
Student: 蘇珮涵 (Pei-Han Su)
Title: Identifying Malicious URLs from Binary-based Ad Injectors by Browser Features Analysis (Chinese title: 基於瀏覽器特徵分析識別由二進制型廣告注入器產生之惡意網址)
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee members: 鄭博仁 (Bo-Ren Jeng), 鄭欣明 (Shin-Ming Jeng), 沈金祥 (Jin-Shiang Shen), 林豐澤 (Feng-Tze Lin)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2017
Academic year of graduation: 105 (ROC academic year)
Language: Chinese
Pages: 54
Keywords (Chinese, translated): ad injector, browser features, binary-based ad injector, potentially unwanted program
Keywords (English): ad injector, browser features, binary-based, potentially unwanted program
Hits: 196; downloads: 13

Abstract (translated from the Chinese original):

In recent years, unwanted programs have become one of the main security threats to users. With the arrival of the cloud era, web browsers control a large amount of information and social interaction, and also store a great deal of important sensitive data.
Even if potentially unwanted programs are not themselves malicious, they still cause intrusive disturbance to users, for example: ad injection, hijacking browser settings, bundling the download of other unwanted programs, and monitoring users' internet use and browsing behaviour. Ad injectors are one of the best examples of potentially unwanted programs. There are three installation vectors: browser-extension-based, binary-based and network-based.

In this study, our target is binary-based ad injectors, which we observe by triggering their ad injection behaviour. We provide a method that greatly reduces the time needed to manually analyse ad injectors, using browser features as the basis for identifying malicious URLs. We developed a filtering method that discards URLs that need not be examined and keeps the suspicious URLs that are worth analysing.

The results of this study show that URL filtering achieves a precision of 98.10% and a recall of 98.10%. This study makes the following contributions: (1) developing a reusable method to detect ad injection affecting Google users; (2) using key ad injection features and interacting with binary-based ad injectors to trigger the injection behaviour; (3) proposing a method that identifies malicious URLs produced by binary-based ad injectors through browser feature analysis; (4) presenting a complete case study that illustrates how ad injectors attack users.


Abstract (English, as provided):

In recent years, unwanted applications have become one of the major security threats to users. With the arrival of the cloud era, web browsers control a lot of information, as well as social interaction, and also store a lot of important sensitive information.
Even if potentially unwanted programs are not malicious in themselves, they are still intrusive to the user, for example through ad injection, hijacking browser settings, bundling other unwanted software for download, and monitoring users' browsing behaviour. The ad injector is one of the best examples of unwanted programs. There are three kinds of installation vectors: extension-based, binary-based and network-based.

In this study, our goal is to target binary-based ad injectors by triggering their ad injection behaviour. We provide an approach that significantly reduces the time it takes to manually analyse ad injectors, based on browser features, to identify malicious URLs. We have developed a set of filtering methods that filter out URLs that do not need to be examined and leave the suspicious URLs that are worth analysing.

The results of this study show that the URLs are filtered at a precision of 98.10% and a recall of 98.10%. This study presents several contributions: (1) developing a reusable method to detect ad injection affecting Google users; (2) triggering injection behaviour by using key ad injection features and interacting with the binary-based ad injector; (3) identifying malicious URLs from binary-based ad injectors by browser features analysis; (4) presenting a comprehensive case study of how the ad injector attacks the user.

Table of contents:

1 Introduction
  1.1 Motivation
  1.2 Challenges and Goals
  1.3 Contributions
  1.4 The Outline of Thesis
2 Background and Related Work
  2.1 Pay-Per-Install Network
  2.2 Potentially Unwanted Program
  2.3 Ad Injectors
    2.3.1 The Severity of Ad Injectors
    2.3.2 Malvertising
    2.3.3 Ad Injection Practices
    2.3.4 Extension-based Ad Injectors
    2.3.5 Binary-based Ad Injectors
3 Identifying Malicious URLs from Binary-based Ad Injectors by Browser Features Analysis
  3.1 Ad Injectors Network Behaviors Recorder
    3.1.1 Identifying Potential Triggering Websites
    3.1.2 Using Bare-metal Machine to Defeat Anti-techniques
    3.1.3 Decrypting SSL or TLS Traffic with Wireshark
  3.2 Browser Information Crawler
  3.3 Ad Injection URLs Filter
    3.3.1 Heterogeneous Data Resources Integration
    3.3.2 Browser Feature Extractor
    3.3.3 Decision Tree Classification
    3.3.4 Ad Injectors Detection
    3.3.5 Time Series Reconstruction
4 Experiments and Results
  4.1 Experiment Design and Dataset
    4.1.1 Experiment Concept and Description
    4.1.2 Datasets
  4.2 Evaluation Metrics
  4.3 Effectiveness Analysis
    4.3.1 Filtering Ratio
    4.3.2 The Comparison of Bare-metal and Virtual Machine
    4.3.3 Case Studies
  4.4 Limitations
5 Conclusions and Further Work
  5.1 Conclusions
  5.2 Further Work

