MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks

Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeo Hariu, Shigeki Goto

    研究成果: Conference contribution

    5 引用 (Scopus)

    抄録

    Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. Attackers profile the information on the user's environment such as the name and version of the browser and browser plugins and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques such as honey clients are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. We propose here a method to exhaustively analyze Java Script code relevant to redirections and to extract the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called Mine Spider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that Mine Spider extracted 30,000 new URLs from websites in a few seconds that existing techniques missed.

    元の言語English
    ホスト出版物のタイトルProceedings - International Computer Software and Applications Conference
    出版者IEEE Computer Society
    ページ444-449
    ページ数6
    2
    ISBN(印刷物)9781467365635
    DOI
    出版物ステータスPublished - 2015 9 21
    イベント39th IEEE Annual Computer Software and Applications Conference, COMPSAC 2015 - Taichung, Taiwan, Province of China
    継続期間: 2015 7 12015 7 5

    Other

    Other39th IEEE Annual Computer Software and Applications Conference, COMPSAC 2015
    Taiwan, Province of China
    Taichung
    期間15/7/115/7/5

    Fingerprint

    Websites
    Web browsers
    Communication

    ASJC Scopus subject areas

    • Computer Science Applications
    • Software

    これを引用

    Takata, Y., Akiyama, M., Yagi, T., Hariu, T., & Goto, S. (2015). MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks. : Proceedings - International Computer Software and Applications Conference (巻 2, pp. 444-449). [7273652] IEEE Computer Society. https://doi.org/10.1109/COMPSAC.2015.76

    MineSpider : Extracting URLs from Environment-Dependent Drive-by Download Attacks. / Takata, Yuta; Akiyama, Mitsuaki; Yagi, Takeshi; Hariu, Takeo; Goto, Shigeki.

    Proceedings - International Computer Software and Applications Conference. 巻 2 IEEE Computer Society, 2015. p. 444-449 7273652.

    研究成果: Conference contribution

    Takata, Y, Akiyama, M, Yagi, T, Hariu, T & Goto, S 2015, MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks. : Proceedings - International Computer Software and Applications Conference. 巻. 2, 7273652, IEEE Computer Society, pp. 444-449, 39th IEEE Annual Computer Software and Applications Conference, COMPSAC 2015, Taichung, Taiwan, Province of China, 15/7/1. https://doi.org/10.1109/COMPSAC.2015.76
    Takata Y, Akiyama M, Yagi T, Hariu T, Goto S. MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks. : Proceedings - International Computer Software and Applications Conference. 巻 2. IEEE Computer Society. 2015. p. 444-449. 7273652 https://doi.org/10.1109/COMPSAC.2015.76
    Takata, Yuta ; Akiyama, Mitsuaki ; Yagi, Takeshi ; Hariu, Takeo ; Goto, Shigeki. / MineSpider : Extracting URLs from Environment-Dependent Drive-by Download Attacks. Proceedings - International Computer Software and Applications Conference. 巻 2 IEEE Computer Society, 2015. pp. 444-449
    @inproceedings{bdfd58fa36314505a976b729c64b2064,
    title = "MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks",
    abstract = "Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. Attackers profile the information on the user's environment such as the name and version of the browser and browser plugins and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques such as honey clients are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. We propose here a method to exhaustively analyze Java Script code relevant to redirections and to extract the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called Mine Spider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that Mine Spider extracted 30,000 new URLs from websites in a few seconds that existing techniques missed.",
    keywords = "Code analysis, Drive-by download, Honeyclient, Program slicing",
    author = "Yuta Takata and Mitsuaki Akiyama and Takeshi Yagi and Takeo Hariu and Shigeki Goto",
    year = "2015",
    month = "9",
    day = "21",
    doi = "10.1109/COMPSAC.2015.76",
    language = "English",
    isbn = "9781467365635",
    volume = "2",
    pages = "444--449",
    booktitle = "Proceedings - International Computer Software and Applications Conference",
    publisher = "IEEE Computer Society",

    }

    TY - GEN

    T1 - MineSpider

    T2 - Extracting URLs from Environment-Dependent Drive-by Download Attacks

    AU - Takata, Yuta

    AU - Akiyama, Mitsuaki

    AU - Yagi, Takeshi

    AU - Hariu, Takeo

    AU - Goto, Shigeki

    PY - 2015/9/21

    Y1 - 2015/9/21

    N2 - Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. Attackers profile the information on the user's environment such as the name and version of the browser and browser plugins and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques such as honey clients are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. We propose here a method to exhaustively analyze Java Script code relevant to redirections and to extract the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called Mine Spider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that Mine Spider extracted 30,000 new URLs from websites in a few seconds that existing techniques missed.

    AB - Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. Attackers profile the information on the user's environment such as the name and version of the browser and browser plugins and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques such as honey clients are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. We propose here a method to exhaustively analyze Java Script code relevant to redirections and to extract the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called Mine Spider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that Mine Spider extracted 30,000 new URLs from websites in a few seconds that existing techniques missed.

    KW - Code analysis

    KW - Drive-by download

    KW - Honeyclient

    KW - Program slicing

    UR - http://www.scopus.com/inward/record.url?scp=84962137584&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84962137584&partnerID=8YFLogxK

    U2 - 10.1109/COMPSAC.2015.76

    DO - 10.1109/COMPSAC.2015.76

    M3 - Conference contribution

    AN - SCOPUS:84962137584

    SN - 9781467365635

    VL - 2

    SP - 444

    EP - 449

    BT - Proceedings - International Computer Software and Applications Conference

    PB - IEEE Computer Society

    ER -