1 Trends in Circumventing Web-Malware Detection
Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt
Presented by Li Xu, UTSA

2 Detecting Malicious Web Sites
Which URLs are safe for end users? For a given URL (Uniform Resource Locator): safe URL? Web exploit? Spam-advertised site? Phishing site?
Example URLs:
http://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll
http://fblight.com
http://mail.ru
http://www.sigkdd.org/kdd2009/index.html
This slide is adapted from Justin Ma's slides.

3 Problem in a Nutshell
Different classes of URLs: benign, spam, phishing, exploits, scams... For now, distinguish benign vs. malicious, e.g. facebook.com vs. fblight.com.
This slide is adapted from Justin Ma's slides.

4 State of the Practice
Current approaches:
–Virtual machine honeypots.
–Browser emulation.
–Reputation-based detection.
–Signature-based detection.
Arms race: how do adversaries respond, and what techniques have been used to bypass detection?

5 Google System (figure)

6 Data Collection
Data Set I is the data generated by the operational pipeline, i.e., the output of PageScorer. It was generated by processing ∼1.6 billion distinct web pages collected between December 1, 2006 and April 1, 2011.
Data Set II is a sample of Data Set I: the pages flagged as suspicious, plus 1% of the other "non-suspicious" pages sampled uniformly at random from the same time period. The original HTTP responses were re-scored with a fixed version of PageScorer.


8 Attacks on client honeypots (figure)

9 Exploits encountered on the web (figure)

10 JavaScript function calls (figure)

11 DOM functions (figure)

12 Malware distribution chain length (figure)

13 Cloaking sites, and comparison of the two methods (figure)

14 Comparison of the two methods (figure)


16 Summary
–Social engineering is growing and poses challenges to VM-based honeypots.
–JavaScript obfuscation that interacts heavily with the DOM can be used to evade both browser emulators and AV engines.
–AV engines also suffer significantly from both false positives and false negatives.
–Finally, there is a rise in IP cloaking to thwart content-based detection schemes.
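The following is an added example, not code from the paper, the slides, or any site the study measured. It sketches the evasion that slide 4's signature-based and browser-emulation approaches struggle with and that the summary names: a payload decoder whose key lives only in the DOM, so a raw-content signature scan never sees the decoded string and an emulator that stubs out `getElementById`/`getAttribute` cannot decode it either. The element id `k`, the attribute `data-k`, the key, the harmless `alert('demo')` payload, and the three `document` stand-ins are all constructed for the demonstration; nothing is executed.

```javascript
// Added example (not from the paper or the slides): DOM-dependent obfuscation
// next to the naive signature check it defeats. Key, element id, attribute
// name and payload are made up; the decoded payload is never run.

// XOR a string against a repeating key and return lowercase hex.
function xorEncodeHex(text, key) {
  let hex = "";
  for (let i = 0; i < text.length; i++) {
    const b = text.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    hex += b.toString(16).padStart(2, "0");
  }
  return hex;
}

// Inverse of xorEncodeHex.
function xorDecode(hex, key) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    const b = parseInt(hex.slice(i, i + 2), 16) ^ key.charCodeAt((i / 2) % key.length);
    out += String.fromCharCode(b);
  }
  return out;
}

// What the attacker serves (constructed layout): the key never appears inside
// the <script>; it is stashed in an attribute on an unrelated element, so the
// script text alone carries only a hex blob and DOM calls.
function buildStageOnePage(key, encodedHex) {
  return `<html><body>
<div id="k" data-k="${key}"></div>
<script>
var e = "${encodedHex}";
var n = document.getElementById("k");
var k = n.getAttribute("data-k");
var s = "";
for (var i = 0; i < e.length; i += 2) {
  s += String.fromCharCode(parseInt(e.substr(i, 2), 16) ^ k.charCodeAt((i / 2) % k.length));
}
eval(s);
</script></body></html>`;
}

// The decoder as an analysis engine would have to execute it. `doc` stands in
// for `document`; it must provide working getElementById and getAttribute.
// Returns null when the DOM does not expose what the decoder needs.
function decodePayload(doc, encodedHex) {
  const node = doc.getElementById("k");
  if (!node) return null;                                        // element not built
  const key = node.getAttribute("data-k");
  if (typeof key !== "string" || key.length === 0) return null;  // attribute not modelled
  return xorDecode(encodedHex, key);
}

// Naive static signature check of the kind applied to raw page content.
function staticSignatureMatch(content, signature) {
  return content.includes(signature);
}

// Offline stand-ins for `document` (constructed, not a real DOM):
// fullDom    - browser-like: exposes the element and its attribute.
// partialDom - emulator that builds elements but does not model attributes.
// emptyDom   - emulator with no element lookup at all.
function fullDom(key) {
  return {
    getElementById: id =>
      id === "k" ? { getAttribute: a => (a === "data-k" ? key : null) } : null,
  };
}
function partialDom() {
  return { getElementById: id => (id === "k" ? { getAttribute: () => null } : null) };
}
function emptyDom() {
  return { getElementById: () => null };
}
```

Run the three stand-ins against the same encoded blob: only `fullDom` recovers the payload, and only after that recovery does a signature such as `alert(` match. The raw stage-one page carries no such string, which is the false-negative path the summary attributes to heavy DOM interaction; an emulator that does not faithfully implement the DOM calls the decoder uses lands in the same place as the static scanner.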

17 Granularity
As the analysis is based on sites rather than individual web pages, the average value is computed for sites on which multiple web pages are encountered in a given month.

18 Thank You
Li Xu, UTSA

