Computing Reviews
Automatic extraction of indicators of compromise for web applications
Catakoglu O., Balduzzi M., Balzarotti D. In: WWW 2016 (Proceedings of the 25th International Conference on the World Wide Web, Montréal, Québec, Canada, Apr 11-15, 2016), pp. 333-343, 2016. Type: Proceedings
Date Reviewed: Sep 8 2016

Small scripts that are harmless in themselves can help identify compromised websites that have gone undetected for years. Attackers rely on external components to make a compromised page work smoothly, for example JavaScript libraries or scripts that implement visual effects. By extracting these components and searching the web for other pages that load them, treating them as web indicators of compromise (WIOCs), the authors were able to identify a large number of compromised websites that antivirus scanners and other means do not detect. Attackers often do not install such components directly on each compromised page; instead they host them in an external repository and link to them, which lets them update the code without having to modify every page. That shared, externally hosted URL is exactly what makes the component a usable indicator.

Using data from a high-interaction honeypot virtual machine, the authors collected compromised pages and extracted the JavaScript URLs they load, then analyzed each URL in its page context to select good candidate indicators. They searched for other occurrences of each candidate and extracted the following features: page similarity (how alike the pages loading the same URL are), maliciousness, anomalous origin (a component loaded from a host unrelated to the page), component popularity (how widely legitimate sites use it), and mentions in security forums. They then applied an unsupervised learning algorithm to cluster the results.
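To make the extraction step concrete, the following is an added example (not the paper's code or data) that reproduces the core idea on a constructed corpus: pull the script URLs out of a handful of captured pages, normalize them into candidate indicators, and keep only those that are loaded from an anomalous (third-party) origin and are rare across a benign reference corpus, reporting page similarity for the pages that share each indicator. All hosts, pages and thresholds are hypothetical; the features are simplified stand-ins for the ones the paper describes, and the maliciousness and forum-mention features are not modeled here.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample corpus (not data from the paper): two pages captured from a
# hypothetical honeypot plus three pages standing in for a benign reference crawl.
HONEYPOT_PAGES = {
    "http://honeypot-site-1.test/index.php": """
        <html><head>
        <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
        <script src="http://example-repo.test/svn/trunk/js/jquery.fancybox.js?v=3"></script>
        </head><body><script src="/local/app.js"></script></body></html>""",
    "http://honeypot-site-2.test/wp-content/uploads/x.php": """
        <html><head>
        <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
        <script src="HTTP://Example-Repo.test/svn/trunk/js/jquery.fancybox.js?v=7"></script>
        </head><body></body></html>""",
}
BENIGN_PAGES = {
    "http://shop.test/": '<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>',
    "http://blog.test/post": '<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>',
    "http://news.test/": '<script src="https://cdn.news.test/app.js"></script>',
}


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def normalize(url):
    """Canonical indicator form: lowercase scheme and host, query and fragment dropped
    (the same component is often referenced with varying cache-busting parameters)."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def extract_script_urls(page_url, html):
    """All script URLs a page loads, resolved against the page URL and normalized."""
    parser = ScriptSrcParser()
    parser.feed(html)
    return [normalize(urljoin(page_url, src)) for src in parser.srcs]


def is_external(page_url, script_url):
    """Anomalous-origin feature (simplified): the script host differs from the page host."""
    return urlparse(page_url).hostname != urlparse(script_url).hostname


def collect_indicators(pages):
    """Map each normalized script URL to the set of pages that load it."""
    index = defaultdict(set)
    for page_url, html in pages.items():
        for script in extract_script_urls(page_url, html):
            index[script].add(page_url)
    return index


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def page_similarity(pages, page_scripts):
    """Mean pairwise Jaccard similarity of the script sets of the pages sharing an indicator."""
    pages = sorted(pages)
    pairs = [(pages[i], pages[j]) for i in range(len(pages)) for j in range(i + 1, len(pages))]
    if not pairs:
        return 0.0
    return sum(jaccard(page_scripts[a], page_scripts[b]) for a, b in pairs) / len(pairs)


def candidate_wiocs(honeypot_pages, benign_pages, max_benign_sites=0):
    """Keep indicators that are externally hosted on every compromised page that loads
    them and that at most `max_benign_sites` distinct benign sites reference."""
    honeypot_index = collect_indicators(honeypot_pages)
    benign_index = collect_indicators(benign_pages)
    page_scripts = {u: set(extract_script_urls(u, h)) for u, h in honeypot_pages.items()}
    results = []
    for indicator, pages in honeypot_index.items():
        external = all(is_external(p, indicator) for p in pages)
        popularity = len({urlparse(p).hostname for p in benign_index.get(indicator, ())})
        if not external or popularity > max_benign_sites:
            continue
        results.append({
            "indicator": indicator,
            "compromised_pages": len(pages),
            "benign_sites": popularity,
            "page_similarity": round(page_similarity(pages, page_scripts), 3),
        })
    return sorted(results, key=lambda r: -r["compromised_pages"])


if __name__ == "__main__":
    for row in candidate_wiocs(HONEYPOT_PAGES, BENIGN_PAGES):
        print(row)
```

On this corpus the shared jQuery CDN URL is discarded because benign sites load it too, the page-local `/local/app.js` is discarded because it is not externally hosted, and only the repository-hosted `jquery.fancybox.js` survives as a candidate, with its two varying `?v=` parameters collapsed into one indicator. In a real deployment the popularity threshold would be set against a large crawl rather than zero, and the remaining features (maliciousness, forum mentions) would feed the clustering step.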

In collaboration with an antivirus vendor, 96 WIOCs found to be used only by attackers were cross-checked against a web telemetry dataset to determine how often real users encounter them. Over 90 percent of the WIOCs were previously unknown to the vendor or classified as benign, and only 5.3 percent of the web pages containing an indicator were flagged as infected by at least one antivirus product, which implies that this method could substantially improve detection rates.

The authors discuss a number of case studies from their set of 96 indicators, showing different scenarios and different types of malicious activity, including affiliate programs and adware banners, web shells, spam mailers, and phishing sites. They also found that a considerable number of the identified WIOCs were hosted in public code repositories such as Google Code.

The paper presents a prototype method that was derived from a large dataset, tested over four months, and checked against real user data. The authors also discuss related work on compromised website detection and indicators of compromise used in traditional systems, and note that theirs is the first paper on web indicators of compromise.

This is a refreshing and novel approach that, if properly applied, might have a considerable impact on malware detection, especially for newly compromised pages that have yet to be blacklisted. It certainly is an excellent example of thinking outside the box.

Reviewer:  Edgar R. Weippl Review #: CR144739 (1612-0913)
Classification: World Wide Web (WWW) (H.3.4 ...); Security, Integrity, And Protection (H.2.7 ...); Unauthorized Access (K.6.5 ...)
 
Would you recommend this review?
yes
no
Other reviews under "World Wide Web (WWW)": Date
Intranet document management
Bannan J., Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1997. Type: Book (9780201873795)
Feb 1 1998
Developing databases for the Web and intranets
Rodley J., Coriolis Group Books, Scottsdale, AZ, 1997. Type: Book (9781576100516)
Jun 1 1998
1001 programming resources
Edward J. J., Jamsa Press, Houston, TX, 1996. Type: Book (9781884133503)
Apr 1 1998
more...

E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®