EvilSeed: A Guided Approach to Finding Malicious Web Pages

Similar documents

EVILSEED: A Guided Approach to Finding Malicious Web Pages

EVILSEED: A Guided Approach to Finding Malicious Web Pages

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

Web Client Attacks. Scribed by Gelareh Taban. April 21, Web Server Attacks continued

Website Marketing Audit. Example, inc. Website Marketing Audit. For. Example, INC. Provided by

Deciphering and Mitigating Blackhole Spam from -borne Threats

Basheer Al-Duwairi Jordan University of Science & Technology

Prophiler: A Fast Filter for the Large-Scale Detection of Malicious Web Pages

Baidu: Webmaster Tools Overview and Guidelines

CS 558 Internet Systems and Technologies

Don t scan, just ask A new approach of identifying vulnerable web applications. 28th Chaos Communication Congress, 12/28/11 - Berlin

Is your SEO campaign giving you a headache?

Detection of Malicious URLs by Correlating the Chains of Redirection in an Online Social Network (Twitter)

Fighting Parasite Hosting: Identifying and Mitigating Unauthorized Ads on Your Webserver

Search Engine Optimization and Pay Per Click Building Your Online Success

DNSSEC. Matthäus Wander. Erlangen, April 20, and the Hassle of Negative Responses.

Leveraging User Interactions for In-Depth Testing of Web Applications

Search engine optimization: Black hat Cloaking Detection technique

A Practical Attack to De Anonymize Social Network Users

What to do Post Google Panda

1. SEO INFORMATION...2

Search Engine Optimisation Checklist. Please highlight the 20 most important keywords for your practice from the list below.

Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection

Website Search Engine Optimization. Presented by: David Backes Senior Account Executive Anvil Media Inc.

SOLUTIONS FOR TOMORROW

CLIENT: American Red Ball Transit Co., Inc.

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis

Threat Spotlight: Angler Lurking in the Domain Shadows

Custom Online Marketing Program Proposal for: Hearthstone Homes

SEO Techniques for Higher Visibility LeadFormix Best Practices

Findability Consulting Services

Search Engine Optimization Content is Key. Emerald Web Sites-SEO 1

NTT R&D s anti-malware technologies

OPTIMIZATION SEARCH ENGINE WHAT IS SEO? (855)

A Quick Start Guide On How To Promote Your Site Using Do It Myself SEO

Table of contents. HTML5 Data Bindings SEO DMXzone

About MKE Nazaret St. Floor 1 Office 11 - Las Rosas, Córdoba, Argentina - Tel

Our Five Step Guide To Successful Internet Marketing. Getting the best from your website: An introductory guide

SEO and Domain Name Best Practices

Website Audit Reports

SEARCH ENGINE OPTIMIZATION

Online Marketing Company INDIA Digital Marketing Training

In fact, one of the biggest challenges that the evolution of the Internet is facing today, is related to the question of Identity Management [1].

We all need to be able to capture our profit generating keywords and understand what it is that is adding the most value to our business in 2014.

Introduction 3. Step One: Create a Keyword Strategy 4. Step Two: Optimize Your Website 7. Step Three: Create Blog and Other Content 14

SEO FOR VIDEO: FIVE WAYS TO MAKE YOUR VIDEOS EASIER TO FIND

Don DeBolt and Kiran Bandla 29 September 2010

Web School: Search Engine Optimization

Removing Web Spam Links from Search Engine Results

Search Engine Submission

an Essential Marketing Grow Your Business Online: The Commercial Approach to Search Engine Marketing Prepared by Flex4, December 2011, v1.

Website Design 2. Branding & Design 3. SEO (Search Engine Optimisation) 4. Social Media 5. Lead Generation 6. Online Advertising 6

WE KNOW IT BEFORE YOU DO: PREDICTING MALICIOUS DOMAINS Wei Xu, Kyle Sanders & Yanxin Zhang Palo Alto Networks, Inc., USA

SEO - SMO- SEM - PPC - VSEO

Simple SEO Success. Google Analytics & Google Webmaster Tools

For Your Online Success

Web Vulnerability Scanner by Using HTTP Method

An analysis of the effectiveness of personalized spam using online social network public information

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services

Development and Industrial Application of Multi-Domain Security Testing Technologies. Innovation Sheet Model Inference Assisted Evolutionary Fuzzing

SEO Audit Report For Ravenna Way Ravenna Way Boynton Beach FL 33437

Web Forensic Evidence of SQL Injection Analysis

SEO: What is it and Why is it Important?

Bridging CAQDAS with text mining: Text analyst s toolbox for Big Data: Science in the Media Project

SEO Marketing Strategy. Keeping you connected through SEO

Search Engine Optimization & Social Media

HubSpot's Website Grader

What is a Mobile Responsive Website?

DIGITAL MARKETING TRAINING

Data Mining in Web Search Engine Optimization and User Assisted Rank Results

High-Speed Detection of Unsolicited Bulk

Campaign Goals, Objectives and Timeline SEO & Pay Per Click Process SEO Case Studies SEO & PPC Strategy On Page SEO Off Page SEO Pricing Plans Why Us

Pella Hosting and Website Development solutions@pellahosting.com 809 West 8 th Street Pella, IA Website Planning Worksheet

Mobile Responsive Web Design

Intercept Anti-Spam Quick Start Guide

Mobile in 2015: Why Your Website Must Be Responsive

HackAlert Malware Monitoring

Study Guide #2 for MKTG 469 Advertising Types of online advertising:

What is a Mobile Responsive Website?

Firewall Testing Methodology W H I T E P A P E R

Vulnerability Assessment and Penetration Testing

Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware.

Fusesix. Design Programming Development Marketing. Fusesix Web Services South Carolina, USA. Phone:

SEO Analysis Guide CreatorSEO easy to use SEO tools

OS KERNEL MALWARE DETECTION USING KERNEL CRIME DATA MINING

2013 MONITORAPP Co., Ltd.

EE 7376: Introduction to Computer Networks. Homework #3: Network Security, , Web, DNS, and Network Management. Maximum Points: 60

2015 ftld SEO and Domain Name Best Practices. SEO and Domain Names: Best Practices, Moving Your Site

Best Practices for WordPress and SEO

Web Design Tools and Planning Principles

30 Website Audit Report. 6 Website Audit Report. 18 Website Audit Report. 12 Website Audit Report. Package Name 3

NSEC3 Hash Breaking. GPU-based. Matthäus Wander, Lorenz Schwittmann, Christopher Boelmann, Torben Weis IEEE NCA

Threat Intelligence is Dead. Long Live Threat Intelligence!

User Guide to the Content Analysis Tool

Promoting Your Business Online

Schema documentation for types1.2.xsd

WEB DESIGN TIME? KEEP THESE 9 ELEMENTS IN MIND

We Know It Before You Do: Predicting Malicious Domains

Transcription:

EvilSeed: A Guided Approach to Finding Malicious Web Pages L. Invernizzi 1 S. Benvenuti 2 M. Cova 3,5 P. Milani Comparetti 4,5 C. Kruegel 1 G. Vigna 1 1 UC Santa Barbara 2 University of Genova 3 University of Birmingham 4 Vienna University of Technology 5 Lastline, Inc. IEEE Security & Privacy 2012

Finding malicious URLs

Landing and exploit pages

Landing and exploit pages

Landing and exploit pages

Landing and exploit pages

Landing and exploit pages

Landing and exploit pages

Landing and exploit pages

Finding malicious URLs

Finding malicious URLs

Finding malicious URLs is hard! Wepawet Over 120 thousand URLs analyzed per day by the oracle. Available online: http://wepawet.cs.ucsb.edu The problem 0, 138% of the URLs reached with a random crawl are malicious

Our goal Finding malicious URLs efficiently

What can a malicious URL tell us?

Gadgets

EvilSeed

Links gadget Designed to locate malware hubs Example query: link:http://malicious-url.com

Links gadget

Links gadget

Content Dorks gadget Creates signatures from the content of landing pages. Two methods: n-gram extraction term-extraction (e.g., cnn.com yields: Eurozone recession, gay wedding, Facebook attack, graphic content)

Content Dorks gadget

Content Dorks gadget

Content Dorks gadget

Content Dorks gadget

Content Dorks gadget

SEO gadget

SEO gadget Expansion strategies: Find pages with similar content as Google sees it (e.g., query for title:"free iphones") Find pages hosted on the same domain (e.g., query for site:seo.com) Follow links

Domain Registrations gadget We know that: http://a.com/exploit is malicious. a.com has been registered moments before b.com We suspect that: http://b.com/exploit is also malicious

DNS Queries gadget

DNS Queries gadget

DNS Queries gadget

Evaluation metrics Toxicity = URLs classified as malicious URLs submitted to the Oracle Seed Expansion = malicious URLs found by EvilSeed seed size

Online evaluation: URLs Source Seed Analyzed Malicious Toxicity Expansion Crawler w/ Prefilter 437,251 604 0.14% EvilSeed Links 604 71,272 1,097 1.53% 1.81 SEO 604 312 16 5.12% 0.02 Keywords 604 13,896 477 3.43% 0.78 Ngrams 604 140,660 1,446 1.02% 2.39 Total 226,140 3,036 1.34% 5.02 Web Search Random Strings 24,137 68 0.28% Random Dictionary 27,242 107 0.39% Trending Topics 8,051 27 0.33% Manual Dorks 4,506 17 0.37%

Online evaluation: domains Source Seed Analyzed Malicious Toxicity Expansion Crawler w/ Prefilter 53,445 98 0.18% EvilSeed Links 98 7,664 107 1.39% 1.09 SEO 98 7 5 71.42% 0.07 Keywords 98 3,245 119 3.66% 1.22 Ngrams 98 33,510 263 0.78% 2.68 Total 44,426 494 1.12% 5.04 Web Search Random Strings 4,227 16 0.37% Random Dictionary 9,285 35 0.37% Trending Topics 1,768 8 0.45% Manual Dorks 3,032 13 0.42%

DNS evaluation Data: 377,472,280 DNS resolutions 115 malicious seeds Resulting in 3.5% toxicity, 1.48 seed expansion

EvilSeed for Search Engines

EvilSeed for Search Engines

EvilSeed for Search Engines

EvilSeed for Search Engines

EvilSeed for Search Engines

Conclusions Finding malicious urls is important to protect the users

Conclusions Finding malicious urls is important to protect the users, but it s hard

Conclusions Finding malicious urls is important to protect the users, but it s hard It s critical to generate feeds with high toxicity ( high efficiency)

Conclusions Finding malicious urls is important to protect the users, but it s hard It s critical to generate feeds with high toxicity ( high efficiency) We designed EvilSeed, a guided search approach that is a ten-fold efficency improvement over crawling

Conclusions Finding malicious urls is important to protect the users, but it s hard It s critical to generate feeds with high toxicity ( high efficiency) We designed EvilSeed, a guided search approach that is a ten-fold efficency improvement over crawling But crawling is needed nontheless, to generate the evil seed

Thanks! http://bit.ly/evilseed invernizzi@cs.ucsb.edu

Thanks! http://bit.ly/evilseed invernizzi@cs.ucsb.edu

SEO evaluation URLs Cloaking Seeds 248 Visited 1,219,090 Analyzed 12,063 Malicious 11,384 Toxicity 94.37% (Crawler s: 0.14%) Malicious Visited 0.93% Expansion 45.90