Malware Detection

Fast and Precise In-Browser JavaScript Malware Detection
AVG 8.5 Product Line Welcome to a safe world …. | Page 2 Contents  Components Overview  Product Line Overview  AVG 8.0 Boxes.

AVG 8.5 Product Line Welcome to a safe world …. | Page 2 Contents  Components Overview  Product Line Overview  AVG 8.0 Boxes.
A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.

A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.

Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.

An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.

Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Similar presentations

Ads by Google