Uploaded bymori_tatsuya
PDF, PPTX2,849 views

AutoBLG by Sun Bo

This document proposes the AutoBLG framework to automatically generate URL blacklists. It has three main components: 1) URL Expansion uses existing malicious URLs to expand the search space through preprocessing, passive DNS databases, search engines and web crawlers. 2) URL Filtration reduces the expanded URLs using machine learning classifiers trained on HTML features and similarity searches. 3) URL Verification checks the filtered URLs for drive-by downloads using a honeypot, antivirus software, and VirusTotal. The framework achieved a 99% reduction in URLs to verify while still finding new malicious URLs not in blacklists.

Embed presentation

Download as PDF, PPTX
1 AutoBLG: Automatic URL Blacklist Generator Using Search Space Expansion and Filters Bo Sun1,Mitsuaki Akiyama2,Takeshi Yagi2,     Mitsuhiro Hatada1,Tatsuya Mori1 1,Waseda University 2,NTT Secure Platform Laboratories IEEE  ISCC  2015
Background(1) •  The estimated number of drive-by-download attacks is 4.3 M per day 2   7% 93% The  number  of  web-­‐based  a1acks   other  a0acks   drive-­‐by-­‐download  a0ack  
Background(2) •  What is Drive-by-download attack 3   user Landing page URL        Exploit URL    Malware download URL     download malware automatically exploit vulnerabilities Click on URL
Background(3) •  What is URL Blacklist 4   user Landing page URL          Exploit URL   Malware download URL Landing page URL Exploit URL URL Blacklist Matching Block Malware download URL
Background(4) •  However, URL Blacklist cannot cope with previously unseen malicious URLs •  It is crucial to keep the URLs updated to make a URL blacklist effective 5   To collect fresh malicious URLs
Background(5) 6   30 trillion unique URLs Wild Internet Web client honeypot Scan
7   Goal • Our main objective is to accelerate the process of generating a URL blacklist automatically. Idea Existing Malicious URLs New Malicious URLs Search Space Filter (Machine Learning) Expansion Reduction Input: Output:
AutoBLG Framework •  Three primary components: 8   Img  from  h0p://www.itguyswa.com.au/free-­‐anJvirus-­‐protecJon/                                      h0ps://www.virustotal.com/ja/                                      h0p://www.soumu.go.jp/main_content/000174846.pdf 8   URL Expansion URL Flirtation 8   URL Verification
URL Expansion(1)Seed 9   http://2339XXX.net/main http://auth.veXXXXX.com Seed Pre- processing Passive DNS Database Search Engine Web Crawler
URL Expansion(2)Pre-processing 10   11X.5X.1XX.XX4 2X.XXX.X99.X2 Seed Pre- processing Passive DNS Database Search Engine Web Crawler
URL Expansion(3) Passive DNS Database 11   sediscoXXXXXX.gruXXX.com vorXXXXXXX.zdjecXXXki.com Seed Pre- processing Passive DNS Database Search Engine Web Crawler
URL Expansion(4) Search Engine and Web Crawler 12   http://100XXXXXwebcam.bXXX.pl/island-XXX-wXX.html http://100XXXXXwebcam.bXXX.pl/isteam-XXXX.html Seed Pre- processing Passive DNS Database Search Engine Web Crawler
URL Filrtation 13  Img from http://www.primalsecurity.net/0xc-python-tutorial-python-malware/ Existing Malicious URLs Unknown URLs Similarity Search HTML Features Bayesian sets
URL Verification •  Three tools for verification of drive-by- download attacks   Ø Web Client honeypot Marionette Ø Antivirus Software Ø Virustotal online service 14  
Performance Evaluation 15   •  The number of URL Expansion data: 59,394 •  No URL Filtration: more than 100 hours •  URL Filtration in use: approximately 6 hours To accelerate the process of generating blacklist URLs by adopting a high performance filter
Results(1) 16   Web client honeypot Antivirus software Virustotal 1.16% 3.8% 16.5% •  Web Client Honeypot : definitely malicious Ø  it contained redirecting to the exploit web pages •  Antivirus Software : highly suspicious Ø  they contained several HTTP objects that were detected by the antivirus checkers; (malicious JavaScript or executable malware) •  VirusTotal : suspicious Ø  need further manual inspection
Results(2) •  some URLs are identified by multiple tools •  After eliminating duplications, of the 600 of extracted URLs, 106 URLs were detected as malicious or suspicious •  Of the discovered 106 URLs, seven URLs are completely new URLs that have not been listed in the VirusTotal 17  
Limitation and future work
 18   Item Limitation Future work Search Engine Only get Top-50 search results To accelerate web search engine process Web Crawler evaded by ‘cloaking techniques’ To develop more sophisticated tools Query Pattern Miss several malicious URLs To increase the number of query patterns URL Verification Only two version of browser or plug-in To adopt a low- interaction honeypot Online operation Not fully online due to URL Expansion part To pipeline URL expansion step
Summary •  We have proposed the AutoBLG framework Ø  light-weight Ø  new and previously unknown drive-by-download URLs Ø  other suspicious URLs that need for further analysis   •  Key ideas Ø  the use of search space expansion and filters •  We proposed a high-performance filter Ø  it reduced number of URLs to be investigated with the dynamic analysis systems by 99% Ø  while successfully finding new URLs that have not been listed in the widely used popular URL reputation system 19  
Thank you for your listening 20
URL Filtration(1)Feature Extraction 21   HTML Feature Difference with pervious works The number of elements with a small area Frameset tags border,frameborder,framespacing The number of suspicious word in the script’s content some strings such as shellcode ,shcode. The number of URLs with a different domain Only count URL with different domain.     The number of iframe and frame tags       same The number of hidden elements The number of meta refresh tags The number of out-of-place elements The number of embed and object tags The presence of unescape behavior The number of setTimeout functions
URL Filtration(2)Similarity Search 22   Similarity Search: Bayesian Sets From web space Toyota Nissan Honda BMW Ford Audi Mitsubishi Mazda Volkswagen Google Sets From all unknown URLs Adopting several existing malicious URL as query (Malicious URLs that are created with same Exploit Kit) To output all URLs’ Score in descending order. The higher score is, the more probably URL is Malicious 22  
The range of experiment 23   Preliminary Experiment Performance Evaluation URL Expansion URL Filtration URL Verification •Commercial blacklist •Pre-processing •Passive DNS database •Search Engine •Web crawler •Feature Extraction •Similarity Search •Web Client Honeypot •Antivirus Software •VirusTotal Steps in URL Expansion Steps in URL Filtration Tools in URL Verification 23  
Preliminary Experiment 24   100 101 102 103 Top-K URLs 0 1 2 3 ThenumberofMaliciousURLs Query Pattern1 Query Pattern2 •  Experiment Data Ø  The number of benign URLs:10,000 Ø  The number of malicious URLs:6 •  Experiment Result Ø  The two query patterns identify different three malicious URLs in top 300 scores respectively and extract all the six malicious URLs totally Ø  we considered the top 300 scores as the   threshold for URL filtration. 24  

More Related Content

PDF
Common Web Application Attacks
byAhmed Sherif
 
PPTX
Application Security Tools
byLalit Kale
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PPTX
Deep dive into ssrf
byn|u - The Open Security Community
 
PPTX
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
PPS
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
byClubHack
 
PDF
Beyond OWASP Top 10 - TASK October 2017
byAaron Hnatiw
 
PPT
IronSAP
byPrasanna Kanagasabai
 
Common Web Application Attacks
byAhmed Sherif
 
Application Security Tools
byLalit Kale
 
Api security-testing
byn|u - The Open Security Community
 
Deep dive into ssrf
byn|u - The Open Security Community
 
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
byClubHack
 
Beyond OWASP Top 10 - TASK October 2017
byAaron Hnatiw
 
IronSAP
byPrasanna Kanagasabai
 

What's hot

PPTX
Detection of Phishing Websites
byNikhil Soni
 
PPTX
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
 
PPTX
Dive in burpsuite
byNadim Kadiwala
 
PPTX
Web application attacks
byhruth
 
PDF
資料科學在 Whoscall 產品體系中的角色
by台灣資料科學年會
 
PDF
Web Application Firewall: Suckseed or Succeed
byPrathan Phongthiproek
 
PDF
How To Webinar - Sumo Logic API
bySumo Logic
 
PDF
Talking About SSRF,CRLF
byn|u - The Open Security Community
 
PPTX
Presentation on Web Attacks
byVivek Sinha Anurag
 
PPTX
Sumo Logic QuickStart Webinar - Get Certified
bySumo Logic
 
PDF
What should I do when my website got hack?
bySumedt Jitpukdebodin
 
PPSX
Scaling-up and Automating Web Application Security Tech Talk
byNetsparker
 
PPTX
An experiment in agile threat modelling
byDevSecCon
 
PDF
Secure Web Services
byRob Daigneau
 
PDF
Pentesting RESTful webservices
byMohammed A. Imran
 
PPTX
Secure Your REST API (The Right Way)
byStormpath
 
PDF
Workshop : Application Security
byPriyanka Aash
 
PDF
Building an API Security Ecosystem
byPrabath Siriwardena
 
Detection of Phishing Websites
byNikhil Soni
 
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
 
Dive in burpsuite
byNadim Kadiwala
 
Web application attacks
byhruth
 
資料科學在 Whoscall 產品體系中的角色
by台灣資料科學年會
 
Web Application Firewall: Suckseed or Succeed
byPrathan Phongthiproek
 
How To Webinar - Sumo Logic API
bySumo Logic
 
Talking About SSRF,CRLF
byn|u - The Open Security Community
 
Presentation on Web Attacks
byVivek Sinha Anurag
 
Sumo Logic QuickStart Webinar - Get Certified
bySumo Logic
 
What should I do when my website got hack?
bySumedt Jitpukdebodin
 
Scaling-up and Automating Web Application Security Tech Talk
byNetsparker
 
An experiment in agile threat modelling
byDevSecCon
 
Secure Web Services
byRob Daigneau
 
Pentesting RESTful webservices
byMohammed A. Imran
 
Secure Your REST API (The Right Way)
byStormpath
 
Workshop : Application Security
byPriyanka Aash
 
Building an API Security Ecosystem
byPrabath Siriwardena
 

Similar to AutoBLG by Sun Bo

PDF
CNIT 129S: Ch 4: Mapping the Application
bySam Bowne
 
PDF
Lord of the Bing: Taking Back Search Engine Hacking From Google and Bing
byBishop Fox
 
PDF
USING BLACK-LIST AND WHITE-LIST TECHNIQUE TO DETECT MALICIOUS URLS
byAM Publications,India
 
PDF
MALICIOUS URL DETECTION USING CONVOLUTIONAL NEURAL NETWORK
byijcseit
 
PDF
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
byMarco Balduzzi
 
PDF
Malicious Link Detection System
byIRJET Journal
 
PPTX
Malicious Url Detection Using Machine Learning
bysecurityxploded
 
PPTX
detection of malicious URLs.pptx
bymanash40
 
PPTX
Malicious url detection using machine learning
byCysinfo Cyber Security Community
 
PPT
Fight fire with fire draft
byNishant Agrawal
 
PDF
Improving spam detection with automaton
byAntonio Costa aka Cooler_
 
PDF
State of the Art Analysis Approach for Identification of the Malignant URLs
byIOSRjournaljce
 
PDF
Lord of the bing b-sides atl
bySecurity B-Sides
 
PDF
ChongLiu-MaliciousURLDetection
byDaniel Liu
 
PDF
Detecting malicious URLs using binary classification through ada boost algori...
byIJECEIAES
 
PDF
MALICIOUS URL DETECTION USING CONVOLUTIONAL NEURAL NETWORK
byijcseit
 
PDF
IRJET- Detecting Malicious URLS using Machine Learning Techniques: A Comp...
byIRJET Journal
 
PPTX
BrightonSEO
byRichard Falconer
 
PDF
Classification Model to Detect Malicious URL via Behaviour Analysis
byEditor IJCATR
 
PDF
Ista presentation-malicious url
byvinaykumar R
 
CNIT 129S: Ch 4: Mapping the Application
bySam Bowne
 
Lord of the Bing: Taking Back Search Engine Hacking From Google and Bing
byBishop Fox
 
USING BLACK-LIST AND WHITE-LIST TECHNIQUE TO DETECT MALICIOUS URLS
byAM Publications,India
 
MALICIOUS URL DETECTION USING CONVOLUTIONAL NEURAL NETWORK
byijcseit
 
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
byMarco Balduzzi
 
Malicious Link Detection System
byIRJET Journal
 
Malicious Url Detection Using Machine Learning
bysecurityxploded
 
detection of malicious URLs.pptx
bymanash40
 
Malicious url detection using machine learning
byCysinfo Cyber Security Community
 
Fight fire with fire draft
byNishant Agrawal
 
Improving spam detection with automaton
byAntonio Costa aka Cooler_
 
State of the Art Analysis Approach for Identification of the Malignant URLs
byIOSRjournaljce
 
Lord of the bing b-sides atl
bySecurity B-Sides
 
ChongLiu-MaliciousURLDetection
byDaniel Liu
 
Detecting malicious URLs using binary classification through ada boost algori...
byIJECEIAES
 
MALICIOUS URL DETECTION USING CONVOLUTIONAL NEURAL NETWORK
byijcseit
 
IRJET- Detecting Malicious URLS using Machine Learning Techniques: A Comp...
byIRJET Journal
 
BrightonSEO
byRichard Falconer
 
Classification Model to Detect Malicious URL via Behaviour Analysis
byEditor IJCATR
 
Ista presentation-malicious url
byvinaykumar R
 

Recently uploaded

PPTX
STM Unit 1 Complete notes for engineering students for better understanding
byLakshmiVivekaKesanap
 
PDF
RAMON Scrap quality detection system.pdf
bymohamedassar81
 
PPT
Introduction to ARTIFICIAL INTELLIGENCES
byKAVITHAA49
 
PPTX
reference material iso 45001_2018.pptx reference material iso 45001_2018.pptx
byMelwinPaul6
 
PPT
Escape-17-plenary-gani-grossmann-final.ppt
bynewjourneynewlife201
 
PPTX
Unit 5 - THERMO ELECTRIC ENERGY BASED PROCESSES .pptx
byarivazhaganrajangam
 
PDF
22nd Safety Convention by IE(I) dt 27.12.25 by Rajesh Prasad.pdf
byRajesh Prasad
 
PPTX
410776623-5G 3GPP STANDARED-Overview.pptx
byMohamedshabana38
 
PPT
Unit 1 - SHAPER, MILLING AND GEAR CUTTING MACHINES .ppt
byarivazhaganrajangam
 
PPTX
Chapter4- Continuous-Time Markov Models- Stpchastoc Processes- Dr. Zahedi.pptx
byzahedicourse
 
PDF
Module 3 Python progr1BPLCK105B-By Dr.SV.pdf
bySURESHA V
 
PDF
convex_hull generation using the Quickhull
by😀 Shahrokh Paravarzar, PhD, E.I.T
 
PPT
Uncertainty Slides for Artificial Intelligence.pptx
bykingofsevenrings1510
 
PPT
TOWERS AND COLUMNS,maintenance and inspection.ppt
byamalthomas9447
 
PPTX
AI INTRODUCTION New Microsoft Office PowerPoint Presentation.pptx
byb23cs183
 
PPTX
understand the basic need , guidelines of value of process of education
byMITS
 
PPTX
PVD MNA 501 Recipe Review with understanding
byNritaGaur1
 
PPTX
Module 1 AGGREGATES, DEFINITION, TYPES .pptx
bytkmmullonkal
 
PDF
Unconventional reservoirs in petroleum engineering
byMuhammadHaris61480
 
PPTX
PEMET 413 COMPOSITE MATERIALS MOD1 LECTURE 3.pptx
byVinayB68
 
STM Unit 1 Complete notes for engineering students for better understanding
byLakshmiVivekaKesanap
 
RAMON Scrap quality detection system.pdf
bymohamedassar81
 
Introduction to ARTIFICIAL INTELLIGENCES
byKAVITHAA49
 
reference material iso 45001_2018.pptx reference material iso 45001_2018.pptx
byMelwinPaul6
 
Escape-17-plenary-gani-grossmann-final.ppt
bynewjourneynewlife201
 
Unit 5 - THERMO ELECTRIC ENERGY BASED PROCESSES .pptx
byarivazhaganrajangam
 
22nd Safety Convention by IE(I) dt 27.12.25 by Rajesh Prasad.pdf
byRajesh Prasad
 
410776623-5G 3GPP STANDARED-Overview.pptx
byMohamedshabana38
 
Unit 1 - SHAPER, MILLING AND GEAR CUTTING MACHINES .ppt
byarivazhaganrajangam
 
Chapter4- Continuous-Time Markov Models- Stpchastoc Processes- Dr. Zahedi.pptx
byzahedicourse
 
Module 3 Python progr1BPLCK105B-By Dr.SV.pdf
bySURESHA V
 
convex_hull generation using the Quickhull
by😀 Shahrokh Paravarzar, PhD, E.I.T
 
Uncertainty Slides for Artificial Intelligence.pptx
bykingofsevenrings1510
 
TOWERS AND COLUMNS,maintenance and inspection.ppt
byamalthomas9447
 
AI INTRODUCTION New Microsoft Office PowerPoint Presentation.pptx
byb23cs183
 
understand the basic need , guidelines of value of process of education
byMITS
 
PVD MNA 501 Recipe Review with understanding
byNritaGaur1
 
Module 1 AGGREGATES, DEFINITION, TYPES .pptx
bytkmmullonkal
 
Unconventional reservoirs in petroleum engineering
byMuhammadHaris61480
 
PEMET 413 COMPOSITE MATERIALS MOD1 LECTURE 3.pptx
byVinayB68
 

AutoBLG by Sun Bo

  • 1.
    1 AutoBLG: Automatic URLBlacklist Generator Using Search Space Expansion and Filters Bo Sun1,Mitsuaki Akiyama2,Takeshi Yagi2,     Mitsuhiro Hatada1,Tatsuya Mori1 1,Waseda University 2,NTT Secure Platform Laboratories IEEE  ISCC  2015
  • 2.
    Background(1) •  The estimatednumber of drive-by-download attacks is 4.3 M per day 2   7% 93% The  number  of  web-­‐based  a1acks   other  a0acks   drive-­‐by-­‐download  a0ack  
  • 3.
    Background(2) •  What isDrive-by-download attack 3   user Landing page URL        Exploit URL    Malware download URL     download malware automatically exploit vulnerabilities Click on URL
  • 4.
    Background(3) •  What isURL Blacklist 4   user Landing page URL          Exploit URL   Malware download URL Landing page URL Exploit URL URL Blacklist Matching Block Malware download URL
  • 5.
    Background(4) •  However, URLBlacklist cannot cope with previously unseen malicious URLs •  It is crucial to keep the URLs updated to make a URL blacklist effective 5   To collect fresh malicious URLs
  • 6.
    Background(5) 6   30 trillion uniqueURLs Wild Internet Web client honeypot Scan
  • 7.
    7   Goal • Ourmain objective is to accelerate the process of generating a URL blacklist automatically. Idea Existing Malicious URLs New Malicious URLs Search Space Filter (Machine Learning) Expansion Reduction Input: Output:
  • 8.
    AutoBLG Framework •  Threeprimary components: 8   Img  from  h0p://www.itguyswa.com.au/free-­‐anJvirus-­‐protecJon/                                      h0ps://www.virustotal.com/ja/                                      h0p://www.soumu.go.jp/main_content/000174846.pdf 8   URL Expansion URL Flirtation 8   URL Verification
  • 9.
  • 10.
  • 11.
    URL Expansion(3) Passive DNSDatabase 11   sediscoXXXXXX.gruXXX.com vorXXXXXXX.zdjecXXXki.com Seed Pre- processing Passive DNS Database Search Engine Web Crawler
  • 12.
    URL Expansion(4) Search Engineand Web Crawler 12   http://100XXXXXwebcam.bXXX.pl/island-XXX-wXX.html http://100XXXXXwebcam.bXXX.pl/isteam-XXXX.html Seed Pre- processing Passive DNS Database Search Engine Web Crawler
  • 13.
    URL Filrtation 13  Imgfrom http://www.primalsecurity.net/0xc-python-tutorial-python-malware/ Existing Malicious URLs Unknown URLs Similarity Search HTML Features Bayesian sets
  • 14.
    URL Verification • Three tools for verification of drive-by- download attacks   Ø Web Client honeypot Marionette Ø Antivirus Software Ø Virustotal online service 14  
  • 15.
    Performance Evaluation 15   • The number of URL Expansion data: 59,394 •  No URL Filtration: more than 100 hours •  URL Filtration in use: approximately 6 hours To accelerate the process of generating blacklist URLs by adopting a high performance filter
  • 16.
    Results(1) 16   Web client honeypot Antivirussoftware Virustotal 1.16% 3.8% 16.5% •  Web Client Honeypot : definitely malicious Ø  it contained redirecting to the exploit web pages •  Antivirus Software : highly suspicious Ø  they contained several HTTP objects that were detected by the antivirus checkers; (malicious JavaScript or executable malware) •  VirusTotal : suspicious Ø  need further manual inspection
  • 17.
    Results(2) •  some URLsare identified by multiple tools •  After eliminating duplications, of the 600 of extracted URLs, 106 URLs were detected as malicious or suspicious •  Of the discovered 106 URLs, seven URLs are completely new URLs that have not been listed in the VirusTotal 17  
  • 18.
    Limitation and futurework
 18   Item Limitation Future work Search Engine Only get Top-50 search results To accelerate web search engine process Web Crawler evaded by ‘cloaking techniques’ To develop more sophisticated tools Query Pattern Miss several malicious URLs To increase the number of query patterns URL Verification Only two version of browser or plug-in To adopt a low- interaction honeypot Online operation Not fully online due to URL Expansion part To pipeline URL expansion step
  • 19.
    Summary •  We haveproposed the AutoBLG framework Ø  light-weight Ø  new and previously unknown drive-by-download URLs Ø  other suspicious URLs that need for further analysis   •  Key ideas Ø  the use of search space expansion and filters •  We proposed a high-performance filter Ø  it reduced number of URLs to be investigated with the dynamic analysis systems by 99% Ø  while successfully finding new URLs that have not been listed in the widely used popular URL reputation system 19  
  • 20.
    Thank you foryour listening 20
  • 21.
    URL Filtration(1)Feature Extraction 21   HTML Feature Difference with pervious works The number of elements with a small area Frameset tags border,frameborder,framespacing The number of suspicious word in the script’s content some strings such as shellcode ,shcode. The number of URLs with a different domain Only count URL with different domain.     The number of iframe and frame tags       same The number of hidden elements The number of meta refresh tags The number of out-of-place elements The number of embed and object tags The presence of unescape behavior The number of setTimeout functions
  • 22.
    URL Filtration(2)Similarity Search 22   Similarity Search: Bayesian Sets From web space Toyota Nissan Honda BMW Ford Audi Mitsubishi Mazda Volkswagen Google Sets From all unknown URLs Adopting several existing malicious URL as query (Malicious URLs that are created with same Exploit Kit) To output all URLs’ Score in descending order. The higher score is, the more probably URL is Malicious 22  
  • 23.
    The range ofexperiment 23   Preliminary Experiment Performance Evaluation URL Expansion URL Filtration URL Verification •Commercial blacklist •Pre-processing •Passive DNS database •Search Engine •Web crawler •Feature Extraction •Similarity Search •Web Client Honeypot •Antivirus Software •VirusTotal Steps in URL Expansion Steps in URL Filtration Tools in URL Verification 23  
  • 24.
    Preliminary Experiment 24   100 101 102 103 Top-K URLs 0 1 2 3 ThenumberofMaliciousURLs Query Pattern1 Query Pattern2 •  Experiment Data Ø  The number of benign URLs:10,000 Ø  The number of malicious URLs:6 •  Experiment Result Ø  The two query patterns identify different three malicious URLs in top 300 scores respectively and extract all the six malicious URLs totally Ø  we considered the top 300 scores as the   threshold for URL filtration. 24