ABSTRACT
Malware writers are constantly looking for new vulnerabilities to exploit in popular software applications. A successful exploit of a previously unknown vulnerability that evades state-of-the-art anti-virus and intrusion-detection systems is called a zero-day vulnerability. JavaScript is a popular vehicle for testing and delivering attacks through drive-by downloads on web clients. Failed attack attempts leave traces of suspicious activity on victim machines. We present ZDVUE, a tool for automatic prioritization of suspicious JavaScript traces, which can lead to early detection of potential zero-day vulnerabilities. Our algorithm uses a combination of correlation analysis and mixture modeling for fast and robust prioritization of suspicious JavaScript samples. On data collected between June and November 2009, ZDVUE identified a new zero-day vulnerability and its variant in its top results, and also revealed many new anti-virus signatures. ZDVUE is used in our organization on a routine basis to automatically filter, analyze, and prioritize thousands of downloaded JavaScript files, both to update anti-virus signatures and to find new zero-day vulnerabilities.