- Number of slides: 13
Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities Authors: Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King Presented By: Kim Giglia CSC 682 09/03/2008
Outline of Discussion Browser-based vulnerability exploits HoneyMonkey Detection System Anti-Exploit Process Weaknesses of HoneyMonkey Detection Experimental Results Conclusions
Browser Based Vulnerability Exploits Definition: Malicious activities performed by actual web sites that can be divided into 4 categories: code obfuscation, URL redirection, vulnerability exploitation, and malware installation
Browser Based Vulnerability Exploits Code Obfuscation – hard to read. Limits effectiveness of attack-signature-based detectors URL Redirection – redirecting to a URL.
Browser Based Vulnerability Exploits Vulnerability exploitation – exploit security holes in the browser Malware installation – installing unauthorized “attack” software. Viruses, backdoors, bot programs, Trojan programs, spyware, adware, etc.
HoneyMonkey Detection System Uses a 3-stage pipelined set of VMs Monkey programs launch browser instances, visit URLs, and wait for downloading of any code. Any .exe files or registry entries written outside the browser sandbox constitute an exploit.
HoneyMonkey Detection System
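The exploit verdict described on this slide, as an added illustration (not code from the HoneyMonkey project): a VM's persistent state is snapshotted before and after a monkey visits a URL, and any new .exe file or registry entry outside the browser sandbox flags the URL. The sandbox prefixes, file paths and registry keys below are constructed sample data, not values from the paper.

```python
from dataclasses import dataclass

# Assumed sandbox: the only locations a normal page visit may legitimately write to.
SANDBOX_PREFIXES = (
    r"c:\users\monkey\appdata\local\microsoft\windows\temporary internet files",
    r"c:\users\monkey\appdata\local\temp",
    r"hkcu\software\microsoft\internet explorer",
)

@dataclass(frozen=True)
class Snapshot:
    """Persistent state of the VM: file paths and registry value paths (case-insensitive)."""
    files: frozenset
    registry: frozenset

def _outside_sandbox(entry: str) -> bool:
    e = entry.lower()
    return not any(e.startswith(p) for p in SANDBOX_PREFIXES)

def classify_visit(before: Snapshot, after: Snapshot):
    """Return (is_exploit, evidence). Evidence lists new .exe files and new
    registry entries that appeared outside the browser sandbox during the visit."""
    new_files = after.files - before.files
    new_regs = after.registry - before.registry
    evidence = sorted(
        [f for f in new_files if f.lower().endswith(".exe") and _outside_sandbox(f)]
        + [r for r in new_regs if _outside_sandbox(r)]
    )
    return (len(evidence) > 0, evidence)

# Constructed baseline taken before the monkey navigates to the URL.
BASELINE = Snapshot(files=frozenset({r"C:\Windows\System32\kernel32.dll"}),
                    registry=frozenset({r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"}))

def benign_visit():
    """Page only populated the browser cache and touched IE's own settings."""
    after = Snapshot(
        files=BASELINE.files | {r"C:\Users\monkey\AppData\Local\Microsoft\Windows\Temporary Internet Files\index.htm"},
        registry=BASELINE.registry | {r"HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1"})
    return classify_visit(BASELINE, after)

def exploit_visit():
    """Page dropped an executable in a system folder and added an autostart value."""
    after = Snapshot(
        files=BASELINE.files | {r"C:\Windows\System32\update_svc.exe"},
        registry=BASELINE.registry | {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update_svc"})
    return classify_visit(BASELINE, after)

if __name__ == "__main__":
    print("benign :", benign_visit())
    print("exploit:", exploit_visit())
```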
HoneyMonkey Detection System Weaknesses Exploiters could black-list IP addresses Can be mitigated by dynamic IP addresses behind multiple ISPs VMs can be detected Detect an exploiter who is testing for a VM As VM usage increases, such detection will become harder
HoneyMonkey Detection System Weaknesses Tests can be performed to see if the surfer is a human: dialog boxes or CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) Turing tests. Incorporate intelligence to handle dialog box questions, and to detect CAPTCHA tests
HoneyMonkey Detection System Weaknesses Cannot detect exploits that do not make persistent state changes Add VSED (Vulnerability Specific Exploit Detection) HoneyMonkeys only waited 2 minutes at each URL Use random wait times
Experimental Results Researchers generated two different lists of “interesting URLs” for which stats were reported Suspicious URLs Popular URLs
Experimental Results After feeding lists to the HoneyMonkey pipeline: 752 / 16,190 suspicious URLs were identified as exploit URLs hosted on 288 sites 1,036 / 1,000 popular URLs were identified as exploit URLs on 470 sites. 11 / 710 exploit pages were among the 10,000 most popular URLs.
Conclusions The Strider HoneyMonkey system with additions can be evolved to help identify exploit web sites/networks The Strider HoneyMonkey system with the VSED tool will still require manual maintenance and cannot catch zero-day exploits occurring inside the browser sandbox