DSpace Repository

Feature-Based Approaches to Detect Drive-By Download Attacks

dc.contributor.author Le, Van Lam
dc.date.accessioned 2013-07-10T21:43:59Z
dc.date.accessioned 2022-11-02T22:41:28Z
dc.date.available 2013-07-10T21:43:59Z
dc.date.available 2022-11-02T22:41:28Z
dc.date.copyright 2013
dc.date.issued 2013
dc.identifier.uri https://ir.wgtn.ac.nz/handle/123456789/29209
dc.description.abstract Malicious web pages contain malicious code that can exploit a visitor's computer system. When a visitor visits a malicious web page, it exploits vulnerabilities on the visitor's computer system. A successful exploit can lead to malware being downloaded and installed on the visitor's computer system without the visitor's consent. This type of attack is called a drive-by download attack. Malicious web pages have become a significant security issue. The number of malicious web pages has increased significantly and has raised particular concern in the security community. Identification of malicious web pages based on extracting and analysing web page features has become an active research area. In terms of features, the research uses a range of different features. Some approaches use features from properties of web servers and domain name servers, while others use features extracted from the contents of web pages. Still others obtain features by rendering and executing web pages to monitor potential system events. The range of features used raises the question "What are the most useful features for identifying malicious web pages?". In addition, the number of web pages on the Internet is very large while the number of malicious web pages is very small, so scanning web pages on the Internet for malicious ones scales poorly. As a result, it is necessary to improve scalability in order to allow large numbers of web pages to be scanned. Furthermore, it would be desirable to be able to trade off accuracy for speed in circumstances where the aim is to collect malware rather than to identify all potentially malicious web pages. This research explores how drive-by download attacks happen and uses this knowledge to develop an approach to detect them effectively based on the characteristics of features. We identified the anatomy of drive-by download attacks.
Based on the anatomy, we created a state-change model of HTML documents and identified potential features to distinguish between benign web pages and malicious ones. We also used the anatomy to identify the limitations of each type of feature and the relationships between them. The features, their limitations and their relationships form a framework for evaluating features used to detect malicious web pages. Based on the characteristics of features, we found that some features were fast to obtain but less valuable. They could be used to identify potentially malicious web pages, reducing the number of suspicious web pages that need to be inspected by experts or expensive devices. Therefore, we proposed a novel scoring model to identify potentially malicious web pages. It used several different types of light-weight features and gave a maliciousness score for each web page based on each type of feature. It then combined these maliciousness scores to form a final maliciousness score for each web page. The experiment showed that our novel scoring model works very effectively. The characteristics of features also showed that some features are extracted by rendering and executing web pages while others are obtained without executing them; the former therefore require much more time and resources than the latter. We took this into account to propose a two-stage classification model to detect malicious web pages. The two-stage classification model used static features to filter potentially malicious web pages and forwarded them to the second stage for classification. Our experiment showed that the two-stage classification model worked very effectively in terms of speed and cost. Based on the anatomy of drive-by download attacks, the key step in carrying out a drive-by download attack is to exploit vulnerabilities in a visitor's computer system in order to execute malicious shellcode. The exploitation is not always successful because the runtime environment on the visitor's computer is usually unknown.
If the exploit fails, the malicious shellcode is not executed and attackers cannot take control of the visitor's computer system. No malicious activity happens. Therefore, detection devices that work on malicious activities cannot detect the attack. This raises the challenge of monitoring features that can be used to track the delivery of malicious shellcode to a visitor's computer system during a visit. We addressed this question by analysing heap-spray attacks, a common method of delivering malicious shellcode in a drive-by download attack. Based on the characteristics of heap-spray attacks, we proposed a statistical method to detect this attack. en_NZ
dc.language.iso en_NZ
dc.publisher Te Herenga Waka—Victoria University of Wellington en_NZ
dc.rights Access is restricted to staff and students only. For information please contact the library. en_NZ
dc.subject Security en_NZ
dc.subject Drive-by download en_NZ
dc.subject Malicious web page en_NZ
dc.title Feature-Based Approaches to Detect Drive-By Download Attacks en_NZ
dc.type Text en_NZ
vuwschema.contributor.unit School of Engineering and Computer Science en_NZ
vuwschema.subject.anzsrcfor 080303 Computer System Security en_NZ
vuwschema.subject.anzsrcfor 080499 Data Format not elsewhere classified en_NZ
vuwschema.subject.anzsrcfor 080503 Networking and Communications en_NZ
vuwschema.subject.anzsrcseo 890299 Computer Software and Services not elsewhere classified en_NZ
vuwschema.type.vuw Awarded Doctoral Thesis en_NZ
thesis.degree.discipline Computer Science en_NZ
thesis.degree.grantor Te Herenga Waka—Victoria University of Wellington en_NZ
thesis.degree.level Doctoral en_NZ
thesis.degree.name Doctor of Philosophy en_NZ

