Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections

Li, Zhou; Alrwais, Sumayah; Alowaisheq, Eihal

doi:10.1109/sp.2014.8

Cited by 28 publications

(23 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Methods of detecting website compromises that compare original web content to compromised web content have been proposed [12], [13]. Furthermore, TripWire [14], widely known as a compromise detection tool, can detect file operations, such as modification and deletion, by monitoring files on a web server.…”

Section: Problems With Conventional Methods For Compromised Website Rmentioning

confidence: 99%

“…For example, a comparison method [12] using HTML files as original content and a comparison method [13] using well known libraries and frameworks of JavaScript as original content have been proposed. Moreover, TripWire [14] can notify webmasters of changes on websites by e-mail when file operations are detected on a web server on which TripWire is installed.…”

Section: Detecting Compromised Websitesmentioning

confidence: 99%

See 1 more Smart Citation

Fine-Grained Analysis of Compromised Websites with Redirection Graphs and JavaScript Traces

Takata

Akiyama²,

Yagi³

et al. 2017

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYAn incident response organization such as a CSIRT contributes to preventing the spread of malware infection by analyzing compromised websites and sending abuse reports with detected URLs to webmasters. However, these abuse reports with only URLs are not sufficient to clean up the websites. In addition, it is difficult to analyze malicious websites across different client environments because these websites change behavior depending on a client environment. To expedite compromised website clean-up, it is important to provide fine-grained information such as malicious URL relations, the precise position of compromised web content, and the target range of client environments. In this paper, we propose a new method of constructing a redirection graph with context, such as which web content redirects to malicious websites. The proposed method analyzes a website in a multi-client environment to identify which client environment is exposed to threats. We evaluated our system using crawling datasets of approximately 2,000 compromised websites. The result shows that our system successfully identified malicious URL relations and compromised web content, and the number of URLs and the amount of web content to be analyzed were sufficient for incident responders by 15.0% and 0.8%, respectively. Furthermore, it can also identify the target range of client environments in 30.4% of websites and a vulnerability that has been used in malicious websites by leveraging target information. This finegrained analysis by our system would contribute to improving the daily work of incident responders.

show abstract

Section: Problems With Conventional Methods For Compromised Website Rmentioning

confidence: 99%

Section: Detecting Compromised Websitesmentioning

confidence: 99%

Fine-Grained Analysis of Compromised Websites with Redirection Graphs and JavaScript Traces

Takata

Akiyama²,

Yagi³

et al. 2017

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…Some common applications include detecting malicious websites [44], [48], automatically neutralizing malicious JavaScript code [18], [20], [28], [36], and filtering anomalies in more general data types that, in today's world, are usually acquire from the web [37], [38].…”

Section: Related Workmentioning

confidence: 99%

“…With respect to collecting representative samples from the web, while we are not aware of any work that samples directly from the PageRank distribution, several works on anomaly detection have employed crawl based methods for collecting data [20], [37], [36], [48]. It has been recognized that simply drawing webpages from a known list (i.e.…”

Section: Related Workmentioning

confidence: 99%

“…Fortuna focuses specifically on anomaly detection systems that handle data from browsing the Internet. This class of systems is very well studied and includes, for example, anomaly detectors that filter potentially anomalous video, images, and JavaScript files [18], [20], [28], [36], [38] or seek to filter entire malicious webpages [44], [47], [48]. Nevertheless, our approach is broad and we provide a general framework for building analysis systems for other classes of anomaly detectors.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Principled Sampling for Anomaly Detection

Juba

Musco

Long

et al. 2015

Proceedings 2015 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-Anomaly detection plays an important role in protecting computer systems from unforeseen attack by automatically recognizing and filter atypical inputs. However, it can be difficult to balance the sensitivity of a detector -an aggressive system can filter too many benign inputs while a conservative system can fail to catch anomalies. Accordingly, it is important to rigorously test anomaly detectors to evaluate potential error rates before deployment. However, principled systems for doing so have not been studied -testing is typically ad hoc, making it difficult to reproduce results or formally compare detectors.To address this issue we present a technique and implemented system, Fortuna, for obtaining probabilistic bounds on false positive rates for anomaly detectors that process Internet data. Using a probability distribution based on PageRank and an efficient algorithm to draw samples from the distribution, Fortuna computes an estimated false positive rate and a probabilistic bound on the estimate's accuracy. By drawing test samples from a well defined distribution that correlates well with data seen in practice, Fortuna improves on ad hoc methods for estimating false positive rate, giving bounds that are reproducible, comparable across different anomaly detectors, and theoretically sound.Experimental evaluations of three anomaly detectors (SIFT, SOAP, and JSAND) show that Fortuna is efficient enough to use in practice -it can sample enough inputs to obtain tight false positive rate bounds in less than 10 hours for all three detectors. These results indicate that Fortuna can, in practice, help place anomaly detection on a stronger theoretical foundation and help practitioners better understand the behavior and consequences of the anomaly detectors that they deploy.As part of our work, we obtain a theoretical result that may be of independent interest: We give a simple analysis of the convergence rate of the random surfer process defining PageRank that guarantees the same rate as the standard, second-eigenvalue analysis, but does not rely on any assumptions about the link structure of the web.

show abstract