ARROW: Generating signatures to detect drive-by downloads

Junjie Zhang, Christian Seifert, Jack W. Stokes, Wenke Lee

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

Abstract

A drive-by download attack occurs when a user visits a webpage which attempts to automatically download malware without the user’s consent. Attackers sometimes use a malware distribution network (MDN) to manage a large number of malicious webpages, exploits, and malware executables. In this paper, we provide a new method to determine these MDNs from the secondary URLs and redirect chains recorded by a high-interaction client honeypot. In addition, we propose a novel drive-by download detection method. Instead of depending on the malicious content used by previous methods, our algorithm first identifies and then leverages the URLs of the MDN’s central servers, where a central server is a common server shared by a large percentage of the drive-by download attacks in the same MDN. A set of regular expression-based signatures is then generated from the URLs of each central server. This method allows additional malicious webpages to be identified which launched, but failed to complete, a drive-by download attack. The new drive-by detection system, named ARROW, has been implemented, and we provide a large-scale evaluation on the output of a production drive-by detection system. The experimental results demonstrate the effectiveness of our method: detection coverage is boosted by 96% with an extremely low false positive rate.
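To make the central-server idea concrete, the following added example (not the paper's code) mines constructed honeypot redirect chains for a host shared by most chains, turns that host's URLs into regex signatures by widening digit runs, and then flags a chain whose attack never delivered a payload. The chains, hostnames, and the 50% sharing threshold are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed redirect chains from a hypothetical honeypot run (all names made up).
# Each chain runs from the landing page to the last URL the browser was sent to.
CHAINS = [
    ["http://blog-a.example/post/12", "http://relay-1.example/go?x=1",
     "http://central.example/in.cgi?3", "http://drop-1.example/a.exe"],
    ["http://forum-b.example/t/889", "http://central.example/in.cgi?15",
     "http://drop-2.example/setup.exe"],
    ["http://shop-c.example/", "http://relay-2.example/j.php",
     "http://central.example/in.cgi?27", "http://drop-3.example/u.exe"],
    ["http://news-d.example/", "http://cdn-d.example/lib.js"],  # benign chain
]


def central_servers(chains, min_fraction=0.5):
    """Hosts present in at least min_fraction of the chains (assumed threshold)."""
    hits = Counter()
    for chain in chains:
        hits.update({urlparse(u).hostname for u in chain})  # count a host once per chain
    return {h for h, n in hits.items() if n / len(chains) >= min_fraction}


def generalize(url):
    """Regex for one URL: literal text is kept, each digit run becomes \\d+."""
    parts = re.split(r"(\d+)", url)
    return "".join(r"\d+" if p.isdigit() else re.escape(p) for p in parts)


def signatures(chains, min_fraction=0.5):
    """Distinct regex signatures derived from the central servers' URLs."""
    servers = central_servers(chains, min_fraction)
    return sorted({generalize(u) for chain in chains for u in chain
                   if urlparse(u).hostname in servers})


def flags(chain, sigs):
    """True if any URL in the chain fully matches a central-server signature."""
    return any(re.fullmatch(s, u) for u in chain for s in sigs)


if __name__ == "__main__":
    sigs = signatures(CHAINS)
    print(sigs)
    # A landing page that reached the central server but delivered no payload.
    print(flags(["http://blog-z.example/", "http://central.example/in.cgi?42"], sigs))
```

The last call returns True even though no executable was downloaded, which is the coverage gain the abstract describes; a content-based detector would have missed that chain.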

Original language: English
Title of host publication: Proceedings of the 20th International Conference on World Wide Web, WWW 2011
Publisher: Publ by ACM
Pages: 187-196
Number of pages: 10
ISBN (Print): 9781450306324
DOIs
State: Published - Mar 28 2011
Externally published: Yes
Event: 20th International Conference on World Wide Web, WWW 2011 - Hyderabad, India
Duration: Mar 28 2011 - Apr 1 2011

Conference

Conference: 20th International Conference on World Wide Web, WWW 2011
Country/Territory: India
City: Hyderabad
Period: 3/28/11 - 4/1/11

ASJC Scopus Subject Areas

  • Computer Networks and Communications

Keywords

  • Detection
  • Drive-by download
  • Malware distribution network
  • Signature generation

Disciplines

  • Computer Sciences
  • Engineering
