Investigating Web Defacement Campaigns at Large

Maggi, Federico; Balduzzi, Marco; Flores, Ryan; Gu, Lion; Ciancaglini, Vincenzo

doi:10.1145/3196494.3196542

Cited by 20 publications

(19 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This may allow for some useful counteraction, such as raising an alarm, blocking malicious content, or simply switching to higher protection thresholds and more verbose logs. For examples and surveys of applications, see [11][12][13][14][15][16][17][18].…”

Section: Definition and Frameworkmentioning

confidence: 99%

“…Applications of keyed learning fall within the scope of exploratory adversarial learning [2]. This context is generally appropriate for anomaly detection, which comprises several application domains, including intrusion detection [3,5,6,14,25,33,34], attack and malware analysis [7,16,[35][36][37], defacement response [8,17,38,39], Web promotional infection detection [40], and biometric and continuous user authentication [11,18].…”

Section: Applicationsmentioning

confidence: 99%

See 1 more Smart Citation

Keyed learning: An adversarial learning framework—formalization, challenges, and anomaly detection applications

Bergadano

2019

ETRI Journal

View full text Add to dashboard Cite

We propose a general framework for keyed learning, where a secret key is used as an additional input of an adversarial learning system. We also define models and formal challenges for an adversary who knows the learning algorithm and its input data but has no access to the key value. This adversarial learning framework is subsequently applied to a more specific context of anomaly detection, where the secret key finds additional practical uses and guides the entire learning and alarm‐generating procedure.

show abstract

Section: Definition and Frameworkmentioning

confidence: 99%

Section: Applicationsmentioning

confidence: 99%

Keyed learning: An adversarial learning framework—formalization, challenges, and anomaly detection applications

Bergadano

2019

ETRI Journal

View full text Add to dashboard Cite

show abstract

“…Related work has extensively studied how and why attackers compromise websites through the exploitation of software vulnerabilities [16,18], misconfigurations [23], inclusion of third-party scripts [48], and advertisements [75]. Traditionally, the attackers' goals ranged from website defacements [17,42], over enlisting the website's visitors into distributed denial-of-service (DDoS) attacks [53], to the installation of exploit kits for drive-by download attacks [30,55,56], which infect visitors with malicious executables. In comparison, the abuse of the visitors' resources for cryptomining is a relatively new trend.…”

Section: Related Workmentioning

confidence: 99%

MineSweeper

Konoth

Vineti

Moonsamy

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

100

View full text Add to dashboard Cite

A wave of alternative coins that can be effectively mined without specialized hardware, and a surge in cryptocurrencies' market value has led to the development of cryptocurrency mining (cryptomining) services, such as Coinhive, which can be easily integrated into websites to monetize the computational power of their visitors. While legitimate website operators are exploring these services as an alternative to advertisements, they have also drawn the attention of cybercriminals: drive-by mining (also known as cryptojacking) is a new web-based attack, in which an infected website secretly executes JavaScript code and/or a WebAssembly module in the user's browser to mine cryptocurrencies without her consent. In this paper, we perform a comprehensive analysis on Alexa's Top 1 Million websites to shed light on the prevalence and profitability of this attack. We study the websites affected by drive-by mining to understand the techniques being used to evade detection, and the latest web technologies being exploited to efficiently mine cryptocurrency. As a result of our study, which covers 28 Coinhive-like services that are widely being used by drive-by mining websites, we identified 20 active cryptomining campaigns. Motivated by our findings, we investigate possible countermeasures against this type of attack. We discuss how current blacklisting approaches and heuristics based on CPU usage are insufficient, and present MineSweeper, a novel detection technique that is based on the intrinsic characteristics of cryptomining code, and, thus, is resilient to obfuscation. Our approach could be integrated into browsers to warn users about silent cryptomining when visiting websites that do not ask for their consent. CCS CONCEPTS • Security and privacy → Browser security; Malware and its mitigation; • Social and professional topics → Computer crime;

show abstract

“…Defacement detection can be addressed as an anomaly detection problem: defaced Web content can be labeled as anomalous, based on a classifier that is learned from previously available examples [1,2,5,17]. However, this is not normally sufficient, because an adversary may observe the alarm-raising behaviour of the anomaly detector, and try to find wanted defacements that will escape detection.…”

Section: Introductionmentioning

confidence: 99%

Defacement Detection with Passive Adversaries

Bergadano

Carretto²,

Cogno³

et al. 2019

Algorithms

View full text Add to dashboard Cite

A novel approach to defacement detection is proposed in this paper, addressing explicitly the possible presence of a passive adversary. Defacement detection is an important security measure for Web Sites and Applications, aimed at avoiding unwanted modifications that would result in significant reputational damage. As in many other anomaly detection contexts, the algorithm used to identify possible defacements is obtained via an Adversarial Machine Learning process. We consider an exploratory setting, where the adversary can observe the detector's alarm-generating behaviour, with the purpose of devising and injecting defacements that will pass undetected. It is then necessary to make to learning process unpredictable, so that the adversary will be unable to replicate it and predict the classifier's behaviour. We achieve this goal by introducing a secret key-a key that our adversary does not know. The key will influence the learning process in a number of different ways, that are precisely defined in this paper. This includes the subset of examples and features that are actually used, the time of learning and testing, as well as the learning algorithm's hyper-parameters. This learning methodology is successfully applied in this context, by using the system with both real and artificially modified Web sites. A year-long experimentation is also described, referred to the monitoring of the new Web Site of a major manufacturing company.

show abstract

Investigating Web Defacement Campaigns at Large

Cited by 20 publications

References 4 publications

Keyed learning: An adversarial learning framework—formalization, challenges, and anomaly detection applications

Keyed learning: An adversarial learning framework—formalization, challenges, and anomaly detection applications

MineSweeper

Defacement Detection with Passive Adversaries

Contact Info

Product

Resources

About