Website forensic investigation to identify evidence and impact of compromise

Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeshi Yada, Shigeki Goto

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    3 Citations (Scopus)

    Abstract

    Compromised websites that redirect users to malicious websites are often used by attackers to distribute malware. These attackers compromise popular websites and integrate them into a drive-by download attack scheme to lure unsuspecting users to malicious websites. An incident response organization such as a CSIRT contributes to preventing the spread of malware infection by analyzing compromised websites reported by users and sending abuse reports with detected URLs to webmasters. However, these abuse reports with only URLs are not sufficient to clean up the websites; therefore, webmasters cannot respond appropriately to such reports. In addition, it is difficult to analyze malicious websites across different client environments, i.e., a CSIRT and a webmaster, because these websites change behavior depending on the client environment. To expedite compromised website clean-up, it is important to provide fine-grained information such as the precise position of compromised web content, malicious URL relations, and the target range of client environments. In this paper, we propose a method of constructing a redirection graph with context, such as which web content redirects to which malicious websites. Our system with the proposed method analyzes a website in a multi-client environment to identify which client environment is exposed to threats. We evaluated our system using crawling datasets of approximately 2,000 compromised websites. As a result, our system successfully identified compromised web content and malicious URL relations, and the amount of web content and the number of URLs to be analyzed were sufficient for incident responders by 0.8% and 15.0%, respectively. Furthermore, it can also identify the target range of client environments in 30.4% of websites and a vulnerability that has been used in malicious websites by leveraging target information. This fine-grained information identified with our system would dramatically make the daily work of incident responders more efficient.

    Original languageEnglish
    Title of host publicationSecurity and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings
    PublisherSpringer Verlag
    Pages431-453
    Number of pages23
    Volume198 LNICST
    ISBN (Print)9783319596075
    DOIs
    Publication statusPublished - 2017
    Event12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016 - Guangzhou, China
    Duration: 2016 Oct 102016 Oct 12

    Publication series

    NameLecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
    Volume198 LNICST
    ISSN (Print)1867-8211

    Other

    Other12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016
    CountryChina
    CityGuangzhou
    Period16/10/1016/10/12

    Keywords

    • Compromised website
    • Drive-by download
    • Redirection graph

    ASJC Scopus subject areas

    • Computer Networks and Communications

    Fingerprint Dive into the research topics of 'Website forensic investigation to identify evidence and impact of compromise'. Together they form a unique fingerprint.

  • Cite this

    Takata, Y., Akiyama, M., Yagi, T., Yada, T., & Goto, S. (2017). Website forensic investigation to identify evidence and impact of compromise. In Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings (Vol. 198 LNICST, pp. 431-453). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 198 LNICST). Springer Verlag. https://doi.org/10.1007/978-3-319-59608-2_25