Drive-by-download attacks are client-side attacks that originate from web servers visited by web browsers. While many web browsers are vulnerable to drive-by-download attacks, detecting the malicious web pages that launch them is expensive. High-interaction client honeypots are security devices capable of detecting malicious web pages; however, their slow and expensive web page visiting has been considered a problem. High-interaction client honeypots employ a visitation algorithm to pinpoint which page made an unauthorized change of system state when such a change is observed after visiting suspicious web pages. To improve the performance of high-interaction client honeypots, we propose a new visitation algorithm, logarithmic divide-and-conquer (LDAC), for identifying malicious web pages. The LDAC algorithm is an enhanced version of the existing binary divide-and-conquer (BDAC) algorithm. If the system state is abnormally changed after k suspicious web pages have been visited concurrently, our LDAC algorithm divides the buffer of k pages into [log2 k] pieces and recursively visits the pieces until the malicious page or pages are identified, whereas BDAC splits the buffer into k/2 portions. Experimental results show that LDAC improves the performance of the system by up to 15 percent compared to the BDAC algorithm.
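As an added illustration (not code from the paper), the following Python simulation compares the BDAC and LDAC visitation strategies on a constructed buffer of 64 pages containing two malicious ones, counting how many honeypot visits each needs to isolate them. It assumes that [log2 k] means the ceiling of log2 k, clamped to at least two pieces, and it models the honeypot's state check as an oracle that reports a change whenever a visited batch contains a malicious page.

```python
import math


def make_oracle(malicious):
    """Simulated honeypot visit (assumption: a batch triggers an unauthorized
    state change iff it contains at least one malicious page). Counts visits."""
    stats = {"visits": 0}

    def visit(batch):
        stats["visits"] += 1
        return any(page in malicious for page in batch)

    return visit, stats


def split(buffer, pieces):
    """Split a buffer into `pieces` near-equal contiguous chunks."""
    size = max(1, math.ceil(len(buffer) / pieces))
    return [buffer[i:i + size] for i in range(0, len(buffer), size)]


def divide_and_conquer(buffer, visit, n_pieces):
    """Recursive visitation: visit the whole buffer concurrently; on a state
    change, split it into n_pieces(k) chunks and recurse into each chunk."""
    if not buffer or not visit(buffer):   # no state change: all pages benign
        return []
    if len(buffer) == 1:                  # a single page caused the change
        return list(buffer)
    found = []
    for piece in split(buffer, n_pieces(len(buffer))):
        found.extend(divide_and_conquer(piece, visit, n_pieces))
    return found


def bdac(buffer, visit):
    """Binary divide-and-conquer: always two halves of k/2 pages."""
    return divide_and_conquer(buffer, visit, lambda k: 2)


def ldac(buffer, visit):
    """Logarithmic divide-and-conquer: ceil(log2 k) pieces (at least two)."""
    return divide_and_conquer(buffer, visit, lambda k: max(2, math.ceil(math.log2(k))))


def compare(pages, malicious):
    """Run both algorithms on the same buffer; return (found pages, visit count)."""
    results = {}
    for name, algo in (("BDAC", bdac), ("LDAC", ldac)):
        visit, stats = make_oracle(malicious)
        found = algo(list(pages), visit)
        results[name] = (sorted(found), stats["visits"])
    return results


if __name__ == "__main__":
    # Constructed input: 64 suspicious pages, pages 5 and 40 are malicious.
    print(compare(range(64), {5, 40}))   # BDAC needs 23 visits, LDAC 21
```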