Presentation is loading. Please wait.

Presentation is loading. Please wait.

2011/11/1 1 Long Lu, Wenke Lee College of Computing Georgia Inst. of Technology Roberto Perdisci Dept. of Computer Science University of Georgia.

Published byConrad Carpenter Modified over 9 years ago

Similar presentations

Presentation on theme: "2011/11/1 1 Long Lu, Wenke Lee College of Computing Georgia Inst. of Technology Roberto Perdisci Dept. of Computer Science University of Georgia."— Presentation transcript:

1 2011/11/1 YLJ@adlab 1 Long Lu, Wenke Lee College of Computing Georgia Inst. of Technology Roberto Perdisci Dept. of Computer Science University of Georgia ACM CCS 2010

2 Agenda  Introduction  SURF  Search Engine  Search Poisoning  SURF Implementation & Evaluation  Discussion  Empirical Measurements  Related Work  Conclusion 2011/11/1 YLJ@adlab 2

3 Introduction  Blackhat SEO Blackhat SEO  Search inflating  Search poisoning  SURF : detection system  Generality  Robustness  Wide deployability 2011/11/1 YLJ@adlab 3

4 SURF (Search User Redirection Finder)  Run as a browser component(plugin) 2011/11/1 YLJ@adlab 4

5 SURF  Report an in-depth study to motivate and inspire countermeasures against this increasing threat.  Be able to detect search poisoning with a 99.1% true positive rate at a 0.9% false positive rate  Provides insight into its fast growing trends. 2011/11/1 YLJ@adlab 5

6 Search Engine  Search engines typically employ crawlers to discover newly created or updated webpages  Two advantages for abusers  Search engines trust the content on the webpages  a web server can easily distinguish between search crawlers and human visitors 2011/11/1 YLJ@adlab 6

7 Search Poisoning  Preliminary study aimed to discover a set of robust features that can be leveraged for detection purposes  Ubiquitous use of cross-site redirections  Search poisoning as a service Search poisoning as a service  Sophisticated poisoning and evasion tricks  Persistence under transient appearances Persistence under transient appearances  Various malicious applications Various malicious applications 2011/11/1 YLJ@adlab 7

8 Search Poisoning  Detection features 2011/11/1 YLJ@adlab 8

9 SURF Implementation  As a plugin on IE8  “mshtml.dll” for HTML parsing  Listening for event notification  Peek into browser data  Emulating simple user interactions  Use BLADE to protect from drive-by download malwareBLADE 2011/11/1 YLJ@adlab 9

10 SURF Evaluation  Three different experiments  Estimate SURF’s accuracyaccuracy  Attempts to show that SURF is able to detect generic search poisoning cases  Show what features are the most important for classification  IP-to-name ratio  redirection consistency & landing to terminal distance  2011/11/1 YLJ@adlab 10

11 Discussion  During feature selection process, we discarded a few candidate features that may help the classification accuracy but are not robust(15 → 9)  Detecting search poisoning cases can reveal information about compromised websites and botnet organizations.  Single client side-share information 2011/11/1 YLJ@adlab 11

12 Empirical Measurements  Micro Measurements 2011/11/1 YLJ@adlab 12

13 Empirical Measurements  Macro Measurements 2011/11/1 YLJ@adlab 13

14 Empirical Measurements 2011/11/1 YLJ@adlab 14 Poor Japan earthquake Super Bowl

15 Empirical Measurements 2011/11/1 YLJ@adlab 15

16 Related Work  Blackhat SEO countermeasures  Most detection methods work at the search engine level  Malicious webpage detection 2011/11/1 YLJ@adlab 16

17 Conclusion  SURF : a novel detection system that runs as a browser component  Detect malicious search user redirections resulted from user clicking on poisoned search results  Robust features that is hard to evade  Detection rate of 99.1% at a false positive rate of 0.9% 2011/11/1 YLJ@adlab 17

18 Thanks for your listening 2011/11/1 YLJ@adlab 18

19 2011/11/1 YLJ@adlab 19 Dynamically dispatch

20 D: drive-by-download F: fake AV P: rogue pharmacy Na: randomly legitimate search redirection cases 2011/11/1 YLJ@adlab 20

Download ppt "2011/11/1 1 Long Lu, Wenke Lee College of Computing Georgia Inst. of Technology Roberto Perdisci Dept. of Computer Science University of Georgia."

Similar presentations

TUF: Securing Software Update Systems on GENI Justin Cappos Department of Computer Science and Engineering University of Washington.

TUF: Securing Software Update Systems on GENI Justin Cappos Department of Computer Science and Engineering University of Washington.
PhishZoo: Detecting Phishing Websites By Looking at Them

PhishZoo: Detecting Phishing Websites By Looking at Them
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections, L. Lu et al. BLADE: An Attack-Agnostic Approach for Preventing Drive-By.

BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections, L. Lu et al. BLADE: An Attack-Agnostic Approach for Preventing Drive-By.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Clickjacking Attacks and Defenses.

Clickjacking Attacks and Defenses.
Understanding and Detecting Malicious Web Advertising

Understanding and Detecting Malicious Web Advertising
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.

A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.
PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,

PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,
Cloak and Dagger. In a nutshell… Cloaking Cloaking in search engines Search engines’ response to cloaking Lifetime of cloaked search results Cloaked pages.

Cloak and Dagger. In a nutshell… Cloaking Cloaking in search engines Search engines’ response to cloaking Lifetime of cloaked search results Cloaked pages.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Web Based Attacks SymantecDefense Fantastic Four Casey Ford Mike Lombardo Ragnar Olson Maninder Singh.

Web Based Attacks SymantecDefense Fantastic Four Casey Ford Mike Lombardo Ragnar Olson Maninder Singh.
Fall 2007cs4251 Distributed Computing Umar Kalim Dept. of Communication Systems Engineering 31/10/2007.

Fall 2007cs4251 Distributed Computing Umar Kalim Dept. of Communication Systems Engineering 31/10/2007.
Web Page Behavior IS 373—Web Standards Todd Will.

Web Page Behavior IS 373—Web Standards Todd Will.
14 1 Chapter 14 Database Connectivity and Web Development Database Systems: Design, Implementation, and Management, Seventh Edition, Rob and Coronel.

14 1 Chapter 14 Database Connectivity and Web Development Database Systems: Design, Implementation, and Management, Seventh Edition, Rob and Coronel.
Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.

Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.
What is adaptive web technology?  There is an increasingly large demand for software systems which are able to operate effectively in dynamic environments.

What is adaptive web technology?  There is an increasingly large demand for software systems which are able to operate effectively in dynamic environments.
WEB SCIENCE: SEARCHING THE WEB. Basic Terms Search engine Software that finds information on the Internet or World Wide Web Web crawler An automated program.

WEB SCIENCE: SEARCHING THE WEB. Basic Terms Search engine Software that finds information on the Internet or World Wide Web Web crawler An automated program.

Similar presentations

Ads by Google