You've Changed: Detecting Malicious Browser Extensions through their Update Deltas

Pantelaios, Nikolaos; Nikiforakis, Nick; Kapravelos, Alexandros

doi:10.1145/3372297.3423343

Cited by 21 publications

(12 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers have gathered evidence of online services data collection behaviors via longitudinal measurements across various platforms [34,17,1,42,31,48,44,30]. Analysis of mobile apps showed sensitive data, including PII [44], is collected and shared with third parties without user consent [31].…”

Section: Background and Related Workmentioning

confidence: 99%

Longitudinal Analysis of Privacy Labels in the Apple App Store

G.¹,

Ali²,

Wu³

et al. 2022

Preprint

View full text Add to dashboard Cite

In December of 2020, Apple started to require app developers to annotate their apps with privacy labels that indicate what data is collected and how it is used. We collected and analyzed 36 weekly snapshots of 1.6 million apps between July 15, 2021 and March 17, 2022 to better understand the privacy label ecosystem, the categories and types of data collected, and the purposes that developers used to justify that collection. Nearly two years after privacy labels launched, only 60.5% of apps have privacy labels, increasing by an average of 0.5% per week, mostly driven by new apps rather than older apps coming into compliance. Of apps with labels, 17.3% collect data used to track users, 37.6% collect data that is linked to a user identity, and 41.9% collect data that is not linked. Only 42.1% of apps with labels indicate that they do not collect any data. We find that because many apps indicate that they do not collect any data, even apps that would seem likely to collect or link data, trusting the veracity of privacy labels is still an open question.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Longitudinal Analysis of Privacy Labels in the Apple App Store

G.¹,

Ali²,

Wu³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Next, security patches were identified so the code before and after patching could be collected, which generated an abstract vulnerability and corresponding patch signature. Compared to the sensor data collection method in Pantelaios et al (2020), approved collaborators produced the data instead of the public that is nonapproved and is not likely to have significant quality fluctuations.…”

Section: Literature Reviewmentioning

confidence: 99%

“…This could decrease the performance of trained models over time or allow models to detect only a specific type of malicious behavior. The work of (Hara & Shiomoto, 2020) showed that a small percentage of traditional labeled data gave comparable accuracy to those adversarial generated (Hara & Shiomoto, 2020). This could indicate the labeled data follows a distribution, leading to the model becoming vulnerable to adversarial attacks. Live data collection is used to collect up‐to‐date observations over time to curate a suitable dataset to evaluate longitudinal performance, which would otherwise not be possible with traditional datasets (Ah‐Fat et al, 2020; Lin & Liu, 2021; Oest et al, 2020; Pantelaios et al, 2020; Rendall et al, 2020). This can prevent outdated trends from becoming used in training and demonstrate long‐term performance, which is crucial for real‐world deployment. The conduction of attack campaigns and data capture allowed the evaluation of throughput and computational resources, such as memory and CPU consumption (P. Gao et al, 2018; X. Han et al, 2020).…”

Section: Literature Reviewmentioning

confidence: 99%

Toward situational awareness in threat detection. A survey

Rendall

Mylonas

Vidalis

2021

WIREs Forensic Science

View full text Add to dashboard Cite

The pervasiveness of the Internet did not come without security risk. The current threat landscape is characterized by the rise of sophisticated cyber attacks, which target user devices and corporate infrastructure. To tackle the risk of compromise, data-driven detection strategies have become increasingly mainstream. The relevant literature includes many works that leverage opensource datasets, supervised learning or, less commonly, unsupervised learning. However, advanced network attacks' spatial and temporal characteristics prove standalone threat detection systems inadequate, especially for detecting a multi-stage attack and often stealthy techniques. Moreover, attackers have been demonstrating adversarial effects that are caused by deception and contaminating data-driven methods with adversarial learning. For these reasons, recent research in threat detection is moving away from commonly, and often obsolete, datasets as well as adopting more multi-layered decision strategies.As such, this article provides a comprehensive review of decision strategies. We also examine their ability to support cyber situational awareness (CSA), providing to security analysts CSA properties such as situation assessment and system refinement.

show abstract

“…However, we observe that it is still possible for an attacker to hide malicious operations of an extension behind an innocuous functionality, trigger them at certain events or dynamically load the code at runtime and thus, could be successfully uploaded on the store, bypassing the security measures in place. Recently, Pantelaios et al [26] also showed that an extension could initially constitute benign functionalities and can later turn malicious by receiving updates, thus bypassing the initial screening. Hence, it is imperative to have an added line-of-defense at runtime to monitor and defend against such a specific class of attacks.…”

Section: Security Architecture Of Extensionsmentioning

confidence: 99%

“…Previous large-scale studies by various researchers indicate that they often spy on user browsing history, steals privacy-sensitive user information, or illegitimately modifies the content of Web pages [2,14,25,31]. Recent studies further assert that these man-in-the-browser entities are persistently abused in the wild and may have grave implications [26,27,32]. While these studies indicate that the extensions often intercept and modify the security headers at runtime, we emphasize that a systematic investigation is essential to determine, categorize and quantify the threats associated with them and propose effective countermeasures to tackle these vulnerabilities.…”

Section: Introductionmentioning

confidence: 99%

First, Do No Harm: Studying the manipulation of security headers in browser extensions

Agarwal¹,

Stock²

2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

We recently noticed a critical error with our measurement method. The problem originates from server-side randomness (that sometimes omits headers on a follow-up request) as well as a race condition in CDP/browser extensions. This leads to an unknown (yet likely quite high) number of false positives we report in the paper. See our blog post for details. Overall, since retroactively fixing the numbers is infeasible, the number of extensions reported in the paper must not be assumed to be correct. The following is the final version as was presented at the workshop. We leave it up nevertheless to allow others to better understand the technical aspects of our work, and to avoid they make similar mistakes.

show abstract

You've Changed: Detecting Malicious Browser Extensions through their Update Deltas

Cited by 21 publications

References 14 publications

Longitudinal Analysis of Privacy Labels in the Apple App Store

Longitudinal Analysis of Privacy Labels in the Apple App Store

Toward situational awareness in threat detection. A survey

First, Do No Harm: Studying the manipulation of security headers in browser extensions

Contact Info

Product

Resources

About