Fine-grained analysis of compromised websites with redirection graphs and JavaScript traces

Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeshi Yada, Shigeki Goto

    Research output: Contribution to journal › Article

    1 Citation (Scopus)

    Abstract

    An incident response organization such as a CSIRT contributes to preventing the spread of malware infection by analyzing compromised websites and sending abuse reports with detected URLs to webmasters. However, these abuse reports with only URLs are not sufficient to clean up the websites. In addition, it is difficult to analyze malicious websites across different client environments because these websites change behavior depending on a client environment. To expedite compromised website clean-up, it is important to provide fine-grained information such as malicious URL relations, the precise position of compromised web content, and the target range of client environments. In this paper, we propose a new method of constructing a redirection graph with context, such as which web content redirects to malicious websites. The proposed method analyzes a website in a multi-client environment to identify which client environment is exposed to threats. We evaluated our system using crawling datasets of approximately 2,000 compromised websites. The result shows that our system successfully identified malicious URL relations and compromised web content, and the number of URLs and the amount of web content to be analyzed were sufficient for incident responders by 15.0% and 0.8%, respectively. Furthermore, it can also identify the target range of client environments in 30.4% of websites and a vulnerability that has been used in malicious websites by leveraging target information. This fine-grained analysis by our system would contribute to improving the daily work of incident responders.

    Original language: English
    Pages (from-to): 1714-1728
    Number of pages: 15
    Journal: IEICE Transactions on Information and Systems
    Volume: E100D
    Issue number: 8
    DOI: 10.1587/transinf.2016ICP0011
    Publication status: Published - 2017 Aug 1

    Fingerprint

    Websites
    World Wide Web

    Keywords

    • Compromised website
    • Drive-by download
    • Program trace
    • Redirection graph

    ASJC Scopus subject areas

    • Software
    • Hardware and Architecture
    • Computer Vision and Pattern Recognition
    • Artificial Intelligence
    • Electrical and Electronic Engineering

    Cite this

    Fine-grained analysis of compromised websites with redirection graphs and JavaScript traces. / Takata, Yuta; Akiyama, Mitsuaki; Yagi, Takeshi; Yada, Takeshi; Goto, Shigeki.

    In: IEICE Transactions on Information and Systems, Vol. E100D, No. 8, 01.08.2017, p. 1714-1728.

    @article{16091e11a13d4742a79ff9409976fdaf,
    title = "Fine-grained analysis of compromised websites with redirection graphs and JavaScript traces",
    keywords = "Compromised website, Drive-by download, Program trace, Redirection graph",
    author = "Yuta Takata and Mitsuaki Akiyama and Takeshi Yagi and Takeshi Yada and Shigeki Goto",
    year = "2017",
    month = "8",
    day = "1",
    doi = "10.1587/transinf.2016ICP0011",
    language = "English",
    volume = "E100D",
    pages = "1714--1728",
    journal = "IEICE Transactions on Information and Systems",
    issn = "0916-8532",
    publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
    number = "8",

    }