Website forensic investigation to identify evidence and impact of compromise

Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeshi Yada, Shigeki Goto

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    3 Citations (Scopus)

    Abstract

    Compromised websites that redirect users to malicious websites are often used by attackers to distribute malware. These attackers compromise popular websites and integrate them into a drive-by download attack scheme to lure unsuspecting users to malicious websites. An incident response organization such as a CSIRT contributes to preventing the spread of malware infection by analyzing compromised websites reported by users and sending abuse reports with detected URLs to webmasters. However, these abuse reports with only URLs are not sufficient to clean up the websites; therefore, webmasters cannot respond appropriately to such reports. In addition, it is difficult to analyze malicious websites across different client environments, i.e., a CSIRT and a webmaster, because these websites change behavior depending on the client environment. To expedite compromised website clean-up, it is important to provide fine-grained information such as the precise position of compromised web content, malicious URL relations, and the target range of client environments. In this paper, we propose a method of constructing a redirection graph with context, such as which web content redirects to which malicious websites. Our system with the proposed method analyzes a website in a multi-client environment to identify which client environment is exposed to threats. We evaluated our system using crawling datasets of approximately 2,000 compromised websites. As a result, our system successfully identified compromised web content and malicious URL relations, and the amount of web content and the number of URLs to be analyzed were sufficient for incident responders by 0.8% and 15.0%, respectively. Furthermore, it can also identify the target range of client environments in 30.4% of websites and a vulnerability that has been used in malicious websites by leveraging target information. This fine-grained information identified with our system would dramatically make the daily work of incident responders more efficient.

    Original language: English
    Title of host publication: Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings
    Publisher: Springer Verlag
    Pages: 431-453
    Number of pages: 23
    Volume: 198 LNICST
    ISBN (Print): 9783319596075
    DOIs: 10.1007/978-3-319-59608-2_25
    Publication status: Published - 2017
    Event: 12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016 - Guangzhou, China
    Duration: 2016 Oct 10 to 2016 Oct 12

    Publication series

    Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
    Volume: 198 LNICST
    ISSN (Print): 1867-8211

    Other

    Other: 12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016
    Country: China
    City: Guangzhou
    Period: 16/10/10 to 16/10/12

    Keywords

    • Compromised website
    • Drive-by download
    • Redirection graph

    ASJC Scopus subject areas

    • Computer Networks and Communications

    Cite this

    Takata, Y., Akiyama, M., Yagi, T., Yada, T., & Goto, S. (2017). Website forensic investigation to identify evidence and impact of compromise. In Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings (Vol. 198 LNICST, pp. 431-453). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 198 LNICST). Springer Verlag. https://doi.org/10.1007/978-3-319-59608-2_25

    @inproceedings{07d9fe0a21de44e99a14329de47b43e1,
    title = "Website forensic investigation to identify evidence and impact of compromise",
    abstract = "Compromised websites that redirect users to malicious websites are often used by attackers to distribute malware. These attackers compromise popular websites and integrate them into a drive-by download attack scheme to lure unsuspecting users to malicious websites. An incident response organization such as a CSIRT contributes to preventing the spread of malware infection by analyzing compromised websites reported by users and sending abuse reports with detected URLs to webmasters. However, these abuse reports with only URLs are not sufficient to clean up the websites; therefore, webmasters cannot respond appropriately to such reports. In addition, it is difficult to analyze malicious websites across different client environments, i.e., a CSIRT and a webmaster, because these websites change behavior depending on the client environment. To expedite compromised website clean-up, it is important to provide fine-grained information such as the precise position of compromised web content, malicious URL relations, and the target range of client environments. In this paper, we propose a method of constructing a redirection graph with context, such as which web content redirects to which malicious websites. Our system with the proposed method analyzes a website in a multi-client environment to identify which client environment is exposed to threats. We evaluated our system using crawling datasets of approximately 2,000 compromised websites. As a result, our system successfully identified compromised web content and malicious URL relations, and the amount of web content and the number of URLs to be analyzed were sufficient for incident responders by 0.8{\%} and 15.0{\%}, respectively. Furthermore, it can also identify the target range of client environments in 30.4{\%} of websites and a vulnerability that has been used in malicious websites by leveraging target information. This fine-grained information identified with our system would dramatically make the daily work of incident responders more efficient.",
    keywords = "Compromised website, Drive-by download, Redirection graph",
    author = "Yuta Takata and Mitsuaki Akiyama and Takeshi Yagi and Takeshi Yada and Shigeki Goto",
    year = "2017",
    doi = "10.1007/978-3-319-59608-2_25",
    language = "English",
    isbn = "9783319596075",
    volume = "198 LNICST",
    series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST",
    publisher = "Springer Verlag",
    pages = "431--453",
    booktitle = "Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings",
    address = "Germany",
    }

    TY  - GEN
    T1  - Website forensic investigation to identify evidence and impact of compromise
    AU  - Takata, Yuta
    AU  - Akiyama, Mitsuaki
    AU  - Yagi, Takeshi
    AU  - Yada, Takeshi
    AU  - Goto, Shigeki
    PY  - 2017
    Y1  - 2017

    KW  - Compromised website
    KW  - Drive-by download
    KW  - Redirection graph
    UR  - http://www.scopus.com/inward/record.url?scp=85021741118&partnerID=8YFLogxK
    UR  - http://www.scopus.com/inward/citedby.url?scp=85021741118&partnerID=8YFLogxK
    U2  - 10.1007/978-3-319-59608-2_25
    DO  - 10.1007/978-3-319-59608-2_25
    M3  - Conference contribution
    AN  - SCOPUS:85021741118
    SN  - 9783319596075
    VL  - 198 LNICST
    T3  - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
    SP  - 431
    EP  - 453
    BT  - Security and Privacy in Communication Networks -12th International Conference, SecureComm 2016, Proceedings
    PB  - Springer Verlag
    ER  -