Proceedings of the 20th ACM SIGSAC Conference on Computer and Communications Security (CCS)
Identifying malicious web sites has become a major challenge in today's Internet. Previous work focused on detecting whether a web site is malicious by dynamically executing JavaScript in instrumented environments or by rendering web sites in client honeypots. Both techniques bear a significant evaluation overhead, since the analysis can take up to tens of seconds or even minutes per sample.
In this paper, we introduce a novel, purely static analysis approach, the Delta-system, that (i) extracts change-related features between two versions of the same web site, (ii) uses a machine-learning algorithm to derive a model of web site changes, (iii) detects whether a change was malicious or benign, (iv) identifies the underlying infection vector campaign based on clustering, and (v) generates an identifying signature.
We demonstrate the effectiveness of the Delta-system by evaluating it on a dataset of over 26 million pairs of web sites, collected by running it alongside a web crawler for a period of four months. Over this time span, the Delta-system successfully identified previously unknown infection campaigns, including a campaign that targeted installations of the Discuz!X Internet forum software by injecting infection vectors into these forums and redirecting forum readers to an installation of the Cool Exploit Kit.
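The core idea in step (i) above, diffing two snapshots of the same page and describing only what changed, is illustrated by the following added example. It is not code from the paper and its feature names are not Delta's: it diffs the elements of two constructed HTML snapshots (the sample pages, the `.invalid` hosts, and the hypothetical `extract_change_features` function are all assumptions made here), and reports the injected elements, the external script hosts they pull in, hidden iframes, and a simple (tag, host) signature of the change.

```python
"""Delta-style change features between two snapshots of one page.

Hypothetical illustration, not the paper's own feature set: flatten each
snapshot into hashable element records, take the multiset difference, and
derive features only from the elements that were added or removed.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ElementCollector(HTMLParser):
    """Flatten a document into (tag, sorted attrs, inline script body) records."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self._script_index = None  # index of the <script> whose body is being read

    def handle_starttag(self, tag, attrs):
        # Boolean attributes arrive with value None; normalise to "" so records hash.
        record = (tag, tuple(sorted((k, v or "") for k, v in attrs)), "")
        self.elements.append(record)
        if tag == "script":
            self._script_index = len(self.elements) - 1

    def handle_data(self, data):
        # Only script bodies are kept; visible text is ignored for this example.
        if self._script_index is not None and data.strip():
            tag, attrs, body = self.elements[self._script_index]
            self.elements[self._script_index] = (tag, attrs, body + data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._script_index = None


def _elements(html):
    parser = _ElementCollector()
    parser.feed(html)
    parser.close()
    return Counter(parser.elements)


def _host(attrs):
    """Hostname of the element's src attribute, or "" for relative/no src."""
    return urlparse(dict(attrs).get("src", "")).hostname or ""


def _is_hidden_iframe(tag, attrs):
    if tag != "iframe":
        return False
    a = dict(attrs)
    style = a.get("style", "").replace(" ", "").lower()
    return (a.get("width") == "0" or a.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def extract_change_features(old_html, new_html):
    """Change-related features of new_html relative to old_html.

    Elements present in both versions cancel out, so unchanged page content
    contributes nothing; only injected (or removed) elements are described.
    """
    old, new = _elements(old_html), _elements(new_html)
    added, removed = new - old, old - new
    added_list = list(added.elements())
    hosts = sorted({_host(attrs) for tag, attrs, _ in added_list
                    if tag == "script" and _host(attrs)})
    return {
        "added_elements": len(added_list),
        "removed_elements": sum(removed.values()),
        "added_external_script_hosts": hosts,
        "added_inline_script_bytes": sum(len(body) for tag, _, body in added_list
                                         if tag == "script"),
        "added_hidden_iframes": sum(1 for tag, attrs, _ in added_list
                                    if _is_hidden_iframe(tag, attrs)),
        # Signature: which active elements were injected and where they point.
        "signature": sorted((tag, _host(attrs) or "inline") for tag, attrs, _ in added_list
                            if tag in ("script", "iframe")),
    }


# Constructed sample snapshots (not real crawl data): the second version has
# an external script and a zero-size iframe injected into an otherwise
# unchanged forum page.
OLD_PAGE = """<html><head><title>Forum</title>
<script src="/static/forum.js"></script></head>
<body><div class="post">Hello</div></body></html>"""

NEW_PAGE = """<html><head><title>Forum</title>
<script src="/static/forum.js"></script>
<script src="http://cdn.example.invalid/x.js"></script></head>
<body><div class="post">Hello</div>
<iframe src="http://exploit.example.invalid/land.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for key, value in extract_change_features(OLD_PAGE, NEW_PAGE).items():
        print(f"{key}: {value}")
```

The multiset difference is what makes the approach cheap: a forum page whose posts change every hour produces no features unless an active element (script, iframe) is added or removed, so the features that reach a classifier describe the injection rather than the page. The paper's actual feature set, learned model and clustering are not reproduced here.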
@inproceedings{ccs2013-delta,
  title     = {{Delta: Automatic Identification of Unknown Web-based Infection Campaigns}},
  author    = {Borgolte, Kevin and Kruegel, Christopher and Vigna, Giovanni},
  booktitle = {Proceedings of the 20th ACM SIGSAC Conference on Computer and Communications Security (CCS)},
  acmid     = {2516725},
  date      = {2013-11},
  doi       = {10.1145/2508859.2516725},
  edition   = {20},
  editor    = {Gligor, Virgil D. and Yung, Moti},
  isbn      = {978-1-4503-2477-9},
  location  = {Berlin, Germany},
  numpages  = {12},
  pages     = {109--120},
  publisher = {Association for Computing Machinery (ACM)},
  url       = {https://doi.org/10.1145/2508859.2516725}
}